Commit Graph

942 Commits

Author SHA1 Message Date
Simon Butcher
ea27c997c0 Improve documentation of PKCS1 decryption functions
Document the preconditions on the input and output buffers for
the PKCS1 decryption functions
 - mbedtls_rsa_pkcs1_decrypt,
 - mbedtls_rsa_rsaes_pkcs1_v15_decrypt
 - mbedtls_rsa_rsaes_oaep_decrypt
2017-08-01 23:00:34 +01:00
Hanno Becker
223f88dd2e Adapt ChangeLog 2017-07-28 22:15:31 +01:00
Hanno Becker
3948a101b6 Adapt ChangeLog 2017-07-28 21:42:50 +01:00
Simon Butcher
246bf6932d Fix duplication in Changelog introduced by merge 2017-07-28 13:08:07 +01:00
Ron Eldor
b5851193eb Backport 2.1: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-28 12:21:38 +01:00
Hanno Becker
58897fbd7d Correct indentation and labelling in ChangeLog 2017-07-28 12:20:48 +01:00
Janos Follath
4721831ffb Fix typos 2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
83765655dd Add ChangeLog entry for the security issue 2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
c386317298 Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
489939f829 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-28 12:20:47 +01:00
Andres AG
b322be507b Prevent signed integer overflow in CSR parsing
Modify the function mbedtls_x509_csr_parse_der() so that it checks the
parsed CSR version integer before it increments the value. This prevents
a potential signed integer overflow, as these have undefined behaviour
in the C standard.
2017-07-26 17:59:20 +01:00
Andres AG
1f06d9bac7 Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-26 17:57:43 +01:00
Andres AG
0ff660e0a6 Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-26 17:56:42 +01:00
Ron Eldor
a886ce3c88 Backport 2.1: Check rc of mbedtls_mpi_fill_random
Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken in #740
2017-07-20 01:25:53 +02:00
Ron Eldor
0fb3e0afb9 Backport: Resource leak fix on windows platform
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-20 01:05:47 +02:00
Ron Eldor
ee709f4d13 Backport 2.1: Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-20 00:47:20 +02:00
Ron Eldor
5ff277ee1e Backport 2.1: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-20 00:30:44 +02:00
Simon Butcher
fbb9837ad5 Update the version number to 2.1.8 2017-06-20 23:31:06 +01:00
Janos Follath
3fb1cc37a6 Improve Changelog 2017-06-16 14:15:08 +01:00
Manuel Pégourié-Gonnard
89930b354c Merge remote-tracking branch 'restricted/iotssl-1398_backport-2.1' into mbedtls-2.1-restricted
* restricted/iotssl-1398_backport-2.1:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:06:31 +02:00
Manuel Pégourié-Gonnard
43df7e6bb7 Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:47:42 +02:00
Hanno Becker
88647ace2b Add ChangeLog entry 2017-06-09 11:30:33 +01:00
Manuel Pégourié-Gonnard
e2356722c0 ChangeLog cosmetics 2017-06-08 20:36:58 +02:00
Manuel Pégourié-Gonnard
1defa8fd6d Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-2.1-restricted' into mbedtls-2.1-restricted
* restricted/iotssl-1138-rsa-padding-check-2.1-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:33:53 +02:00
Manuel Pégourié-Gonnard
63906d9200 Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-2.1' into mbedtls-2.1-restricted
* restricted/IOTSSL-1366/mbedtls-2.1:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:26:06 +02:00
Manuel Pégourié-Gonnard
640edc7810 Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-2.1' into mbedtls-2.1
* hanno/mpi_read_file_underflow_backport-2.1:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:51:19 +02:00
Manuel Pégourié-Gonnard
ebe391d1cd Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-2.1' into mbedtls-2.1
* hanno/sliding_exponentiation_backport-2.1:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:49:50 +02:00
Manuel Pégourié-Gonnard
431c2afe3e Merge remote-tracking branch 'janos/mbedtls-2.1-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-2.1
* janos/mbedtls-2.1-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:17:54 +02:00
Janos Follath
5ad678971d Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 15:59:21 +01:00
Hanno Becker
a3929bac1e Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:36:09 +01:00
Manuel Pégourié-Gonnard
b55f613601 Merge remote-tracking branch 'gilles/iotssl-1223/mbedtls-2.1' into mbedtls-2.1
* gilles/iotssl-1223/mbedtls-2.1:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:12:51 +02:00
Gilles Peskine
7344e1bd05 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 19:09:02 +02:00
Gilles Peskine
955738a4f2 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 19:08:19 +02:00
Manuel Pégourié-Gonnard
cd6e4d5bcc Merge remote-tracking branch 'restricted/mbedtls-2.1' into mbedtls-2.1
* restricted/mbedtls-2.1:
  Remove obsolete macros from compat-1.3.h
  Add fix for #667 to ChangeLog
  Fix bug in threading sample implementation #667
  Fix check-doxy-blocks.pl to run from root dir
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:23:05 +02:00
Manuel Pégourié-Gonnard
61946d2c68 Merge remote-tracking branch 'hanno/iotssl-1241-backport-2.1' into mbedtls-2.1
* hanno/iotssl-1241-backport-2.1:
  Improve documentation
  Split long lines.
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:21:01 +02:00
Manuel Pégourié-Gonnard
6820eba2bb Merge branch 'iotssl-1272-fix-RSA-cache-attack-2.1-restricted' into mbedtls-2.1
* iotssl-1272-fix-RSA-cache-attack-2.1-restricted:
  Add Changelog entry for RSA exponent blinding
  Add exponent blinding to RSA with CRT
  Add exponent blinding to RSA without CRT
2017-06-06 16:12:33 +02:00
Hanno Becker
aa8a2bd05a Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 11:04:50 +01:00
Gilles Peskine
39e2981b22 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 18:03:02 +02:00
Andres Amaya Garcia
71e37e1205 Remove obsolete macros from compat-1.3.h 2017-05-15 13:23:22 +01:00
Simon Butcher
67746c35c7 Add fix for #667 to ChangeLog 2017-05-15 13:23:22 +01:00
Andres Amaya Garcia
b9dee359b4 Remove obsolete macros from compat-1.3.h 2017-05-15 11:48:49 +01:00
Simon Butcher
93d0f4b0c3 Add fix for #667 to ChangeLog 2017-05-15 11:24:22 +01:00
Hanno Becker
4195e80649 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-12 07:21:37 +01:00
Manuel Pégourié-Gonnard
230ee31a54 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:33:13 +02:00
Hanno Becker
b18f9e83bc Adapt ChangeLog 2017-05-11 11:24:20 +01:00
Janos Follath
4477bcabc3 Add Changelog entry for RSA exponent blinding 2017-05-11 10:58:24 +02:00
Gilles Peskine
fd8f79d89f More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.

Backport to 2.1.x
2017-05-03 18:45:15 +02:00
Gilles Peskine
8877ec23a3 RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-03-23 15:29:45 +01:00
Simon Butcher
2323477699 Update version number to 2.1.7 for release 2017-03-08 16:29:31 +00:00
Simon Butcher
340bb1bab1 Added missing credit to ChangeLog for #555 2017-03-08 11:16:35 +00:00