Commit Graph

2825 Commits

Author SHA1 Message Date
Janos Follath
088ce43ffe Implement optional CA list suppression in Certificate Request
According to RFC5246 the server can indicate the known Certificate
Authorities or can constrain the aurhorisation space by sending a
certificate list. This part of the message is optional and if omitted,
the client may send any certificate in the response.

The previous behaviour of mbed TLS was to always send the name of all the
CAs that are configured as root CAs. In certain cases this might cause
usability and privacy issues for example:
- If the list of the CA names is longer than the peers input buffer then
  the handshake will fail
- If the configured CAs belong to third parties, this message gives away
  information on the relations to these third parties

Therefore we introduce an option to suppress the CA list in the
Certificate Request message.

Providing this feature as a runtime option comes with a little cost in
code size and advantages in maintenance and flexibility.
2017-05-16 10:22:37 +01:00
Hanno Becker
cf7ae7e7d3 Improve documentation 2017-05-15 11:50:13 +01:00
Hanno Becker
0d0cd4b30e Split long lines 2017-05-15 11:50:13 +01:00
Hanno Becker
7e5437a972 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-15 11:50:11 +01:00
Hanno Becker
1aa267cbc3 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-15 11:46:57 +01:00
Andres Amaya Garcia
af610a0baf Fix check-doxy-blocks.pl errors (cmac.c ecjpake.h) 2017-05-12 00:18:04 +01:00
Janos Follath
6c8ccd5be4 Fix cleanup label alignment 2017-05-11 22:42:14 +01:00
Janos Follath
69b2051e76 Update version features with ECP macros 2017-05-11 22:42:14 +01:00
Janos Follath
c44ab97cc9 Apply review feedback on ECP interface
Naming conventions are revised, style issues corrected and minor
optimisation added.
2017-05-11 22:42:14 +01:00
Janos Follath
b8a90fb51c Update ECP hardware abstraction interface
With this commit the Elliptic Curve Point interface is rewised. Two
compile time options has been removed to simplify the interface and
the function names got a new prefix that indicates that these functions
are for internal use and not part of the public interface.
2017-05-11 22:42:14 +01:00
Janos Follath
430d3376c9 Add thread safety to ECP hardware acceleration
The intended use of the abstraction layer for Elliptic Curve Point
arithmetic is to enable using hardware cryptographic accelerators.
These devices are a shared resource and the driver code rarely provides
thread safety.

This commit adds mutexes to the abstraction layer to protect the device
in a multi-threaded environment.
2017-05-11 22:42:14 +01:00
Janos Follath
552f6b6d17 Add global mutex for asymmetric crypto accelerator
The primary use case behind providing an abstraction layer to enable
alternative Elliptic Curve Point arithmetic implementation, is making
use of cryptographic acceleration hardware if it is present.

To provide thread safety for the hardware accelerator we need a mutex
to guard it.
2017-05-11 22:42:14 +01:00
Janos Follath
16e63ea2e2 Fix alternative ECP function names
The alternative Elliptic Curve Point arithmetic functions didn't have
an 'mbedtls_' prefix as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath
4d9c69dde8 Fix ECP alternative macro names
The compile time macros enabling the initialisation and deinitialisation
in the alternative Elliptic Curve Point arithmetic implementation had
names that did not end with '_ALT' as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath
47d28f08a6 Remove alt_internal directory 2017-05-11 22:42:14 +01:00
Janos Follath
372697b6b7 Clean up ECP abstraction layer code
This commit fixes several style issues and fixes in the documentation
of the Elliptic Curve Point arithmetic abstraction layer.
2017-05-11 22:42:14 +01:00
Janos Follath
b069753313 ECP: Add module and function level replacement options. 2017-05-11 22:42:14 +01:00
Andres AG
72849877d0 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-05-11 21:55:17 +01:00
Manuel Pégourié-Gonnard
c1380de887 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine
92e4426169 SSLv3: when refusing renegotiation, stop processing
Before the code was sending a fatal alert but then processing any
further data from the peer.

