Commit Graph

3520 Commits

Author SHA1 Message Date
Hanno Becker
80e06d77d9 Use WSAEINTR instead of EINTR on Windows 2018-03-15 14:41:55 +00:00
Hanno Becker
9ac640326b Don't exit mbedtls_net_poll on interruption of select
If the select UNIX system call is interrupted by a signal handler,
it is not automatically restarted but returns EINTR. This commit
modifies the use of select in mbedtls_net_poll from net_sockets.c
to retry the select call in this case.
2018-03-15 12:19:31 +00:00
Jaeden Amero
79a5e72719 Merge remote-tracking branch 'upstream-restricted/pr/463' into development-restricted-proposed 2018-03-15 08:25:05 +00:00
Jaeden Amero
24b2d6fb6d Merge remote-tracking branch 'upstream-restricted/pr/459' into development-restricted-proposed 2018-03-15 08:24:44 +00:00
Jaeden Amero
ce183d994c Merge remote-tracking branch 'upstream-public/pr/1448' into development-proposed 2018-03-15 08:23:53 +00:00
Jaeden Amero
d1fedc55d7 Merge remote-tracking branch 'upstream-public/pr/1440' into development-proposed 2018-03-15 08:23:35 +00:00
Jaeden Amero
95ad522ecc Merge remote-tracking branch 'upstream-public/pr/1439' into development-proposed 2018-03-15 08:23:10 +00:00
Manuel Pégourié-Gonnard
fd3e4fbae7 x509: CRL: reject unsupported critical extensions 2018-03-14 09:15:02 +01:00
Gilles Peskine
5f1932817c Merge remote-tracking branch 'upstream-restricted/pr/398' into development-restricted-proposed 2018-03-13 17:18:06 +01:00
Gilles Peskine
553a06f08a Merge remote-tracking branch 'upstream-restricted/pr/351' into development-restricted-proposed
Move the added ChangeLog entry to the bottom so that the list remains
in merge order.
2018-03-13 17:15:34 +01:00
Manuel Pégourié-Gonnard
1ba8a3fc55 Yet another dependency issue (PKCS1_V15)
Found by running:

CC=clang cmake -D CMAKE_BUILD_TYPE="Check"
tests/scripts/depend-pkalgs.pl

(Also tested with same command but CC=gcc)

Another PR will address improving all.sh and/or the depend-xxx.pl scripts
themselves to catch this kind of thing.
2018-03-13 13:42:38 +01:00
Krzysztof Stachowiak
5224a7544c Prevent arithmetic overflow on bounds check 2018-03-13 11:31:38 +01:00
Krzysztof Stachowiak
740b218386 Add bounds check before length read 2018-03-13 11:31:14 +01:00
Krzysztof Stachowiak
027f84c69f Prevent arithmetic overflow on bounds check 2018-03-13 11:29:24 +01:00
Krzysztof Stachowiak
a1098f81c2 Add bounds check before signature length read 2018-03-13 11:28:49 +01:00
Gilles Peskine
f3ada4adb0 Merge branch 'pr_679' into development-proposed 2018-03-13 00:13:29 +01:00
Gilles Peskine
d5f7d24e84 Merge branch 'pr_1064' into development-proposed 2018-03-13 00:08:05 +01:00
Gilles Peskine
a31d8206b1 Merge remote-tracking branch 'upstream-public/pr/778' into development-proposed 2018-03-12 23:45:08 +01:00
Gilles Peskine
19c3862d0c Merge remote-tracking branch 'upstream-public/pr/1079' into development-proposed 2018-03-11 00:45:10 +01:00
Gilles Peskine
b4c571e603 Merge remote-tracking branch 'upstream-public/pr/1296' into HEAD 2018-03-11 00:44:14 +01:00
Manuel Pégourié-Gonnard
e57d7438b0 Improve documentation of some internal functions 2018-03-07 10:00:57 +01:00
Sanne Wouda
7b2e85dd7c Use both applicable error codes and a proper coding style 2018-03-06 23:28:46 +01:00
Sanne Wouda
b2b29d5259 Add end-of-buffer check to prevent heap-buffer-overflow
Dereference of *p should not happen when it points past the end of the
buffer.

Internal reference: IOTSSL-1663
2018-03-06 23:28:46 +01:00
Hanno Becker
a3389ebb09 Merge branch 'development-restricted' into iotssl-1306-rsa-is-vulnerable-to-bellcore-glitch-attack 2018-03-06 11:55:21 +00:00
Manuel Pégourié-Gonnard
05c00ed8b2 Fix some more MSVC size_t -> int warnings 2018-03-06 11:48:50 +01:00
Manuel Pégourié-Gonnard
f5bb78183a Fix MSVC warnings
library\x509_crt.c(2137): warning C4267: 'function' : conversion from 'size_t' to 'int', possible loss of data
library\x509_crt.c(2265): warning C4267: 'function' : conversion from 'size_t' to 'int', possible loss of data
2018-03-05 12:48:53 +01:00
Manuel Pégourié-Gonnard
05e464dff7 Merge branch 'development' into iotssl-1381-x509-verify-refactor-restricted
* development: (557 commits)
  Add attribution for #1351 report
  Adapt version_features.c
  Note incompatibility of truncated HMAC extension in ChangeLog
  Add LinkLibraryDependencies to VS2010 app template
  Add ChangeLog entry for PR #1382
  MD: Make deprecated functions not inline
  Add ChangeLog entry for PR #1384
  Have Visual Studio handle linking to mbedTLS.lib internally
  Mention in ChangeLog that this fixes #1351
  Add issue number to ChangeLog
  Note in the changelog that this fixes an interoperability issue.
  Style fix in ChangeLog
  Add ChangeLog entries for PR #1168 and #1362
  Add ChangeLog entry for PR #1165
  ctr_drbg: Typo fix in the file description comment.
  dhm: Fix typo in RFC 5114 constants
  tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
  data_files/pkcs8-v2: add keys generated with PRF != SHA1
  tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
  tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
  ...
2018-03-05 11:55:38 +01:00
Gilles Peskine
df761d5a6b Fix build with gcc -O -Wall
Fix warnings from gcc -O -Wall about `ret` used uninitialized in
CMAC selftest auxiliary functions. The variable was indeed
uninitialized if the function was called with num_tests=0 (which
never happens).
2018-03-01 22:18:14 +01:00
Manuel Pégourié-Gonnard
366e1b0464 aria: fix comment on aria_a function
The new version of the comment has been generated by the following python3
script, when the first constant is copy-pasted from RFC 5794 2.4.3.

 #!/usr/bin/python3

RFC_A = """
      y0  = x3 ^ x4 ^ x6 ^ x8  ^ x9  ^ x13 ^ x14,
      y1  = x2 ^ x5 ^ x7 ^ x8  ^ x9  ^ x12 ^ x15,
      y2  = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
      y3  = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
      y4  = x0 ^ x2 ^ x5 ^ x8  ^ x11 ^ x14 ^ x15,
      y5  = x1 ^ x3 ^ x4 ^ x9  ^ x10 ^ x14 ^ x15,
      y6  = x0 ^ x2 ^ x7 ^ x9  ^ x10 ^ x12 ^ x13,
      y7  = x1 ^ x3 ^ x6 ^ x8  ^ x11 ^ x12 ^ x13,
      y8  = x0 ^ x1 ^ x4 ^ x7  ^ x10 ^ x13 ^ x15,
      y9  = x0 ^ x1 ^ x5 ^ x6  ^ x11 ^ x12 ^ x14,
      y10 = x2 ^ x3 ^ x5 ^ x6  ^ x8  ^ x13 ^ x15,
      y11 = x2 ^ x3 ^ x4 ^ x7  ^ x9  ^ x12 ^ x14,
      y12 = x1 ^ x2 ^ x6 ^ x7  ^ x9  ^ x11 ^ x12,
      y13 = x0 ^ x3 ^ x6 ^ x7  ^ x8  ^ x10 ^ x13,
      y14 = x0 ^ x3 ^ x4 ^ x5  ^ x9  ^ x11 ^ x14,
      y15 = x1 ^ x2 ^ x4 ^ x5  ^ x8  ^ x10 ^ x15.
"""

matrix = []
for l in RFC_A.split('\n')[1:-1]:
    rhs = l.split('=')[1][:-1]
    row = tuple(hex(int(t[2:]))[2:] for t in rhs.split('^'))
    matrix.append(row)

out = {}
out['a'] = tuple(''.join(w) for w in zip(*(matrix[0:4])))
out['b'] = tuple(''.join(w) for w in zip(*(matrix[4:8])))
out['c'] = tuple(''.join(w) for w in zip(*(matrix[8:12])))
out['d'] = tuple(''.join(w) for w in zip(*(matrix[12:])))

out2 = {}
for o, r in out.items():
    row = list(r)
    for i in range(len(r) - 1):
        w1 = row[i]
        if len(set(w1)) == 2:
            w2 = row[i+1]
            nw1 = nw2 = ''
            for j in range(len(w1)):
                if w1[j] in nw1:
                    nw1 += w2[j]
                    nw2 += w1[j]
                else:
                    nw1 += w1[j]
                    nw2 += w2[j]
            row[i] = nw1
            row[i+1] = nw2

    out2[o] = row

for o in 'abcd':
    print(o,   '=', ' + '.join(out[o]))
    print(' ', '=', ' + '.join(out2[o]))
2018-03-01 14:48:10 +01:00
Manuel Pégourié-Gonnard
21662148f7 aria: improve compiler compat by using __asm
gcc --std=c99 doesn't like the shorter "asm" (this broke all.sh)
2018-03-01 11:28:51 +01:00
Manuel Pégourié-Gonnard
2078725feb aria: check arm arch version for asm
rev and rev16 are only supported from v6 (all profiles) and up.

arm-none-eabi-gcc picks a lower architecture version by default, which means
before this commit it would fail to build (assembler error) unless you
manually specified -march=armv6-m -mthumb or similar, which broke all.sh.

