Commit Graph

2409 Commits

Author SHA1 Message Date
Hanno Becker
b3088b4b37 Fix information leak in ecp_gen_keypair_base
The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-25 15:44:10 +01:00
Hanno Becker
7d80688e53 Make mpi_read_binary time constant
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
2017-10-25 15:44:10 +01:00
Andres Amaya Garcia
1042d8637c Dont send alert on invalid DTLS record type
Do not send fatal alerts when receiving a record with an invalid header
while running DTLS as this is not compliant behaviour.
2017-09-15 10:57:29 +01:00
Simon Butcher
1fe5e8ab44 Update version number to 2.1.9 2017-08-10 11:51:47 +01:00
Hanno Becker
6ad82d714f Rename time and index parameter to avoid name conflict.
As noted in #557, several functions use 'index' resp. 'time'
as parameter names in their declaration and/or definition, causing name
conflicts with the functions in the C standard library of the same
name some compilers warn about.

This commit renames the arguments accordingly.
2017-07-28 22:14:55 +01:00
Manuel Pégourié-Gonnard
cdb4dc9393 Improve comments 2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
c386317298 Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
489939f829 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-28 12:20:47 +01:00
Andres AG
b322be507b Prevent signed integer overflow in CSR parsing
Modify the function mbedtls_x509_csr_parse_der() so that it checks the
parsed CSR version integer before it increments the value. This prevents
a potential signed integer overflow, as these have undefined behaviour
in the C standard.
2017-07-26 17:59:20 +01:00
Andres AG
1f06d9bac7 Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-26 17:57:43 +01:00
Andres AG
0ff660e0a6 Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-26 17:56:42 +01:00
Ron Eldor
a886ce3c88 Backport 2.1: Check rc of mbedtls_mpi_fill_random
Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken in #740
2017-07-20 01:25:53 +02:00
Ron Eldor
0fb3e0afb9 Backport: Resource leak fix on windows platform
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-20 01:05:47 +02:00
Ron Eldor
ee709f4d13 Backport 2.1: Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-20 00:47:20 +02:00
Ron Eldor
5ff277ee1e Backport 2.1: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-20 00:30:44 +02:00
Simon Butcher
fbb9837ad5 Update the version number to 2.1.8 2017-06-20 23:31:06 +01:00
Hanno Becker
499391a02d Undo API change
The previous commit b3e6872c93 changed
to public functions from ssl_ciphersuite.h to static inline. This
commit reverts this change.
2017-06-20 19:33:51 +01:00
Manuel Pégourié-Gonnard
89930b354c Merge remote-tracking branch 'restricted/iotssl-1398_backport-2.1' into mbedtls-2.1-restricted
* restricted/iotssl-1398_backport-2.1:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:06:31 +02:00
Hanno Becker
cc019084b8 Ensure application data records are not kept when fully processed
This commit fixes the following case: If a client is both expecting a
SERVER_HELLO and has an application data record that's partially
processed in flight (that's the situation the client gets into after
receiving a ServerHelloRequest followed by ApplicationData), a
subsequent call to mbedtls_ssl_read will set keep_current_message = 1
when seeing the unexpected application data, but not reset it to 0
after the application data has been processed. This commit fixes this.
2017-06-09 10:51:37 +01:00
Manuel Pégourié-Gonnard
1defa8fd6d Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-2.1-restricted' into mbedtls-2.1-restricted
* restricted/iotssl-1138-rsa-padding-check-2.1-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:33:53 +02:00
Manuel Pégourié-Gonnard
63906d9200 Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-2.1' into mbedtls-2.1-restricted
* restricted/IOTSSL-1366/mbedtls-2.1:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:26:06 +02:00
Manuel Pégourié-Gonnard
640edc7810 Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-2.1' into mbedtls-2.1
* hanno/mpi_read_file_underflow_backport-2.1:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:51:19 +02:00
Manuel Pégourié-Gonnard
ebe391d1cd Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-2.1' into mbedtls-2.1
* hanno/sliding_exponentiation_backport-2.1:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:49:50 +02:00
Hanno Becker
bfbc494114 Add hard assertion to mbedtls_ssl_read_record_layer
This commit adds a hard assertion to mbedtls_ssl_read_record_layer
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 14:04:31 +01:00
Hanno Becker
6a582e80f2 Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as an application data record is being processed.
2017-06-08 14:04:22 +01:00
Hanno Becker
704f493730 Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 13:08:45 +01:00
Hanno Becker
61c0c70418 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:36:12 +01:00
Hanno Becker
a3929bac1e Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:36:09 +01:00
Manuel Pégourié-Gonnard
b55f613601 Merge remote-tracking branch 'gilles/iotssl-1223/mbedtls-2.1' into mbedtls-2.1
* gilles/iotssl-1223/mbedtls-2.1:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:12:51 +02:00
Gilles Peskine
7344e1bd05 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 19:09:02 +02:00
Gilles Peskine
12c19541a9 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 19:08:23 +02:00
Gilles Peskine
5877c27846 X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 19:08:23 +02:00
Gilles Peskine
955738a4f2 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 19:08:19 +02:00
Manuel Pégourié-Gonnard
cd6e4d5bcc Merge remote-tracking branch 'restricted/mbedtls-2.1' into mbedtls-2.1
* restricted/mbedtls-2.1:
  Remove obsolete macros from compat-1.3.h
  Add fix for #667 to ChangeLog
  Fix bug in threading sample implementation #667
  Fix check-doxy-blocks.pl to run from root dir
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:23:05 +02:00
Manuel Pégourié-Gonnard
61946d2c68 Merge remote-tracking branch 'hanno/iotssl-1241-backport-2.1' into mbedtls-2.1
* hanno/iotssl-1241-backport-2.1:
  Improve documentation
  Split long lines.
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:21:01 +02:00
Manuel Pégourié-Gonnard
6820eba2bb Merge branch 'iotssl-1272-fix-RSA-cache-attack-2.1-restricted' into mbedtls-2.1
* iotssl-1272-fix-RSA-cache-attack-2.1-restricted:
  Add Changelog entry for RSA exponent blinding
  Add exponent blinding to RSA with CRT
  Add exponent blinding to RSA without CRT
2017-06-06 16:12:33 +02:00
Hanno Becker
032aec0523 Improve documentation 2017-05-24 11:04:54 +01:00
Hanno Becker
118848fd77 Split long lines. 2017-05-24 11:04:54 +01:00
Hanno Becker
aa8a2bd05a Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 11:04:50 +01:00
Hanno Becker
b3e6872c93 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-24 10:54:17 +01:00
Gilles Peskine
39e2981b22 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 18:03:02 +02:00
Janos Follath
1cdf0fd2d5 Fix bug in threading sample implementation #667 2017-05-15 13:22:51 +01:00
Janos Follath
702dcd0ef4 Fix bug in threading sample implementation #667 2017-05-15 11:17:34 +01:00
Hanno Becker
4195e80649 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-12 07:21:37 +01:00
Manuel Pégourié-Gonnard
230ee31a54 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:33:13 +02:00
Hanno Becker
2938ccbdd8 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus 1. This commit refuses this modulus with a BAD_INPUT error code. It also adds a test for this case.
2017-05-11 11:23:48 +01:00
Hanno Becker
2a8d655664 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign incorrectly. This commit fixes this and a test case which should have caught it.
2017-05-11 11:23:48 +01:00
Janos Follath
9ef9f1099f Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-11 10:55:54 +02:00
Janos Follath
578517d459 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-11 10:54:56 +02:00
Gilles Peskine
74fd868ca6 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-05 19:28:38 +02:00