Internal reference: IOTSSL-1384
2017-05-10 17:31:13 +02:00
Gilles Peskine
c94f7352fa Ignore failures when sending fatal alerts
In many places in TLS handling, some code detects a fatal error, sends
a fatal alert message, and returns to the caller. If sending the alert
fails, then return the error that triggered the alert, rather than
overriding the return status. This effectively causes alert sending
failures to be ignored. Formerly the code was inconsistently sometimes
doing one, sometimes the other.

In general ignoring the alert is the right thing: what matters to the
caller is the original error. A typical alert failure is that the
connection is already closed.

One case which remains not handled correctly is if the alert remains
in the output buffer (WANT_WRITE). Then it won't be sent, or will be
truncated. We'd need to either delay the application error or record
the write buffering notice; to be done later.
2017-05-10 17:31:02 +02:00
Gilles Peskine
8498cb3687 Cleaned up double variable declaration 2017-05-10 15:39:40 +02:00
Gilles Peskine
064a85ca48 Code portability fix 2017-05-10 10:46:40 +02:00
Hanno Becker
b2034b7785 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-09 10:29:06 +01:00
Hanno Becker
4bcb4914c5 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus 1. This commit refuses this modulus with a BAD_INPUT error code. It also adds a test for this case.
2017-05-08 14:47:04 +01:00
Hanno Becker
a6ed9c5429 Backup errno in net_would_block
Safe and restore the value of errno in net_would_block to be sure
it's not affected by the guarding call to fcntl. Fixes #845.
2017-05-04 13:53:26 +01:00
Gilles Peskine
e7e7650480 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Gilles Peskine
1cc8e3472a Send TLS alerts in many more cases
The TLS client and server code was usually closing the connection in
case of a fatal error without sending an alert. This commit adds
alerts in many cases.

Added one test case to detect that we send the alert, where a server
complains that the client's certificate is from an unknown CA (case
tracked internally as IOTSSL-1330).
2017-05-03 16:28:34 +02:00
Gilles Peskine
f982852bf0 Balanced braces across preprocessor conditionals
This is a cosmetic improvement to ease source code navigation only.
2017-05-03 12:28:43 +02:00
Hanno Becker
a4af1c47d2 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign incorrectly. This commit fixes this and a test case which should have caught it.
2017-04-18 09:07:45 +01:00
Steven Cooreman
3a93387cea Forgot version-features update for new config flag 2017-04-04 12:02:37 +02:00
Steven Cooreman
12d9f3c84d Forgot version-features update for new config flag 2017-04-04 12:01:42 +02:00
Steven Cooreman
6334277320 Allow alternate core implementation of CMAC 2017-04-04 11:47:16 +02:00
Steven Cooreman
222e2ff421 Allow alternate core implementation of CCM 2017-04-04 11:37:15 +02:00
Andres AG
d1cc7f6f34 Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 21:34:21 +00:00
Ron Eldor
12e0b800da Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 12:26:11 +00:00
Janos Follath
7dadc2f259 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 18:41:39 +00:00
Andres AG
5708dcb368 Fix memory leak in mbedtls_x509_crl_parse()
The memory leak call was caused by missing calls to mbedtls_pem_free()
when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was
encountered.
2017-02-28 14:51:31 +00:00
Janos Follath
87c980749d Fix buffer overread in mbedtls_x509_get_time()
A heap overread might happen when parsing malformed certificates.
Reported by Peng Li and Yueh-Hsun Lin.