Source for version-checking macros:
- GCC/Clang: use the -E -dM - </dev/null trick
- armcc5: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0472k/chr1359125007083.html
- armclang 6: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0774g/chr1383660321827.html

Tested with the following script:

 #!/bin/sh

set -eu

ARMCLANG="env ARM_TOOL_VARIANT=ult $ARMC6_BIN_DIR/armclang"

build() {
    echo "$@"
    "$@" -Iinclude -c library/aria.c

}

build arm-none-eabi-gcc
build arm-none-eabi-gcc -march=armv5

build clang --target=arm-none-eabi
build clang --target=arm-none-eabi -march=armv5

build armcc
build armcc --gnu
build armcc --cpu=5T
build armcc --cpu=5T --gnu

build $ARMCLANG --target=arm-arm-none-eabi

check_asm() {
    rm -f aria.o
    build "$@"
    arm-none-eabi-objdump -d aria.o | grep rev16
}

check_asm arm-none-eabi-gcc -march=armv6-m -mthumb
check_asm arm-none-eabi-gcc -march=armv7-m -mthumb
check_asm arm-none-eabi-gcc -march=armv8-m.base -mthumb

check_asm arm-none-eabi-gcc -march=armv7-a -mthumb
check_asm arm-none-eabi-gcc -march=armv8-a -mthumb
check_asm arm-none-eabi-gcc -march=armv7-a -marm
check_asm arm-none-eabi-gcc -march=armv8-a -marm

check_asm clang --target=arm-none-eabi -march=armv6-m
check_asm clang --target=arm-none-eabi -march=armv7-a
check_asm clang --target=arm-none-eabi -march=armv7-m
check_asm clang --target=arm-none-eabi -march=armv7-r
check_asm clang --target=arm-none-eabi -march=armv8-a

check_asm armcc -O0 --cpu=6-M
check_asm armcc -O0 --cpu=7-M
check_asm armcc -O0 --cpu=6
check_asm armcc -O0 --cpu=7-A

check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv6-m
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-a
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-m
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-r
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv8-a
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv8-m.base
2018-03-01 11:28:51 +01:00
Manuel Pégourié-Gonnard
7fc08795c1 aria: more whitespace fixes 2018-03-01 09:33:20 +01:00
Manuel Pégourié-Gonnard
5ad88b6d0d aria: define constants for block size and max rounds 2018-03-01 09:25:31 +01:00
Manuel Pégourié-Gonnard
3c80009615 aria: add error codes for hw implementations 2018-03-01 09:25:05 +01:00
Manuel Pégourié-Gonnard
f3a46a9b4f aria: fix some typos in comments 2018-03-01 09:25:05 +01:00
Manuel Pégourié-Gonnard
c0bb66f47e aria: improve compiler inline compatibility 2018-03-01 09:25:05 +01:00
mohammad1603
5bd15cbfa0 Avoid wraparound for ssl->in_left
Add check to avoid wraparound for ssl->in_left
2018-02-28 04:30:59 -08:00
Manuel Pégourié-Gonnard
4231e7f46f Fix some whitespace and other style issues
In addition to whitespace:
- wrapped a few long lines
- added parenthesis to return statements
2018-02-28 11:34:01 +01:00
Manuel Pégourié-Gonnard
377b2b624d aria: optimize byte perms on Arm
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.

ARIA_P3 and ARIA_P1 are now 1 single-cycle instruction each (those
instructions are available in all architecture versions starting from v6-M).
Note: ARIA_P3 was already translated to a single instruction by Clang 3.8 and
armclang 6.5, but not arm-gcc 5.4 nor armcc 5.06.

ARIA_P2 is already efficiently translated to the minimal number of
instruction (1 in ARM mode, 2 in thumb mode) by all tested compilers

Manually compiled and inspected generated code with the following compilers:
arm-gcc 5.4, clang 3.8, armcc 5.06 (with and without --gnu), armclang 6.5.

Size reduction (arm-none-eabi-gcc -march=armv6-m -mthumb -Os): 5288 -> 5044 B

Effect on executing time of self-tests on a few boards:
FRDM-K64F   (Cortex-M4):    444 ->  385 us (-13%)
LPC1768     (Cortex-M3):    488 ->  432 us (-11%)
FRDM-KL64Z  (Cortex-M0):   1429 -> 1134 us (-20%)

Measured using a config.h with no cipher mode and the following program with
aria.c and aria.h copy-pasted to the online compiler:

 #include "mbed.h"
 #include "aria.h"

int main() {
    Timer t;
    t.start();
    int ret = mbedtls_aria_self_test(0);
    t.stop();
    printf("ret = %d; time = %d us\n", ret, t.read_us());
}
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
fb0e4f0d1a aria: optimise byte perms on Intel
(A similar commit for Arm follows.)

Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.

ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)

I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)

Before:
O	aria.o	ins
s	7976	43,865
2	10520	37,631
3	13040	28,146

After:
O	aria.o	ins
s	7768	33,497
2	9816	28,268
3	11432	20,829

For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
cac5008b17 aria: define P3 macro
This will allow to replace it with an optimised implementation later
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
f205a012b8 aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:

 #!/usr/bin/python3

class Atom:
    def __init__(self, val):
        self.v = val

    def __str__(self):
        return self.v

    def p1(self):
        v = self.v
        return Atom(v[1] + v[0] + v[3] + v[2])

    def p2(self):
        v = self.v
        return Atom(v[2] + v[3] + v[0] + v[1])

    def __xor__(self, other):
        return Sum(self.tuple() + other.tuple())

    def tuple(self):
        return (self,)

class Sum:
    def __init__(self, terms):
        self.t = terms
        assert(type(terms) == tuple)
        for t in terms:
            assert(type(t) == Atom)

    def __str__(self):
        return '+'.join(sorted((str(t) for t in self.t),
                        key=lambda v: int(v, 16)))

    def p1(self):
        return Sum(tuple(t.p1() for t in self.t))

    def p2(self):
        return Sum(tuple(t.p2() for t in self.t))

    def tuple(self):
        return self.t

    def __xor__(self, other):
        return Sum(self.t + other.tuple())

class LoggingDict(dict):
    def __setitem__(self, key, val):
        print(key, '=', val)
        dict.__setitem__(self, key, val)

    def set(self, key, val):
        dict.__setitem__(self, key, val)

env = LoggingDict()

env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())

code = """
ta  =   rb;
rb  =   ra;
ra  =   ARIA_P2( ta );
tb  =   ARIA_P2( rd );
rd  =   ARIA_P1( rc );
rc  =   ARIA_P1( tb );
ta  ^=  rd;
tc  =   ARIA_P2( rb );
ta  =   ARIA_P1( ta ) ^ tc ^ rc;
tb  ^=  ARIA_P2( rd );
tc  ^=  ARIA_P1( ra );
rb  ^=  ta ^ tb;
tb  =   ARIA_P2( tb ) ^ ta;
ra  ^=  ARIA_P1( tb );
ta  =   ARIA_P2( ta );
rd  ^=  ARIA_P1( ta ) ^ tc;
tc  =   ARIA_P2( tc );
rc  ^=  ARIA_P1( tc ) ^ ta;
"""

exec(code, env)
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
35ad891aee aria: internal names closer to standard document 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
64744f88b6 aria: define SLA() as sl(a())
This decreases the size with -Os by nearly 1k while
not hurting performance too much with -O2 and -O3

Before:
O	aria.o	ins
s	8784	41,408
2	11112	37,001
3	13096	27,438

After:
O	aria.o	ins
s	7976	43,865
2	10520	37,631
3	13040	28,146

(See previous commit for measurement details.)
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
8c76a9489e aria: turn macro into static inline function
Besides documenting types better and so on, this give the compiler more room
to optimise either for size or performance.

Here are some before/after measurements of:
- size of aria.o in bytes (less is better)
- instruction count for the selftest function (less is better)
with various -O flags.

Before:
O	aria.o	ins
s	10896	37,256
2	11176	37,199
3	12248	27,752

After:
O	aria.o	ins
s	8784	41,408
2	11112	37,001
3	13096	27,438

The new version allows the compiler to reach smaller size with -Os while
maintaining (actually slightly improving) performance with -O2 and -O3.

Measurements were done on x86_64 (but since this is mainly about inlining
code, this should transpose well to other platforms) using the following
helper program and script, after disabling CBC, CFB and CTR in config.h, in
order to focus on the core functions.

==> st.c <==
 #include "mbedtls/aria.h"

int main( void ) {
    return mbedtls_aria_self_test( 0 );
}

==> p.sh <==
 #!/bin/sh

set -eu

ccount () {
    (
    valgrind --tool=callgrind --dump-line=no --callgrind-out-file=/dev/null --collect-atstart=no --toggle-collect=main $1
    ) 2>&1 | sed -n -e 's/.*refs: *\([0-9,]*\)/\1/p'
}

printf "O\taria.o\tins\n"
for O in s 2 3; do
    GCC="gcc -Wall -Wextra -Werror -Iinclude"

    $GCC -O$O -c library/aria.c
    $GCC -O1 st.c aria.o -o st
   ./st

    SIZE=$( du -b aria.o | cut -f1 )
    INS=$( ccount ./st )

    printf "$O\t$SIZE\t$INS\n"
done
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
a41ecdabed aria: closer to usual comment style
We're not absolutely consistent in the rest of the library, but we tend to use
C99-style comments less often.

