Commit Graph

2677 Commits

Author SHA1 Message Date
Hanno Becker
e6a5ee7b72 Add explicit unsigned-to-signed integer conversion
The previous code triggered a compiler warning because of a comparison
of a signed and an unsigned integer.

The conversion is safe because `len` is representable by 16-bits,
hence smaller than the maximum integer.
2018-10-10 15:50:17 +01:00
Hanno Becker
bab079e85e Fix bounds check in ssl_parse_server_psk_hint()
In the previous bounds check `(*p) > end - len`, the computation
of `end - len` might underflow if `end` is within the first 64KB
of the address space (note that the length `len` is controlled by
the peer). In this case, the bounds check will be bypassed, leading
to `*p` exceed the message bounds by up to 64KB when leaving
`ssl_parse_server_psk_hint()`. In a pure PSK-based handshake,
this doesn't seem to have any consequences, as `*p*` is not accessed
afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from
in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()`
which might lead to an application crash of information leakage.
2018-10-08 13:55:30 +01:00
Simon Butcher
86d32e690c Merge remote-tracking branch 'public/pr/1973' into mbedtls-2.1 2018-09-26 22:40:09 +01:00
Simon Butcher
d3a5393a38 Update library version number to 2.1.15 2018-08-31 16:10:48 +01:00
Simon Butcher
8d408fac1d Merge remote-tracking branch 'restricted/pr/438' into mbedtls-2.1-restricted 2018-08-28 15:35:41 +01:00
Simon Butcher
9add36bbcb Merge remote-tracking branch 'restricted/pr/497' into mbedtls-2.1-restricted 2018-08-28 15:31:41 +01:00
Simon Butcher
d22de0aaa7 Merge remote-tracking branch 'restricted/pr/492' into mbedtls-2.1-restricted 2018-08-28 15:23:56 +01:00
Simon Butcher
85e5bfd00c Merge remote-tracking branch 'public/pr/1889' into mbedtls-2.1 2018-08-28 12:26:33 +01:00
Simon Butcher
263ca7282e Merge remote-tracking branch 'public/pr/1957' into mbedtls-2.1 2018-08-28 12:17:38 +01:00
Simon Butcher
d288ac0e83 Merge remote-tracking branch 'public/pr/1959' into mbedtls-2.1 2018-08-28 11:53:47 +01:00
Hanno Becker
d636dd0cbb Fix bug in SSL ticket implementation removing keys of age < 1s
Fixes #1968.
2018-08-22 15:05:07 +01:00
Hanno Becker
42d267bbe4 Compute record expansion in steps to ease readability 2018-08-17 15:29:48 +01:00
Hanno Becker
07eb7ca17c Fix mbedtls_ssl_get_record_expansion() for CBC modes
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

Previously, it did not correctly estimate the maximum record expansion
in case of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
case the ciphertext is prefixed by an explicit IV.

This commit fixes this bug. Fixes #1914.
2018-08-17 10:11:28 +01:00
Hanno Becker
9e2237ac47 Fix overly strict bounds check in ssl_parse_certificate_request() 2018-08-16 15:53:17 +01:00
Hanno Becker
3328d8cf88 Reset session_in/out pointers in ssl_session_reset_int()
Fixes #1941.
2018-08-14 15:50:02 +01:00
Jaeden Amero
942cfea65f Merge remote-tracking branch 'upstream-public/pr/1815' into mbedtls-2.1 2018-08-10 11:00:40 +01:00
Jaeden Amero
e3bcd9a432 Merge remote-tracking branch 'upstream-public/pr/1887' into mbedtls-2.1 2018-08-10 10:50:03 +01:00
k-stachowiak
83f9fba987 Revert change of a return variable name 2018-07-31 17:13:26 +02:00
Philippe Antoine
795eea6e1c Fix undefined shifts
- in x509_profile_check_pk_alg
- in x509_profile_check_md_alg
- in x509_profile_check_key

and in ssl_cli.c : unsigned char gets promoted to signed integer
2018-07-26 22:51:18 +01:00
Angus Gratton
ba25ffef87 Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails
In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can
happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but
hasn't been asigned to grp->T yet).