Refactoring the parsing fixes the problem. This commit applies the
relevant part of the OpenVPN contribution applied to mbed TLS 1.3
in commit 17da9dd829.
2017-02-28 14:23:12 +00:00
Simon Butcher
fc794ff2b7 Merge branch 'iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 19:06:05 +00:00
Simon Butcher
0278a38f10 Merge branch 'iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:16:02 +00:00
Simon Butcher
a29c5e9e66 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-15 23:31:07 +02:00
Andres AG
4623d83c6f Fix integer overflow mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Andres Amaya Garcia
6a54336897 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Janos Follath
182013faf4 Prevent SLOTH attacks 2017-02-15 23:29:32 +02:00
Andres AG
2196c7f81c Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-15 23:26:35 +02:00
Janos Follath
4c006cdb1c Update library version number to 2.4.1 2017-02-15 22:55:55 +02:00
Janos Follath
5da3a6f92f Update CMAC test vectors. 2017-02-15 22:55:30 +02:00
Andres AG
c0db511820 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-15 22:54:42 +02:00
Simon Butcher
e4ac5428f3 Fix formatting issues in net_sockets.c 2017-02-15 09:08:26 +00:00
Simon Butcher
36540ff741 Fix compiler warning in debug.c 2017-02-15 09:08:26 +00:00
Simon B
3c6b18df3a Fix various compiler warnings with MSVC
Fixes various compiler warnings found with Microsoft Visual Studio 2015
(and earlier versions).
2017-02-15 09:08:26 +00:00
Brian J Murray
1903fb312f Clarify Comments and Fix Typos (#651)
Fixes many typos, and errors in comments.

* Clarifies many comments
* Grammar correction in config.pl help text
* Removed comment about MBEDTLS_X509_EXT_NS_CERT_TYPE.
* Comment typo fix (Dont => Don't)
* Comment typo fix (assure => ensure)
* Comment typo fix (byes => bytes)
* Added citation for quoted standard
* Comment typo fix (one complement => 1's complement)

The is some debate about whether to prefer "one's complement",  "ones'
complement", or "1's complement".  The more recent RFCs related to TLS
(RFC 6347,  RFC 4347, etc) use " 1's complement", so I followed that
convention.

* Added missing ")" in comment
* Comment alignment
* Incorrect comment after #endif
2017-02-15 09:08:26 +00:00
Andres AG
d16506624a Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in
the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 13:52:01 +00:00
Andres AG
939954c0b0 Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:43:48 +00:00
Simon Butcher
105e856143 Merge branch 'gcc-compiler-warnings' 2017-01-05 18:26:40 +00:00
Janos Follath
1808dc01bd Update library version number to 2.4.1 2016-12-13 16:00:52 +00:00
Janos Follath
cd13bd2819 Update CMAC test vectors. 2016-12-13 16:00:52 +00:00
Simon Butcher
532c94dcb7 Fix formatting issues in net_sockets.c 2016-11-17 09:22:47 +00:00
Simon Butcher
097618b4c6 Fix compiler warning in debug.c 2016-11-17 09:22:46 +00:00
Simon B
3249cb780b Fix various compiler warnings with MSVC
Fixes various compiler warnings found with Microsoft Visual Studio 2015
(and earlier versions).
2016-11-10 15:37:33 +00:00
Brian J Murray
2adecba01f Clarify Comments and Fix Typos (#651)
Fixes many typos, and errors in comments.

* Clarifies many comments
* Grammar correction in config.pl help text
* Removed comment about MBEDTLS_X509_EXT_NS_CERT_TYPE.
* Comment typo fix (Dont => Don't)
* Comment typo fix (assure => ensure)
* Comment typo fix (byes => bytes)
* Added citation for quoted standard
* Comment typo fix (one complement => 1's complement)

The is some debate about whether to prefer "one's complement",  "ones'
complement", or "1's complement".  The more recent RFCs related to TLS
(RFC 6347,  RFC 4347, etc) use " 1's complement", so I followed that
convention.