Change to use C89-style comments everywhere except for end-of-line comments
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
56453937a1 aria: use mbedtls_zeroize() 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
c76ceb677b aria: move conditional outside of loop 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
9cc89248fe aria: use unsigned type for bit count 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
e1ad7491c5 aria: clean up interface of internal macros 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
a6d639e553 aria: improve some comments & internal names 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
af37f0f68f Add remaining ARIA suites to priority list
Those suites were defined in ciphersuite_definitions[] but not included in
ciphersuite_preference[] which meant they couldn't be negotiated unless
explicitly added by the user. Add them so that they're usable by default like
any other suite.
2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
c06e1014e1 ARIA ciphersuites for TLS 1.2 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
07478d6f30 something to do with whitespaces 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
0fb47fe71f MBEDTLS_ARIA_ALT added as a feature 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
6ba68d4a3b ARIA init and free 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
3c0b53b2b0 ARIA build integration 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
259fa60f6c ARIA test vectors for CBC CFB CTR modes 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
41efbaabc9 ARIA cipher implementation 2018-02-27 12:39:12 +01:00
ILUXONCHIK
060fe37496 fix typo in pem.c 2018-02-25 20:59:09 +00:00
Gilles Peskine
b7f6086ba3 Merge branch 'prr_424' into development-proposed 2018-02-22 16:15:01 +01:00
Hanno Becker
e80cd463ef Adapt version_features.c 2018-02-22 15:02:47 +00:00
mohammad1603
4bbaeb4ffa Add guard to out_left to avoid negative values
return error when f_send return a value greater than out_left
2018-02-22 05:04:48 -08:00
Jaeden Amero
041039f81e MD: Make deprecated functions not inline
In 2.7.0, we replaced a number of MD functions with deprecated inline
versions. This causes ABI compatibility issues, as the functions are no
longer guaranteed to be callable when built into a shared library.
Instead, deprecate the functions without also inlining them, to help
maintain ABI backwards compatibility.
2018-02-22 10:24:30 +00:00
Gilles Peskine
8db3efbc76 Add missing MBEDTLS_DEPRECATED_REMOVED guards
Add missing MBEDTLS_DEPRECATED_REMOVED guards around the definitions
of mbedtls_aes_decrypt and mbedtls_aes_encrypt.
This fixes the build under -Wmissing-prototypes -Werror.

Fixes #1388
2018-02-21 19:16:20 +01:00
Gilles Peskine
d76d8bc9a5 Merge branch 'pr_1352' into development-proposed 2018-02-20 16:42:08 +01:00
Gilles Peskine
e6844ccf2b Merge branch 'pr_1135' into development-proposed 2018-02-14 17:20:42 +01:00
Gilles Peskine
42a97ac693 Merge branch 'pr_1219' into development-proposed 2018-02-14 16:17:21 +01:00
Paul Sokolovsky
8d6d8c84b1 ctr_drbg: Typo fix in the file description comment.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-10 11:11:41 +02:00
Antonio Quartulli
12ccef2761
pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:15 +08:00
Ron Eldor
9566ff7913 Fix minor issues raised in PR review
1. Style issues fixes - remove redundant spacing.
2. Remove depency of `MBEDTLS_RSA_C` in `pk_parse_public_keyfile_rsa()`
tests, as the function itself is dependent on it.
2018-02-07 18:59:41 +02:00
Ron Eldor
85e1dcff6a Fix handshake failure in suite B
Fix handshake failure where PK key is translated as `MBEDTLS_ECKEY`
instead of `MBEDTLS_ECDSA`
2018-02-06 15:59:38 +02:00
Jaeden Amero
3b438d33c1 Update version to 2.7.0 2018-02-02 18:09:45 +00:00
Jaeden Amero
9564e97460 Merge branch 'development' into development-restricted 2018-01-30 17:04:47 +00:00
Rose Zadik
2f8163d3cd Improve CTR-DRBG documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Add full standard name in file description.

GitHub PR: #1316
2018-01-30 16:22:05 +00:00
Rose Zadik
042e97fa75 Improve RSA documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Rephrase the descriptions of all md_alg and hashlen parameters.

GitHub PR: #1327
2018-01-30 16:22:05 +00:00
Rose Zadik
41ad082484 Improve DHM documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Standardize defines documentation

GitHub PR: #1323
2018-01-30 16:22:05 +00:00
Rose Zadik
9ba6b621de Improve cipher documentation
- Rephrase function/parameter/enum/define/error descriptions into full and
  clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.

GitHub PR: #1306
2018-01-30 16:22:04 +00:00
Rose Zadik
eecdbea30f Improve CCM documentation
- Rephrase function/parameter/enum/define/error descriptions into full and
  clear sentences.
- Make sure to adhering to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Fix iv_len values per the standard.

GitHub PR: #1305
2018-01-30 16:22:04 +00:00
Rose Zadik
7f44127c71 Improve AES documentation
- Separate "\file" blocks from copyright, so that Doxygen doesn't repeat
  the copyright information in all the Detailed Descriptions.
- Improve phrasing and clarity of functions, parameters, defines and enums.

GitHub PR: #1292
2018-01-30 16:22:04 +00:00
Jaeden Amero
26342e54f5 Merge branch 'development' into development-restricted 2018-01-29 12:49:52 +00:00
Jaeden Amero
3b8fbaab87 Merge remote-tracking branch 'upstream-public/pr/1328' into development 2018-01-29 12:49:46 +00:00
Manuel Pégourié-Gonnard
5405962954 Fix alarm(0) failure on mingw32
A new test for mbedtls_timing_alarm(0) was introduced in PR 1136, which also
fixed it on Unix. Apparently test results on MinGW were not checked at that
point, so we missed that this new test was also failing on this platform.
2018-01-29 10:24:50 +01:00
Jaeden Amero
2acbf17b97 Merge branch 'development' into development-restricted 2018-01-26 20:57:38 +00:00
Jaeden Amero
751aa510c0 Merge remote-tracking branch 'upstream-public/pr/1303' into development 2018-01-26 20:48:55 +00:00
Jaeden Amero
784de59ccd Merge remote-tracking branch 'upstream-restricted/pr/410' into development-restricted
- Resolve ChangeLog conflicts
- Update Doxygen warning block in dhm.h to render correctly
- Prefix the exported identifier deprecated_constant_t with mbedtls_
2018-01-26 18:43:04 +00:00
Gilles Peskine
7ecab3df4c Error codes for hardware accelerator failures
Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
modules where the software implementation can be replaced by a hardware
implementation.

This does not include the individual message digest modules since they
currently have no way to return error codes.

This does include the higher-level md, cipher and pk modules since
alternative implementations and even algorithms can be plugged in at
runtime.
2018-01-26 17:56:38 +01:00
Jaeden Amero
a03587b848 Merge branch 'development' into development-restricted 2018-01-26 12:48:04 +00:00
Dvir Markovich
1b36499062 Improve CTR_DRBG error handling and cleanup
Check AES return values and return error when needed. Propagate the
underlying AES return code.

Perform more memory cleanup.
2018-01-26 11:40:31 +00:00
Jaeden Amero
66954e1c1f Merge branch 'development' into development-restricted 2018-01-25 17:28:31 +00:00
Jaeden Amero
005239e3ed Merge remote-tracking branch 'upstream-public/pr/1294' into development 2018-01-25 14:47:39 +00:00
Jaeden Amero
65ba60a975 Merge branch 'development' into development-restricted 2018-01-25 10:09:03 +00:00
Jaeden Amero
cef0c5a2c8 Merge remote-tracking branch 'upstream-public/pr/1304' into development 2018-01-25 10:07:39 +00:00
Jaeden Amero
3c082ce293 Merge branch 'development' into development-restricted 2018-01-24 15:17:15 +00:00
Jaeden Amero
fbeed6e2a5 Merge remote-tracking branch 'upstream-public/pr/1236' into development 2018-01-24 10:43:39 +00:00
Hanno Becker
616d1ca605 Add support for alternative ECJPAKE implementation
This commit allows users to provide alternative implementations of the
ECJPAKE interface through the configuration option MBEDTLS_ECJPAKE_ALT.
When set, the user must add `ecjpake_alt.h` declaring the same
interface as `ecjpake.h`, as well as add some compilation unit which
implements the functionality. This is in line with the preexisting
support for alternative implementations of other modules.
2018-01-24 10:36:22 +00:00
Andres Amaya Garcia
e9124b943d Ensure that mbedtls_pk_parse_key() does not allocate 0 bytes 2018-01-23 20:03:52 +00:00
Andres Amaya Garcia
c9d6226d2c Change formatting of allocation check in x509_crl 2018-01-23 19:37:44 +00:00
Andres Amaya Garcia
cb5123fa86 Ensure memcpy is not called with NULL and 0 args in x509 module 2018-01-23 19:37:44 +00:00
Andres Amaya Garcia
f1ee63562a Style fixes in pem, x509_crl and buf_alloc 2018-01-23 19:37:44 +00:00
Andres AG
9cf1f96a7b Fix corner case uses of memory_buffer_alloc.c
The corner cases fixed include:
    * Allocating a buffer of size 0. With this change, the allocator now
      returns a NULL pointer in this case. Note that changes in pem.c and
      x509_crl.c were required to fix tests that did not work under this
      assumption.
    * Initialising the allocator with less memory than required for headers.
    * Fix header chain checks for uninitialised allocator.
2018-01-23 19:37:44 +00:00
Gilles Peskine
342d928e8d Fix proprocessor directives for MBEDTLS_RIPEMD160_ALT 2018-01-23 18:21:21 +01:00
Gilles Peskine
a381fe84ce Add HW_FAILED error codes for message digest modules
New error codes to report failures from alternative implementations of
MD2, MD4, MD5, RIPEMD160, SHA-1, SHA-256, SHA-512.
2018-01-23 18:16:11 +01:00
Gilles Peskine
41b40e6463 Merge remote-tracking branch 'upstream-restricted/pr/441' into development-restricted 2018-01-23 00:59:51 +01:00
Gilles Peskine
aaaa98cd60 Merge branch 'development-proposed' into development-restricted 2018-01-23 00:59:17 +01:00
Gilles Peskine
ff812804fb Merge branch 'pr_1239' into development-proposed 2018-01-23 00:58:13 +01:00
Gilles Peskine
50346e9f22 Merge remote-tracking branch 'upstream-public/pr/1150' into development-proposed 2018-01-23 00:56:48 +01:00
Ron Eldor
5e9f14d4d9 Set correct minimal versions in default conf
Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION`
instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
2018-01-22 22:06:44 +01:00
Gilles Peskine
9e4f77c606 New MD API: rename functions from _ext to _ret
The _ext suffix suggests "new arguments", but the new functions have
the same arguments. Use _ret instead, to convey that the difference is
that the new functions return a value.
2018-01-22 11:54:42 +01:00
Gilles Peskine
d91f2a26cb Merge branch 'development' into iotssl-1251-2.7
Conflict resolution:

* ChangeLog: put the new entries in their rightful place.
* library/x509write_crt.c: the change in development was whitespace
  only, so use the one from the iotssl-1251 feature branch.
2018-01-19 11:25:10 +01:00
Gilles Peskine
d40c22ba20 Merge branch 'development' into development-restricted 2018-01-17 08:03:33 +01:00
Hanno Becker
87ae197f3e Add explicit uint truncation casts
This commit adds some explicit downcasts from `size_t` to `uint8_t` in
the RSASSA signature encoding function `rsa_rsassa_pkcs1_v15_encode`.
The truncation is safe as it has been checked beforehand that the
respective values are in the range of a `uint8_t`.
2018-01-15 15:27:56 +00:00
Hanno Becker
71b0060af7 Merge branch 'development' into iotssl-247 2018-01-15 11:31:34 +00:00
Jaeden Amero
31f3f0b87b Merge branch 'development' into development-restricted 2018-01-10 13:17:02 +00:00
Hanno Becker
d4d60579e4 Address issues found by coverity
1) `mbedtls_rsa_import_raw` used an uninitialized return
   value when it was called without any input parameters.
   While not sensible, this is allowed and should be a
   succeeding no-op.