Symptom was a memory leak in ECDHE key exchange under low memory conditions.
2018-07-26 11:09:37 +03:00
Jaeden Amero
dcec5bb527 Update version to 2.1.14 2018-07-25 15:42:55 +01:00
Simon Butcher
3339fe9a02 Merge remote-tracking branch 'restricted/pr/495' into mbedtls-2.1 2018-07-24 23:42:13 +01:00
Simon Butcher
642ddb555e Merge remote-tracking branch 'public/pr/1864' into mbedtls-2.1 2018-07-24 13:01:02 +01:00
k-stachowiak
d21e958c3e Fix code formatting 2018-07-24 12:53:54 +02:00
Simon Butcher
eebee76f93 Merge remote-tracking branch 'public/pr/1846' into mbedtls-2.1 2018-07-19 19:48:40 +01:00
Angus Gratton
fd1c5e8453 Check for invalid short Alert messages
(Short Change Cipher Spec & Handshake messages are already checked for.)
2018-07-16 20:20:51 +01:00
Angus Gratton
485b3930c9 TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-16 20:20:49 +01:00
Angus Gratton
1226dd7715 CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-16 20:20:44 +01:00
k-stachowiak
2d2d80b916 Prevent buffer overread by one byte 2018-07-16 12:27:23 +02:00
Manuel Pégourié-Gonnard
671f932a87 Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-12 10:20:33 +02:00
Manuel Pégourié-Gonnard
99b6a711c8 Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-12 10:20:33 +02:00
Manuel Pégourié-Gonnard
69675d056a Fix Lucky 13 cache attack on MD/SHA padding
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced
from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
If MD/SHA padding is read from a (static) buffer, a local attacker could get
information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
one, which is always read fully by the process() function.
2018-07-12 10:20:33 +02:00
Ron Eldor
2e7b686f71 Remove reference to ECJPAKE
Remove reference to `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` as branch
`mbedtls-2.1` doesn't have `ECJPAKE`. This definition was accidently
inserted in a backport.
2018-07-11 13:37:38 +03:00
Simon Butcher
57e9fe2df4 Merge remote-tracking branch 'public/pr/1808' into mbedtls-2.1 2018-07-10 14:59:56 +01:00
Simon Butcher
ec971d7434 Merge remote-tracking branch 'public/pr/1828' into mbedtls-2.1 2018-07-10 12:51:03 +01:00
k-stachowiak
4772a1fd3c Fix memory leak in ssl_setup 2018-07-09 10:43:37 +02:00
Philippe Antoine
bbc7918b6b Fixes different off by ones 2018-07-09 10:33:08 +02:00
Brendan Shanks
9e31693f67 x509.c: Remove unused includes
Remove unused includes guarded by MBEDTLS_FS_IO, which doesn't appear
anywhere else in the file.
2018-07-02 12:17:44 +01:00
niisato
8ba6ff578d about a issue Replace "new" variable #1782 2018-06-29 11:30:03 +01:00
Ron Eldor
b847d8f2a9 Add ecc extensions only if ecc ciphersuite is used
Fix compliancy to RFC4492. ECC extensions should be included
only if ec ciphersuites are used. Interoperability issue with
bouncy castle. #1157
2018-06-28 16:07:22 +03:00
Simon Butcher
e5828ce06c Merge remote-tracking branch 'public/pr/1771' into mbedtls-2.1 2018-06-28 11:38:18 +01:00
Ron Eldor
3dfbf406e5 Move definition of MBEDTLS_CIPHER_MODE_STREAM
Move definition of `MBEDTLS_CIPHER_MODE_STREAM` to header file
(`mbedtls_cipher_internal.h`), because it is used by more than
one file. Raised by TrinityTonic in #1719
2018-06-28 08:49:25 +03:00
Simon Butcher
b1c796ec48 Merge remote-tracking branch 'public/pr/1769' into mbedtls-2.1 2018-06-22 15:05:34 +01:00
Philippe Antoine
2c3c18039b Fix memory leak in mbedtls_x509_csr_parse 2018-06-22 12:19:33 +01:00
Simon Butcher
ad761c45b9 Fix multiple quality issues in the source
This PR fixes multiple issues in the source code to address issues raised by
tests/scripts/check-files.py. Specifically:
 * incorrect file permissions
 * missing newline at the end of files
 * trailing whitespace
 * Tabs present
 * TODOs in the souce code
2018-06-22 11:22:44 +01:00
Andres Amaya Garcia
b999a73eb4 Document ssl_write_real() behaviour in detail 2018-06-21 19:37:27 +01:00
Simon Butcher
6fc9ceece3 Change the library version to 2.1.13 2018-06-18 14:49:02 +01:00
Simon Butcher
0a715b1587 Merge remote-tracking branch 'public/pr/1656' into mbedtls-2.1 2018-06-17 18:02:57 +01:00
Simon Butcher
fd436b34eb Merge remote-tracking branch 'public/pr/1673' into mbedtls-2.1 2018-06-17 18:02:21 +01:00
Simon Butcher
577d39b930 Compilation warning fixes on 32b platfrom with IAR
Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683

This is based on work by Ron Eldor in PR #750.
2018-06-14 09:10:23 +01:00