* Added missing ")" in comment
* Comment alignment
* Incorrect comment after #endif
2016-11-06 12:45:15 +00:00
Andres AG
703990b839 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-10-24 13:00:37 +01:00
Simon Butcher
16c54ee9c8 Update library version number to 2.4.0 2016-10-16 19:34:39 +01:00
Simon Butcher
8e00410402 Merge fix for AEAD Random IVs 2016-10-14 00:48:33 +01:00
Simon Butcher
9800a058ae Merge branch 'development' 2016-10-13 17:25:56 +01:00
Simon Butcher
99000142cb Merge fix for IE Certificate Compatibility 2016-10-13 17:21:01 +01:00
Simon Butcher
488c08c00b Merge branch fixing date validity in X.509 2016-10-13 16:13:09 +01:00
Simon Butcher
c58d7b4074 Merge fix for X.509 compatibility issues 2016-10-13 15:54:03 +01:00
Simon Butcher
511526720c Merge fix for branch SSL client overread 2016-10-13 15:39:09 +01:00
Simon Butcher
de319cb743 Merge branch 'development' 2016-10-13 15:14:04 +01:00
Russ Butler
bb83b42700 Use allocated memory for SHA self tests
Reduce the stack usage of the testing framework by dynamically
allocating the memory used for the test.
2016-10-13 15:10:14 +01:00
Janos Follath
e5dc202469 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 13:54:48 +01:00
Andres AG
314d8a8400 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 13:54:47 +01:00
Andres AG
410d3dd3c7 Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-13 13:54:14 +01:00
Janos Follath
d7b9049806 Fix memory leaks in CMAC tests 2016-10-13 13:53:56 +01:00
Janos Follath
2b3b740574 Remove unnecessary flag from CMAC context 2016-10-13 13:53:33 +01:00
Simon Butcher
c61351df72 Fix issues in CMAC in repeated updates
Successive calls to mbedtls_cipher_cmac_update() which weren't block aligned
were failing, which is fixed by this commit.
2016-10-13 13:53:12 +01:00
Simon Butcher
ad882673dc Fix bracketing in cmac.c
The bracketing in some expressions where an assignment was being made in an if statement in cmac.c had been accidentally broken and was causing compiler warnings with armcc.
2016-10-13 13:52:00 +01:00
Andres AG
8254b6c9f3 Clean up of formatting, and potential integer overflow fix 2016-10-13 13:51:13 +01:00
Simon Butcher
2127932fb8 Fixes following review
Fixes issue of not zeroing entire block on reset and conditional compilation.
2016-10-13 13:51:12 +01:00
Simon Butcher
f394e09431 Clean up and minor fixes following review
Minor fixes following review including:
    * formatting changes including indentation and code style
    * corrections
    * removal of debug code
    * clarification of code through variable renaming
    * memory leak
    * compiler warnings
2016-10-13 13:51:12 +01:00
Simon Butcher
5805fbedcb Fix CMAC interface for doxygen
Parameters didn't match the function definition.
2016-10-13 13:51:12 +01:00
Simon Butcher
8a1a68cb2b Regenerate error.c file to remove CMAC 2016-10-13 13:51:12 +01:00
Simon Butcher
0c79073a8b Refactor and change CMAC interface
Change the CMAC interface to match the mbedtls_md_hmac_xxxx() interface. This
changes the overall design of the CMAC interface to make it more consistent with
the existing HMAC interface, and will allow incremental updates of input data
rather than requiring all data to be presented at once, which is what the
current interface requires.
2016-10-13 13:51:11 +01:00
Brian Murray
7b07e0e4b4 Fix build failure for thread config 2016-10-13 13:51:11 +01:00
Brian Murray
5168618294 Minor fixes to comments 2016-10-13 13:51:11 +01:00
Brian Murray
3d64431a33 Minor CMAC fixes for merge 2016-10-13 13:51:11 +01:00
Brian Murray
0b21cdf7bc cleaned up indentation and braket issues in mbedtls_cmac_verify 2016-10-13 13:51:11 +01:00
Brian Murray
bbed660aa1 Changed test function to inline to pass tests/scripts/check-names.sh 2016-10-13 13:51:10 +01:00
Brian Murray