2) The MPI test for prime generation missed a return value
   check for a call to `mbedtls_mpi_shift_r`. This is neither
   critical nor new but should be fixed.

3) Both the RSA keygeneration example program and the
   RSA test suites contained code initializing an RSA context
   after a potentially failing call to CTR DRBG initialization,
   leaving the corresponding RSA context free call in the
   cleanup section of the respective function orphaned.
   While this defect existed before, Coverity picked up on
   it again because of newly introduced MPI's that were
   also wrongly initialized only after the call to CTR DRBG
   init. The commit fixes both the old and the new issue
   by moving the initializtion of both the RSA context and
   all MPI's prior to the first potentially failing call.
2018-01-10 07:30:47 +00:00
nirekh01
d569ecfc2c Add some corrections based on code review
-Add the DHM_ALT in an alphabetical order
-Close correctly the 'extern "C" { ...'
2018-01-09 16:43:21 +00:00
Jaeden Amero
f342cb791b Merge branch 'development' into development-restricted 2018-01-09 13:16:37 +00:00
Manuel Pégourié-Gonnard
239987fd31 Fix heap-buffer overread in ALPN ext parsing 2018-01-09 13:48:38 +01:00
Jaeden Amero
0bc9e30435 Merge remote-tracking branch 'upstream-public/pr/1060' into development 2018-01-09 12:20:54 +00:00
Jaeden Amero
7de0b8aae7 Merge remote-tracking branch 'upstream-public/pr/1046' into development 2018-01-09 11:31:55 +00:00
Jaeden Amero
35285cca67 Merge remote-tracking branch 'upstream-public/pr/1027' into development 2018-01-09 10:42:03 +00:00
Johannes H
4e5d23fad7 corrected a typo in a comment 2018-01-06 09:46:57 +01:00
Hanno Becker
3a760a1857 Add size check for RSA modulus to mbedtls_rsa_complete
The function `mbedtls_rsa_complete` is supposed to guarantee that
RSA operations will complete without failure. In contrast, it does
not ensure consistency of parameters, which is the task of the
checking functions `rsa_check_pubkey` and `rsa_check_privkey`.

Previously, the maximum allowed size of the RSA modulus was checked
in `mbedtls_rsa_check_pubkey`. However, exceeding this size would lead
to failure of some RSA operations, hence this check belongs to
`mbedtls_rsa_complete` rather than `mbedtls_rsa_check_pubkey`.
This commit moves it accordingly.
2018-01-05 08:14:49 +00:00
Hanno Becker
895c5ab88e Preserve old behavior by checking public key in RSA parsing function
The function `pk_get_rsapubkey` originally performed some basic
sanity checks (e.g. on the size of public exponent) on the parsed
RSA public key by a call to `mbedtls_rsa_check_pubkey`.
This check was dropped because it is not possible to thoroughly
check full parameter sanity (i.e. that (-)^E is a bijection on Z/NZ).

Still, for the sake of not silently changing existing behavior,
this commit puts back the call to `mbedtls_rsa_check_pubkey`.
2018-01-05 08:08:09 +00:00
Hanno Becker
88683b2c6d Correct all.sh and config.h after merge commit
- Adapt the change in all.sh to the new keep-going mode
- Restore alphabetical order of configuration flags for
  alternative implementations in config.h and rebuild
  library/version_features.c
2018-01-04 18:48:32 +00:00
Hanno Becker
8bc74d6f2f Merge branch 'development' into iotssl-1619 2018-01-03 10:24:02 +00:00
Hanno Becker
4952e7a8d6 Add explicit type cast to avoid truncation warning
`mbedtls_rsa_deduce_primes` implicitly casts the result of a call to
`mbedtls_mpi_lsb` to a `uint16_t`. This is safe because of the size
of MPI's used in the library, but still may have compilers complain
about it. This commit makes the cast explicit.
2018-01-03 09:27:40 +00:00
Gilles Peskine
07d1078cdc Merge branch 'development' into development-restricted 2018-01-02 17:45:08 +01:00
Gilles Peskine
17196cd3be Merge remote-tracking branch 'upstream-public/pr/964' into development 2018-01-02 16:24:29 +01:00
Gilles Peskine
197a6d454b Merge remote-tracking branch 'upstream-public/pr/1097' into development 2018-01-02 16:09:15 +01:00
Gilles Peskine
3fcc045c23 Merge remote-tracking branch 'upstream-public/pr/866' into development
Conflict resolution: additions in the same places as
upstream-public/pr/865, both adding into lexicographically sorted
lists, resolved by taking the additions in lexicographic order.
2018-01-02 15:55:55 +01:00
Gilles Peskine
7c483b6765 Merge remote-tracking branch 'upstream-public/pr/865' into development 2018-01-02 15:35:18 +01:00
nirekh01
08ba530bff Remove some extra lines
Remove some extra lines as was requested in code review
2017-12-28 16:21:38 +00:00
Manuel Pégourié-Gonnard
eb2a6ab518 Merge branch 'development' into development-restricted
* development:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:50 +01:00
Manuel Pégourié-Gonnard
ae3925c774 Merge remote-tracking branch 'public/pr/1136' into development
* public/pr/1136:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:20 +01:00
nirekh01
49762fa21f Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h
Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h to support alternate DHM
2017-12-25 06:46:48 +00:00
Reuven Levin
1f35ca9471 Added alternated Diffie-Hellman module.
1. Add modified files dhm.c and dhm.h
2017-12-25 06:42:59 +00:00
Micha Kraus
ba8316f790 fix bug in get_one_and_zeros_padding()
add test case (“0000000082”) which fails with the old implementation.
2017-12-23 23:40:08 +01:00
Hanno Becker
32297e8314 Merge branch 'development' into iotssl-1619 2017-12-22 10:24:32 +00:00
Ron Eldor
621080d7c6 Fix compilation issue weh self test defined
1. Surround the generate keys with
`#if ! defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)`
to resolve build issue when `MBEDTLS_SELF_TEST` is defined for
alternative CMAC as well
2. Update ChangeLog
2017-12-21 10:57:43 +02:00
Gilles Peskine
ada3ee8b9d Timing self test: shorten redundant tests
We don't need to test multiple delays in a self-test.
Save 5s of busy-wait.
2017-12-20 22:31:17 +01:00
Gilles Peskine
8873bcc4de Timing self test: increased duration
Increase the duration of the self test, otherwise it tends to fail on
a busy machine even with the recently upped tolerance. But run the
loop only once, it's enough for a simple smoke test.
2017-12-20 21:57:48 +01:00
Gilles Peskine
0f59b130a9 Timing self test: increased tolerance
mbedtls_timing_self_test fails annoyingly often when running on a busy
machine such as can be expected of a continous integration system.
Increase the tolerances in the delay test, to reduce the chance of
failures that are only due to missing a deadline on a busy machine.
2017-12-20 21:57:48 +01:00
Gilles Peskine
0827d5c07d Timing self test: print some diagnosis information
Print some not-very-nice-looking but helpful diagnosis information if
the timing selftest fails. Since the failures tend to be due to heavy
system load that's hard to reproduce, this information is necessary to
understand what's going on.
2017-12-20 19:22:30 +01:00
Gilles Peskine
d92f0aa3be mbedtls_timing_get_timer: don't use uninitialized memory
mbedtls_timing_get_timer with reset=1 is called both to initialize a
timer object and to reset an already-initialized object. In an
initial call, the content of the data structure is indeterminate, so
the code should not read from it. This could crash if signed overflows
trap, for example.

As a consequence, on reset, we can't return the previously elapsed
time as was previously done on Windows. Return 0 as was done on Unix.
2017-12-20 18:53:52 +01:00
Gilles Peskine
a0af95f052 Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
The POSIX/Unix implementation of mbedtls_set_alarm did not set the
mbedtls_timing_alarmed flag when called with 0, which was inconsistent
with what the documentation implied and with the Windows behavior.
2017-12-20 18:50:03 +01:00
Manuel Pégourié-Gonnard
a268da9478 Fix undefined function in platform.c
The bug was introduced in 79a2e7ef06 and is not present in the default
configuration, which let it go unnoticed so far.
2017-12-20 12:52:49 +01:00
Gilles Peskine
82d607eb9e Merge remote-tracking branch 'upstream-restricted/pr/433' into development-restricted 2017-12-19 19:20:27 +01:00
Manuel Pégourié-Gonnard
4813f15ce5 Merge branch 'development' into development-restricted
* development:
  Address PR review comments
  Fix crash when calling `mbedtls_ssl_cache_free` twice
2017-12-19 11:39:35 +01:00
Manuel Pégourié-Gonnard
705c52f5ec Merge remote-tracking branch 'public/pr/1145' into development
* public/pr/1145:
  Address PR review comments
  Fix crash when calling `mbedtls_ssl_cache_free` twice
2017-12-19 11:37:36 +01:00
Manuel Pégourié-Gonnard
d04c623ed6 Merge remote-tracking branch 'restricted/pr/403' into development-restricted
* restricted/pr/403:
  Correct record header size in case of TLS
  Don't allocate space for DTLS header if DTLS is disabled
  Improve debugging output
  Adapt ChangeLog
  Add run-time check for handshake message size in ssl_write_record
  Add run-time check for record content size in ssl_encrypt_buf
  Add compile-time checks for size of record content and payload
2017-12-19 11:31:20 +01:00
Manuel Pégourié-Gonnard
1827368b01 Merge branch 'development' into development-restricted
* development:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:28:36 +01:00
Manuel Pégourié-Gonnard
4712119687 Merge remote-tracking branch 'restricted/pr/397' into development
* restricted/pr/397:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:27:22 +01:00
Manuel Pégourié-Gonnard
b053efb295 Fix magic constant in previous commit 2017-12-19 10:03:46 +01:00
Manuel Pégourié-Gonnard
464147cadc Fix SSLv3 MAC computation
In a previous PR (Fix heap corruption in implementation of truncated HMAC
extension #425) the place where MAC is computed was changed from the end of
the SSL I/O buffer to a local buffer (then (part of) the content of the local
buffer is either copied to the output buffer of compare to the input buffer).

Unfortunately, this change was made only for TLS 1.0 and later, leaving SSL
3.0 in an inconsistent state due to ssl_mac() still writing to the old,
hard-coded location, which, for MAC verification, resulted in later comparing
the end of the input buffer (containing the computed MAC) to the local buffer
(uninitialised), most likely resulting in MAC verification failure, hence no
interop (even with ourselves).

This commit completes the move to using a local buffer by using this strategy
for SSL 3.0 too. Fortunately ssl_mac() was static so it's not a problem to
change its signature.
2017-12-18 18:04:59 +01:00
Manuel Pégourié-Gonnard
6774fa6e87 Merge branch 'development' into development-restricted
* development:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:43:35 +01:00
Manuel Pégourié-Gonnard
535553e7d8 Merge remote-tracking branch 'public/pr/1184' into development
* public/pr/1184:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:42:30 +01:00
Hanno Becker
1434a365a6 Don't split error code description across multiple lines 2017-12-13 11:24:49 +00:00
Gilles Peskine
880c6e74a1 Merge branch 'development' into development-restricted 2017-12-04 18:00:26 +00:00
Gilles Peskine
ff01e009e6 Merge branch 'pr_1043' into development 2017-12-01 23:42:17 +01:00
Gilles Peskine
e3783da0b2 Merge remote-tracking branch 'upstream-public/pr/1172' into development 2017-12-01 22:36:21 +01:00
Gilles Peskine
02e28fe0fd Merge remote-tracking branch 'upstream-restricted/pr/425' into development-restricted 2017-12-01 17:58:12 +01:00
Gilles Peskine
832f349f93 Fix build without MBEDTLS_FS_IO
Fix missing definition of mbedtls_zeroize when MBEDTLS_FS_IO is
disabled in the configuration.

Introduced by e7707228b4
    Merge remote-tracking branch 'upstream-public/pr/1062' into development
2017-11-30 12:03:27 +01:00
Gilles Peskine
0960f0663e Merge branch 'development' into development-restricted 2017-11-29 21:07:55 +01:00
Gilles Peskine
0884f4811b Merge remote-tracking branch 'upstream-public/pr/1141' into development 2017-11-29 20:50:59 +01:00
Gilles Peskine
183de312f9 Merge remote-tracking branch 'upstream-public/pr/895' into development 2017-11-29 20:49:21 +01:00
Hanno Becker
1df4923eb1 Remove compile-time deprecation warning for TRUNCATED_HMAC_COMPAT 2017-11-29 16:55:56 +00:00
Gilles Peskine
7fb29b17c7 Merge branch 'development' into development-restricted 2017-11-28 18:46:09 +01:00
Gilles Peskine
4daffe236a Merge branch 'pr_1025' into development
Merge PR #1025 + ChangeLog entry
2017-11-28 18:23:53 +01:00
Gilles Peskine
ea8d697fa2 Merge remote-tracking branch 'upstream-public/pr/1089' into development
Resolve trivial conflict due to additions in the same place in
tests/data_files/Makefile; minor comment/whitespace presentation
improvements.
2017-11-28 17:32:32 +01:00
Gilles Peskine
f2421210a5 Merge remote-tracking branch 'upstream-public/pr/828' into development 2017-11-28 17:22:37 +01:00
Gilles Peskine
9c3573a962 Merge remote-tracking branch 'upstream-public/pr/988' into development 2017-11-28 17:08:03 +01:00
Gilles Peskine
41e974178f Merge remote-tracking branch 'upstream-restricted/pr/419' into development-restricted
Resolved simple conflicts caused by the independent addition of
calls to mbedtls_zeroize with sometimes whitespace or comment
differences.
2017-11-28 16:16:27 +01:00
Gilles Peskine
9c8ac0ce2c Merge remote-tracking branch 'upstream-restricted/pr/404' into development-restricted 2017-11-28 15:50:02 +01:00
Hanno Becker
6e5dd79a43 Fix compilation warning on MSVC
MSVC complains about the negation in `(uint32_t) -1u`. This commit fixes this by
using `(uint32_t) -1` instead.
2017-11-28 14:34:04 +00:00
Gilles Peskine
7ca6d1fdd4 Merge remote-tracking branch 'upstream-restricted/pr/399' into development-restricted 2017-11-28 14:17:53 +01:00
Gilles Peskine
c753f5daf4 Merge remote-tracking branch 'upstream-restricted/pr/369' into development-restricted 2017-11-28 14:16:47 +01:00
Hanno Becker
63073aa3d3 Don't require P,Q in rsa_private in case of non-blinded non-CRT
For non-CRT, P and Q are only used for the purpose of blinding the exponent.
2017-11-27 15:33:18 +00:00
Gilles Peskine
2507267cd4 Merge branch 'development' into development-restricted 2017-11-24 16:05:49 +01:00
Gilles Peskine
e7707228b4 Merge remote-tracking branch 'upstream-public/pr/1062' into development 2017-11-24 15:35:50 +01:00
Gilles Peskine
7635cde35c Merge branch 'development' into development-restricted 2017-11-23 20:06:04 +01:00
Gilles Peskine
68306ed31f Merge remote-tracking branch 'upstream-public/pr/1094' into development 2017-11-23 20:02:46 +01:00
Gilles Peskine
1a2640c025 Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge' into development-restricted 2017-11-23 18:58:30 +01:00
Manuel Pégourié-Gonnard
bfa8df4c7e Merge remote-tracking branch 'restricted/pr/416' into development-restricted
* restricted/pr/416:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:10:01 +01:00
Hanno Becker
4c2ac7ef58 Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 2017-11-21 18:28:35 +00:00
Hanno Becker
563423fb21 Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option
Explain more clearly when this option should be used and which versions of Mbed
TLS build on the non-compliant implementation.
2017-11-21 17:20:17 +00:00
Hanno Becker
e89353a6b4 Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated
yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to
temporarily fall back to the old, non-compliant implementation of the truncated
HMAC extension.
2017-11-20 16:50:43 +00:00
Hanno Becker
81c7b18351 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-11-20 16:25:50 +00:00
Hanno Becker
992b6872f3 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 08:52:25 +00:00
Darryl Green
c64a48bec7 Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-17 17:09:17 +00:00
Manuel Pégourié-Gonnard
888fedea06 Merge branch 'development' into development-restricted
* development: (30 commits)
  update README file (#1144)
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Minor style fix
  config.pl get: be better behaved
  config.pl get: don't rewrite config.h; detect write errors
  Fixed "config.pl get" for options with no value
  Fix typo and bracketing in macro args
  Ensure failed test_suite output is sent to stdout
  Remove use of GNU sed features from ssl-opt.sh
  Fix typos in ssl-opt.sh comments
  Add ssl-opt.sh test to check gmt_unix_time is good
  Extend ssl-opt.h so that run_test takes function
  Always print gmt_unix_time in TLS client
  Restored note about using minimum functionality in makefiles
  Note in README that GNU make is required
  Fix changelog for ssl_server2.c usage fix
  ...
2017-11-14 08:24:22 +01:00
Hanno Becker
05c4fc8608 Correct typo in debugging message 2017-11-09 14:34:06 +00:00
Andres Amaya Garcia
849bc65bbf Fix x509_get_subject_alt_name to drop invalid tag
Fix the x509_get_subject_alt_name() function to not accept invalid
tags. The problem was that the ASN.1 class for tags consists of two
bits. Simply doing bit-wise and of the CONTEXT_SPECIFIC macro with the
input tag has the potential of accepting tag values 0x10 (private)
which would indicate that the certificate has an incorrect format.
2017-11-07 19:34:35 +00:00
Ron Eldor
22360825ae Address PR review comments
set `cache->chain` to NULL,
instead of setting the whole structure to zero.
2017-10-29 17:53:52 +02:00
Manuel Pégourié-Gonnard
3f81691d29 Revert to old behaviour of profile_check_key()
Was never documented to check for key alg compatibility, so should not start
doing so. Just stop relying on the pk_alg argument instead.
2017-10-26 10:24:16 +02:00
Manuel Pégourié-Gonnard
19773ff835 Avoid comparing size between RSA and EC keys 2017-10-24 10:51:26 +02:00
Hanno Becker
e41158ba10 Add comment on the meaning of ssl->in_offt == NULL 2017-10-23 13:30:32 +01:00
Hanno Becker
e72489de11 Remove internal references and use milder wording for some comments 2017-10-23 13:23:50 +01:00
Hanno Becker
a6fb089efc Don't split debug messages 2017-10-23 13:17:48 +01:00
Hanno Becker
27b34d5bad Wrong identifier used to check Encrypt-then-MAC flag
This commit fixes a comparison of ssl_session->encrypt_then_mac against the
ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead,
MBEDTLS_SSL_ETM_DISABLED should be used.

The typo is has no functional effect since both constants have the same value 0.
2017-10-20 14:24:51 +01:00
Gilles Peskine
91048a3aac RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-19 17:46:14 +02:00
Gilles Peskine
b00b0da452 RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:23:49 +02:00
Gilles Peskine
139108af94 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:03:42 +02:00
Manuel Pégourié-Gonnard
08c36635cb Avoid possible miscast of PK key
I don't think this can cause a crash as the member accessed is in the
beginning of the context, so wouldn't be outside of valid memory if the actual
context was RSA.

Also, the mismatch will be caught later when checking signature, so the cert
chain will be rejected anyway.
2017-10-18 14:57:11 +02:00
Manuel Pégourié-Gonnard
900fba616f Fix check_wildcard() calling convention
We shouldn't return a surprising value in case there is no wildcard and then
rely on the caller to ensure that this doesn't happen
2017-10-18 14:40:13 +02:00
Manuel Pégourié-Gonnard
08eacecc62 Fix some style issues and comment typos 2017-10-18 14:40:11 +02:00
Hanno Becker
888071184c Zeroize stack before returning from mpi_fill_random 2017-10-18 12:41:30 +01:00
Gilles Peskine
6a54b0240d RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:12:36 +02:00
Gilles Peskine
28a0c72795 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:01:38 +02:00
Ron Eldor
e1a9a4a826 Fix crash when calling mbedtls_ssl_cache_free twice
Set `cache` to zero at the end of `mbedtls_ssl_cache_free` #1104
2017-10-17 18:15:41 +03:00
Hanno Becker
7c8cb9c28b Fix information leak in ecp_gen_keypair_base
The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-17 15:19:38 +01:00
Hanno Becker
073c199224 Make mpi_read_binary time constant
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
2017-10-17 15:17:27 +01:00
Ron Eldor
3f2da84bca Resolve PR review comments
1) Fix style comments
2) Fix typo in Makefile
3) Remove the `MBEDTLS_MD5_C` dependency from test data file,
as the used keys are not encrypted
2017-10-17 15:53:32 +03:00
Hanno Becker
40f8b51221 Add comments on the use of the renego SCSV and the renego ext 2017-10-17 11:03:50 +01:00
Hanno Becker
21df7f90d2 Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused
Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake
messages in `mbedtls_ssl_read` (expecting application data) lead to the
connection being closed. This commit fixes this, restricting the
`MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting
renegotiation requests and aborting renegotiation attempts after too many
unexpected records have been received.
2017-10-17 11:03:26 +01:00
Hanno Becker
b4ff0aafd9 Swap branches accepting/refusing renegotiation in in ssl_read 2017-10-17 11:03:04 +01:00
Hanno Becker
580869dae8 Handle RSA_EXPORT_UNSUPPORTED error code in strerror 2017-10-17 10:34:04 +01:00
Hanno Becker
f8c028a2fb Minor corrections 2017-10-17 09:20:57 +01:00
Hanno Becker
4055a3a16f Shorten prime array in mbedtls_rsa_deduce_primes 2017-10-17 09:15:26 +01:00
Hanno Becker
c36aab69b5 Swap D,E parameters in mbedtls_rsa_deduce_primes 2017-10-17 09:15:06 +01:00
Ron Eldor
5472d43ffb Fix issues when MBEDTLS_PEM_PARSE_C not defined
1) Fix compilatoin issues when `MBEDTLS_PEM_PARSE_C` not defined
2) remove dependency for `MBEDTLS_PEM_PARSE_C` in DER tests
2017-10-17 09:50:39 +03:00
Ron Eldor
40b14a894b change order of parsing public key
First parse PEM, and if fails, parse DER. Use some convention as
in parsing the private key (`mbedtls_pk_parse_key`)
2017-10-17 09:40:33 +03:00
Ron Eldor
84df1aeeaf use internal pk_get_rsapubkey function
1) use `pk_get_rsapubkey` function instead of `pk_parse_key_pkcs1_der`
2) revert changes in `pk_parse_key_pkcs1_der`
2017-10-16 17:14:46 +03:00
Ron Eldor
b006518289 Resolve PR review comments
1) use `pk_get_rsapubkey` instead of reimplementing the parsing
2) rename the key files, according to their type and key size
3) comment in the data_files/Makefile hoe the keys were generated
4) Fix issue of failure parsing pkcs#1 DER format parsing, missed in previous commit
2017-10-16 12:40:27 +03:00
Andres Amaya Garcia
735b37eeef Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 23:21:37 +01:00
Ron Eldor
73a381772b Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
bd9d42c236 Fix typo and bracketing in macro args 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
106637fc2d Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 19:54:46 +01:00
Ron Eldor
3226d36d61 Fix typo in configuration
Change duplicate of MBEDTLS_ECDH_GEN_PUBLIC_ALT to
MBEDTLS_ECDH_COMPUTE_SHARED_ALT
2017-10-12 14:17:48 +03:00
Hanno Becker
ebd2c024dc Don't require P,Q in rsa_private if neither CRT nor blinding used 2017-10-12 10:57:39 +01:00
Hanno Becker
efa14e8b0c Reduce number of MPI's used in pk_parse_key_pkcs1_der
As the optional RSA parameters DP, DQ and QP are effectively discarded (they are only considered for their length to
ensure that the key fills the entire buffer), it is not necessary to read them into separate MPI's.
2017-10-11 19:45:19 +01:00
Hanno Becker
b82a5b554c Fix typos and mixup related to RSA_NO_CRT 2017-10-11 19:12:00 +01:00
Hanno Becker
5d42b53e51 Enhance documentation and performance of mbedtls_rsa_deduce_primes 2017-10-11 16:36:00 +01:00
Hanno Becker
7643d4e30c Fix number of loop iterations in mbedtls_deduce_primes
The number of loop iterations per candidate in `mbedtls_deduce_primes` was off
by one. This commit corrects this and removes a toy non-example from the RSA
test suite, as it seems difficult to have the function fail on small values of N
even if D,E are corrupted.
2017-10-11 16:32:49 +01:00
Hanno Becker
14a00c0578 Add early detection of bad parameters in mbedtls_deduce_primes 2017-10-11 12:58:23 +01:00
Ron Eldor
8dd73e62d2 Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 12:49:00 +01:00
Hanno Becker
a565f54c4c Introduce new files rsa_internal.[ch] for RSA helper functions
This commit splits off the RSA helper functions into separate headers and
compilation units to have a clearer separation of the public RSA interface,
intended to be used by end-users, and the helper functions which are publicly
provided only for the benefit of designers of alternative RSA implementations.
2017-10-11 11:00:19 +01:00
Hanno Becker
705fc68d72 Unify sanity checks for RSA private and public keys 2017-10-10 18:01:25 +01:00
Hanno Becker
e867489ff6 Remove outdated comments from mbedtls_rsa_complete 2017-10-10 17:56:14 +01:00
Ron Eldor
a84c1cb355 Address PR cpomments reviews
1) move the change into Features from Changes, in the changLog
2) Change the feature alternative configuration MBEDTLS_ECDH_ALT
definition to function alternative defintions
MBEDTLS_ECDH_COMPUTE_SHARED_ALT and MBEDTLS_ECDH_GEN_PUBLIC_ALT
2017-10-10 19:04:27 +03:00
Hanno Becker
7f25f850ac Adapt uses of mbedtls_rsa_complete to removed PRNG argument 2017-10-10 16:56:22 +01:00
Hanno Becker
f9e184b9df Remove PRNG argument from mbedtls_rsa_complete 2017-10-10 16:55:41 +01:00
Ron Eldor
314adb6baa Address PR review comments
1) update ChangLog to have new feature in Features instead of Changes
2) Change MBEDTLS_ECDSA_ALT to function specific alternative definitions:
MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and MBEDTLS_ECDSA_GENKEY_ALT
2017-10-10 18:49:02 +03:00
Hanno Becker
68b4d58bd8 Remove PRNG argument from mbedtls_rsa_deduce_moduli
It is not necessary to pass a CSPRNG to `mbedtls_rsa_deduce_moduli`, as there
exist well-working static strategies, and even if a PRNG is preferred, a
non-secure one would be sufficient.

Further, the implementation is changed to use a static strategy for the choice
of candidates which according to some benchmarks even performs better than the
previous one using random candidate choices.
2017-10-10 16:39:10 +01:00
Hanno Becker
c76c619dd0 Reconcile resending of previous flights
This commit reconciles the code path responsible for resending the
final DTLS handshake flight with the path for handling resending of
the other flights.
2017-10-10 16:04:49 +01:00
Hanno Becker
90333dab85 Replace wrong usage of WANT_READ by CONTINUE_PROCESSING 2017-10-10 16:04:48 +01:00
Hanno Becker
8ec8102c9a Split WANT_READ in two error codes
This commit restricts WANT_READ to indicate that no data is available on the
underlying transport. To signal the need for further processing - which was
previously also handled through this error code - a new internal error code
MBEDTLS_ERR_SSL_CONTINUE_PROCESSING is introduced.
2017-10-10 16:04:48 +01:00
Hanno Becker
4cb1f4d49c Style corrections 2017-10-10 16:04:48 +01:00
Hanno Becker
52c6dc64c6 Correct length check for DTLS records from old epochs.
DTLS records from previous epochs were incorrectly checked against the
current epoch transform's minimal content length, leading to the
rejection of entire datagrams. This commit fixed that and adapts two
test cases accordingly.

Internal reference: IOTSSL-1417
2017-10-10 16:04:32 +01:00
Hanno Becker
8b170a0a0b Enhance and extend checking of message processing state
-  Enhances the documentation of mbedtls_ssl_get_bytes_avail (return
   the number of bytes left in the current application data record, if
   there is any).
-  Introduces a new public function mbedtls_ssl_check_pending for
   checking whether any data in the internal buffers still needs to be
   processed. This is necessary for users implementing event-driven IO
   to decide when they can safely idle until they receive further
   events from the underlying transport.
2017-10-10 16:04:32 +01:00
Hanno Becker
e09ca3d9b6 Add polling function for network contexts
This commit adds a function `mbedtls_net_poll` to the network module
allowing to check if a network context is available for read or write.
2017-10-10 16:03:18 +01:00
Hanno Becker
e65ce7862a Enhance debugging output in ssl_tls.c
Give a note on the debugging output on the following occasions:
(1) The timer expires in mbedtls_ssl_fetch_input
(2) There's more than one records within a single datagram
2017-10-10 16:02:36 +01:00
Ron Eldor
d0c56de934 Add support for public keys encoded with PKCS#1
1) Add support for public keys encoded with PKCS#1
2) Add tests for PKCS#1 PEM and DER, and PKCS#8 DER
2017-10-10 17:12:07 +03:00
Andres Amaya Garcia
86968c6dd1 Fix typo and bracketing in macro args 2017-10-07 18:29:03 +01:00
Andres Amaya Garcia
6bce9cb5ac Always print gmt_unix_time in TLS client
Change ssl_parse_server_hello() so that the parsed first four random
bytes from the ServerHello message are printed by the TLS client as
a Unix timestamp regardless of whether MBEDTLS_DEBUG_C is defined. The
debug message will only be printed if debug_level is 3 or higher.

Unconditionally enabling the debug print enabled testing of this value.
2017-10-06 11:59:13 +01:00
Hanno Becker
1a9a51c7cf Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-10-06 11:58:50 +01:00
Hanno Becker
947194e7cf Make mbedtls_ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-10-06 11:58:50 +01:00
Andres Amaya Garcia
074c58f08b Always print gmt_unix_time in TLS client
Change ssl_parse_server_hello() so that the parsed first four random
bytes from the ServerHello message are printed by the TLS client as
a Unix timestamp regardless of whether MBEDTLS_DEBUG_C is defined. The
debug message will only be printed if debug_level is 3 or higher.

Unconditionally enabling the debug print enabled testing of this value.
2017-10-06 11:55:32 +01:00
Hanno Becker
bc389d1d3c Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code 2017-10-05 11:49:53 +01:00
Hanno Becker
3cdc711972 Deprecate usage of RSA primitives with wrong key type
Further, state explicitly that wrong key types need not be supported by alternative RSA implementations, and that those
may instead return the newly introduced error code MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
2017-10-05 10:28:21 +01:00
Hanno Becker
a90658f248 Add ssl_conf_dh_param_bin superseding ssl_conf_dh_param 2017-10-04 15:29:08 +01:00
Hanno Becker
470a8c4d87 Deprecate mbedtls_ssl_conf_dh_param 2017-10-04 15:28:46 +01:00
Hanno Becker
184f675256 Improve debugging output 2017-10-04 13:47:33 +01:00
Hanno Becker
a6dd90de30 Add error string for failure code in mbedtls_dhm_set_group 2017-10-04 13:17:52 +01:00
Hanno Becker
ab74056037 Make use of mbedtls_dhm_set_group when generating DHM params 2017-10-04 13:17:52 +01:00
Hanno Becker
8880e75dcb Add new function mbedtls_dhm_set_group to DHM Group 2017-10-04 13:17:52 +01:00
Hanno Becker
00d0a6834a Adapt code setting default DHM parameters 2017-10-04 13:17:49 +01:00
Hanno Becker
e2fcfa84ea Stick to the use of constant-macros
This commit returns to using constant macros instead of global variables for the DHM group constants. Further, macros
providing the binary encoding of the primes from RFC 3526 and RFC 7919 are added. The hex-string macros are deprecated.
2017-10-04 13:12:15 +01:00
Hanno Becker
0f65e0ca03 Rename rsa_deduce_moduli to rsa_deduce_primes 2017-10-03 14:40:44 +01:00
Hanno Becker
8ba6ce4f4f Rename rsa_deduce_private to rsa_deduce_private_exponent 2017-10-03 14:40:43 +01:00
Hanno Becker
45a0ef32d9 Correct memory leak in mbedtls_rsa_validate_crt 2017-10-03 14:32:56 +01:00
Hanno Becker
e58d38c66f Minor improvements 2017-10-03 07:59:29 +01:00
Hanno Becker
2b2f898cbd Streamline code-path in rsa_rsassa_pkcs1_v15_encode 2017-10-03 07:59:29 +01:00
Hanno Becker
64a8c0acd6 Verify PKCS1 v1.5 signature without parsing
This commit modifies the PKCS1 v1.5 signature verification function `mbedtls_rsa_rsassa_pkcs1_v15_verify` to prepare the
expected PKCS1-v1.5-encoded hash using the function also used by the signing routine `mbedtls_rsa_rsassa_pkcs1_v15_sign`
and comparing it to the provided byte-string afterwards. This comes at the benefits of (1) avoiding any error-prone
parsing, (2) removing the dependency of the RSA module on the ASN.1 parsing module, and (3) reducing code size.
2017-10-03 07:58:00 +01:00
Hanno Becker
fdf38030de Outsource code for generating PKCS1 v1.5 encoding
This commit moves the code preparing PKCS1 v1.5 encoded hashes from `mbedtls_rsa_rsassa_pkcs1_v15_sign` to a separate
non-public function `rsa_rsassa_pkcs1_v15_encode`. This code-path will then be re-used by the signature verification function
`mbetls_rsa_rsassa_pkcs1_v15_verify` in a later commit.
2017-10-03 07:58:00 +01:00
Hanno Becker
171a8f1c95 Move constant time memcmp for signature verification
This commit replaces the ad-hoc code for constant-time double-checking the PKCS1 v1.5 RSA signature by an invocation of
`mbedtls_safer_memcmp`.
2017-10-03 07:58:00 +01:00
Hanno Becker
2dec5e8b00 Correct outdated comment 2017-10-03 07:49:52 +01:00
Hanno Becker
4e1be398f6 Remove FORCE_VERIFICATION and FORCE_BLINDING 2017-10-02 16:02:55 +01:00
Hanno Becker
de6c1644cc Add brackets around arguments of internal macro DHM_MPI_EXPORT 2017-10-02 15:03:15 +01:00
Hanno Becker
b5beaa8995 Check that 1 < D, E < N in mbedtls_rsa_validate_params 2017-10-02 13:20:20 +01:00
Hanno Becker
c6fc878eda Remove mbedtls_rsa_check_crt
This is no longer needed after the decision to not exhaustively validate private key material.
2017-10-02 13:20:15 +01:00
Hanno Becker
98838b04af Minor improvements 2017-10-02 13:17:01 +01:00
Hanno Becker
7471631dde Make input arguments to mbedtls_rsa_import_raw constant
Original intention was to be allowed to perform in-place operations like changing the byte-order before importing
parameters into an HSM. Now a copy is needed in this case, but there's no more danger of a user expecting the arguments
to be left untouched.
2017-10-02 13:17:01 +01:00
Hanno Becker
bdefff1dde Change signature of mbedtls_rsa_deduce_private
Make input arguments constant and adapt the implementation to use a temporary instead of in-place operations.
2017-10-02 09:59:48 +01:00
Hanno Becker
ba5b755f1a Change signature and semantics of mbedtls_rsa_deduce_moduli
Input arguments are marked as constant. Further, no double-checking is performed when a factorization of the modulus has
been found.
2017-10-02 09:55:49 +01:00
Hanno Becker
2f38a43d3a Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-09-30 23:35:21 +01:00
Hanno Becker
39f5d359f5 Make mbedtls_ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-09-30 23:35:02 +01:00
Hanno Becker
b4274210a4 Improve documentation in pkparse.c
State explicitly that `pk_parse_pkcs8_undencrypted_der` and `pk_parse_key_pkcs8_encrypted_der` are not responsible for
zeroizing and freeing the provided key buffer.
2017-09-29 19:18:51 +01:00
Hanno Becker
f04111f5c5 Fix typo 2017-09-29 19:18:42 +01:00
Hanno Becker
56bae95e1d Improve style and documentation, fix typo 2017-09-29 15:43:49 +01:00
Hanno Becker
2fdffe0da0 Check exactly for the RSA context fields required in rsa_private
Previously, the code was also checking for the presence of D for RSA-CRT, which
is not needed in this case.
2017-09-29 15:28:49 +01:00
Hanno Becker
bead71752e Correct typo in rsa.c 2017-09-29 12:41:06 +01:00
Hanno Becker
ba1ba11a98 Check that length is properly set in mbedtls_rsa_check_pubkey 2017-09-29 11:54:05 +01:00
Hanno Becker
2f8f06aa25 Don't always recompute context length in mbedtls_rsa_get_len
This commit changes the implementation of `mbedtls_rsa_get_len` to return
`ctx->len` instead of always re-computing the modulus' byte-size via
`mbedtls_mpi_size`.
2017-09-29 11:54:05 +01:00
Hanno Becker
2cca6f3290 Always deduce N from P, Q in mbedtls_rsa_complete
Previously, a parameter set of (-, P, Q, -, E) was completed, but (-, P, Q, D,
E) wasn't - this is odd.
2017-09-29 11:54:05 +01:00
Hanno Becker
a6f5539413 Adapt version_features.c to new config options 2017-09-28 13:10:46 +01:00
Hanno Becker
e71ad12cd5 Minor code-improvements in dhm.c 2017-09-28 11:06:31 +01:00
Hanno Becker
2c9f027e32 Don't require P,Q if CRT is not used
Previously, verification used P,Q regardless of whether CRT was used in the
computation, but this has changed in the meantime.
2017-09-28 11:04:13 +01:00
Hanno Becker
8d1dd1b5b9 Fix bug in mbedtls_mpi_exp_mod
Calling `mbedtls_mpi_exp_mod` with a freshly initialized exponent MPI `N`,
i.e. `N.p == NULL`, would lead to a null-pointer dereference.
2017-09-28 11:02:24 +01:00
Hanno Becker
4c72b000cb Add const-qualifiers to prime constants 2017-09-27 16:06:37 +01:00
Hanno Becker
8c8b0ab877 Change default Diffie-Hellman parameters from RFC 5114 to RFC 7919
The origin of the primes in RFC 5114 is undocumented and their use therefore
constitutes a security risk.
2017-09-27 12:43:57 +01:00
Hanno Becker
b2bad800e4 Introduce Diffie-Hellman parameters from RFC 7919 2017-09-27 12:43:55 +01:00
Hanno Becker
0e6dc84f3e Deprecate Diffie-Hellman groups from RFC 5114
Also, change the way the standardized Diffie-Hellman groups are provided from
macro-based string-literals to global variables.
2017-09-27 11:48:02 +01:00
Ron Eldor
2981a0a740 Address Andres PR comments
Address Andres' comments in the PR
2017-09-24 15:41:09 +03:00
Jaeden Amero
1526330931 Allow alternate implementation of GCM
Provide the ability to use an alternative implementation of GCM in place
of the library-provided implementation.
2017-09-22 17:42:44 +01:00
Hanno Becker
d8a6f7cfbe Clarify code-paths in x509write_csr and x509write_crt 2017-09-22 16:05:43 +01:00
Hanno Becker
a20e33ad59 Use X509 CRT version macros for version checks in x509write_crt_der 2017-09-22 15:40:01 +01:00
Janos Follath
1ad1c6d4e1 Fix typo 2017-09-21 12:05:30 +01:00
Janos Follath
aa325d7b7f DHM: Fix dhm_check_range() always returning 0
Although the variable ret was initialised to an error, the
MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being
0 whenewer the bignum computation was successfull and stayed 0
independently of the actual check.
2017-09-21 12:04:41 +01:00
Florin
0b7b83fd91 Fixed SIGSEGV problem when writing with ssl_write_real a buffer that is over MBEDTLS_SSL_MAX_CONTENT_LEN bytes
Signed-off-by: Florin <petriuc.florin@gmail.com>
2017-09-18 16:11:42 +01:00
Hanno Becker
2b187c4d5f Correct typo 2017-09-18 16:11:42 +01:00
Ron Eldor
4a2fb4c6be Addres review comments
Resolves comments raised in the review
2017-09-18 13:43:05 +03:00
Ron Eldor
147d142948 Add log and fix stle issues
Address Andres comments of PR
2017-09-18 13:05:53 +03:00
Ron Eldor
714785dcc2 Write correct number of ciphersuites in log
Change location of log, to fit the correct number of used ciphersuites
2017-09-18 13:05:48 +03:00
Hanno Becker
9648f8b59c Add run-time check for handshake message size in ssl_write_record 2017-09-18 10:56:15 +01:00
Hanno Becker
d33f1ca34c Add run-time check for record content size in ssl_encrypt_buf 2017-09-18 10:56:14 +01:00
Andres Amaya Garcia
01692531c6 Document code silently discarding invalid records 2017-09-14 20:20:31 +01:00
Andres Amaya Garcia
2fad94b193 Dont send alert on invalid DTLS record type
Do not send fatal alerts when receiving a record with an invalid header
while running DTLS as this is not compliant behaviour.
2017-09-14 20:18:37 +01:00
Hanno Becker
d4a872ee67 Rename internal MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG
This commit renames the test-only flag MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG to make it more transparent
that it's an internal flag, and also to content the testscript tests/scripts/check-names.pl which previously complained
about the macro occurring in a comment in `entropy.c` without being defined in a library file.
2017-09-14 08:04:13 +01:00
Hanno Becker
45037ceac5 Add check for presence of relevant parameters in mbedtls_rsa_private
If CRT is used, check for the presence N, P, Q, D, E, DP, DQ and QP. If CRT is
not used, check for N, P, Q, D, E only.
2017-09-14 08:02:14 +01:00
Hanno Becker
81535d0011 Minor style and typo corrections 2017-09-14 07:51:54 +01:00
Hanno Becker
476986547b Omit version from X.509 v1 certificates
The version field in an X.509 certificate is optional and defaults to v1, so it
may be omitted in this case.
2017-09-14 07:51:54 +01:00
Hanno Becker
d7f3520360 Don't add extensions for X.509 non-v3 certificates
This commit removes extension-writing code for X.509 non-v3 certificates from
mbedtls_x509write_crt_der. Previously, even if no extensions were present an
empty sequence would have been added.
2017-09-14 07:51:54 +01:00
Hanno Becker
fc77144802 Fix extraction of signature-type from PK context instance 2017-09-14 07:51:54 +01:00
Hanno Becker
9be1926b69 Correct parsing checks in mbedtls_pk_parse_key
Two code-paths in `mbedtls_pk_parse_key` returned success on a failure in `mbedtls_pk_setup`.
2017-09-08 12:39:44 +01:00
Hanno Becker
66a0f83d58 Remove unreachable branches in pkparse.c 2017-09-08 12:39:21 +01:00
Hanno Becker
b8d1657148 Mention in-place decryption in pk_parse_key_pkcs8_encrypted_der
Also fixes a typo.
2017-09-07 15:29:01 +01:00
Hanno Becker
2aa80a706f Remove unnecessary cast 2017-09-07 15:28:45 +01:00
Hanno Becker
a988a2702a Emit deprecation warning if MBEDTLS_RSA_FORCE_BLINDING is not set 2017-09-07 13:11:33 +01:00
Ron Eldor
bc18eb3b92 Fix compilation error with Mingw32
Fix compilation error on Mingw32 when `_TRUNCATE` is defined. Use
`_TRUNCATE` only if `__MINGW32__` not defined. Fix suggested by
Thomas Glanzmann and Nick Wilson on issue #355
2017-09-06 17:51:14 +03:00
Ron Eldor
65112b15e6 Adress Hannos's comments
Remove zeroizing buffer, as it was done already in PR #369
Check that buffer is not null by `!= NULL` statement
2017-09-06 17:09:41 +03:00
Ron Eldor
9d84b4c102 update after Andres comments
Update after Andres coments:
1. zeroize the buffer in `mbedtls_pem_read_buffer()` before freeing it
2. use `mbedtls_zeroize()` instead of `memset()`
2017-09-05 17:17:31 +03:00
Ron Eldor
31162e4423 Set PEM buffer to zero before freeing it
Set PEM buffer to zero before freeing it, to avoid private keys
being leaked to memory after releasing it.
2017-09-05 15:34:35 +03:00
Ron Eldor
7268ca9500 remove redundant include
Remove redunadnat include for platform.h which was acciddently pushed,
for debugging purposes
2017-09-05 14:29:20 +03:00
Hanno Becker
9c6cb38ba8 Fix typo in pkparse.c 2017-09-05 10:08:01 +01:00
Manuel Pégourié-Gonnard
4b6e210d00 Merge branch 'mbedtls-2.6' into iotssl-1381-x509-verify-refactor-restricted
* mbedtls-2.6: (27 commits)
  Update version number to 2.6.0
  Fix language in Changelog for clarity
  Improve documentation of PKCS1 decryption functions
  Fix style and missing item in ChangeLog
  Add credit to Changelog to fix for #666
  Fix naked call to time() with platform call
  Fix ChangeLog for duplication after merge
  Rename time and index parameter to avoid name conflict.
  Correct comment
  Adapt ChangeLog
  Reliably zeroize sensitive data in AES sample application
  Reliably zeroize sensitive data in Crypt-and-Hash sample application
  Fix potential integer overflow parsing DER CRT
  Fix potential integer overflow parsing DER CRL
  Move the git scripts to correct path
  Update after @sbutcher-arm comments
  Fix slash direction for linux path
  Add note for the git_hoos README file
  Pre push hook script
  Check return code of mbedtls_mpi_fill_random
  ...
2017-08-31 10:09:43 +02:00
Hanno Becker
fab3569963 Use in-place decryption in pk_parse_pkcs8_encrypted_der
The stack buffer used to hold the decrypted key in pk_parse_pkcs8_encrypted_der
was statically sized to 2048 bytes, which is not enough for DER encoded 4096bit
RSA keys.

This commit resolves the problem by performing the key-decryption in-place,
circumventing the introduction of another stack or heap copy of the key.

There are two situations where pk_parse_pkcs8_encrypted_der is invoked:
1. When processing a PEM-encoded encrypted key in mbedtls_pk_parse_key.
   This does not need adaption since the PEM context used to hold the decoded
   key is already constructed and owned by mbedtls_pk_parse_key.
2. When processing a DER-encoded encrypted key in mbedtls_pk_parse_key.
   In this case, mbedtls_pk_parse_key calls pk_parse_pkcs8_encrypted_der with
   the buffer provided by the user, which is declared const. The commit
   therefore adds a small code paths making a copy of the keybuffer before
   calling pk_parse_pkcs8_encrypted_der.
2017-08-25 13:57:21 +01:00
Hanno Becker
771d30edac Add missing calls to mbedtls_pem_free in mbedtls_pk_parse 2017-08-25 13:57:21 +01:00
Hanno Becker
cc209ca56d Remove signature verification from rsa_rsassa_pkcs1_v15_sign
This verification path is redundant now that verification is uniformly done in
rsa_private.
2017-08-25 11:52:29 +01:00
Hanno Becker
43f94721ab Add quick-check for presence of relevant parameters in rsa_private 2017-08-25 11:52:27 +01:00
Hanno Becker
c6075cc5ac Don't use CRT for signature verification
If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.
2017-08-25 11:45:35 +01:00
Hanno Becker
b269a8584a Change mbedtls_rsa_check_privkey to use new helper functions 2017-08-25 08:35:09 +01:00
Hanno Becker
d9431a7817 Minor comments improvement 2017-08-25 08:35:09 +01:00
Hanno Becker
d363799a9d Add mbedtls_rsa_validate_crt
This commit adds the function mbedtls_rsa_validate_crt for validating a set of CRT parameters. The function
mbedtls_rsa_check_crt is simplified accordingly.
2017-08-25 08:35:09 +01:00
Hanno Becker
d56d83a7f3 Remove double-checking code from rsa_deduce_moduli and rsa_complete 2017-08-25 08:35:08 +01:00
Hanno Becker
750e8b4596 Rename rsa_check_params->rsa_validate_params and change error codes 2017-08-25 08:34:55 +01:00
Hanno Becker
fb81c0ec2e Guard primality checks in RSA module by MBEDTLS_GENPRIME
Primality testing is guarded by the configuration flag MBEDTLS_GENPRIME and used in the new RSA helper functions. This
commit adds a corresponding preprocessor directive.
2017-08-24 06:55:11 +01:00
Hanno Becker
ab3773123c Add support for alternative RSA implementations
Alternative RSA implementations can be provided by defining MBEDTLS_RSA_ALT in
config.h, defining an mbedtls_rsa_context struct in a new file rsa_alt.h and
re-implementing the RSA interface specified in rsa.h.

Through the previous reworkings, the adherence to the interface is the only
implementation obligation - in particular, implementors are free to use a
different layout for the RSA context structure.
2017-08-23 16:24:51 +01:00
Hanno Becker
6345dd33b9 Adapt rsa_check_privkey to deal with NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
bee3aaeb50 Adapt rsa_gen_key to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00