fe9ff01c49 Fixed some build warnings 2016-10-13 13:51:10 +01:00
Brian Murray
4e067035b7 Do not zeroize null pointer 2016-10-13 13:51:10 +01:00
Brian Murray
cdd1f6d96c Removed unneed memsets and fixed spacing 2016-10-13 13:51:10 +01:00
Brian Murray
6eae89bb6f No CMAC minimum tag length is specified by NIST SP800-38B A
Minor Typo Changes
2016-10-13 13:51:10 +01:00
Brian Murray
e260feacbe cmac.c whitespace cleanup 2016-10-13 13:51:10 +01:00
Brian Murray
db5c70e080 better handling of failed calloc 2016-10-13 13:51:10 +01:00
Brian Murray
86ff986884 selftest supports cmac if only MBEDTLS_DES_C is defined
Other minor typo fixes
2016-10-13 13:51:10 +01:00
Brian Murray
3d3c9b8be7 More cleanup of CMAC self tests 2016-10-13 13:51:09 +01:00
Brian Murray
afdb60f84f Only compile AES CMAC PRF support if MBEDTLS_AES_C is defined and other cleanups 2016-10-13 13:51:09 +01:00
Brian Murray
d666eb5c11 More cleanup of CMAC selftests 2016-10-13 13:51:09 +01:00
Brian Murray
3c0412a443 Fixed CMAC tag length 2016-10-13 13:51:09 +01:00
Brian Murray
7c6476c330 CMAC support for cipher with 64bit blocks (DES/3DES) 2016-10-13 13:51:09 +01:00
Brian Murray
5a8c004f79 Added cmac.o to libary/Makefile 2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard
2b0e21f130 cmac: more cosmetic changes 2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard
a878d3b6e3 cmac: avoid useless wrapping of function
probably a leftover from an earlier stage
2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard
5f8639fea2 cmac: reduce visibility of macros
The #undef is usefull for people who want to to amalgamated releases
2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard
59ae4bad18 cmac: some more padding-related tune-ups
- use one less temporary buffer
- pedantic: in_len + 15 was a potential overflow
- use a more explicit name instead of 'flag'
- Mn was a bit misleading
2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard
da8724fbc6 cmac: clean up padding function and comments 2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard
89b8d83723 cmac: make subkey gen more constant-time
The previous version had secret-dependent memory accesses. While it was
probably not an issue in practice cause the two bytes of the array are
probably on the same cache line anyway, as a matter of principle this should
be avoided.
2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard
28ea791521 cmac: zeroize sensitive intermediate values 2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard
756bcf7631 cmac: factor multiply by u to its own function
We're doing exactly the same operation for K1 and K2.
2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard
a4dfa0550f cmac: fix whitespace/codingstyle issues 2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard
9c83eebe67 cmac: improve argument order and naming
- always use the pattern "buffer, length"
- avoid using unqualified "length" as a name when there are more than one
2016-10-13 13:51:08 +01:00
Robert Cragie
9bf1e5dd3b Line endings wrong 2016-10-13 13:51:08 +01:00
Robert Cragie
9518e88fa0 Use autogenerated version_features.c 2016-10-13 13:51:07 +01:00
Robert Cragie
2fa11cd197 Added CMAC as proper low-level module and changed error returns 2016-10-13 13:51:07 +01:00
Robert Cragie
c45554448c Added MBEDTLS_CMAC_C 2016-10-13 13:51:07 +01:00
Robert Cragie
45feb6ef20 Add support for AES-128-CMAC and AES-CMAC-PRF-128 2016-10-13 13:51:07 +01:00
Janos Follath
0be2b01a6b Add safety check to sample mutex implementation
Due to inconsistent freeing strategy in pkparse.c the sample mutex
implementation in threading.c could lead to undefined behaviour by
destroying the same mutex several times.

This fix prevents mutexes from being destroyed several times in the
sample threading implementation.
2016-10-13 13:51:07 +01:00
Andres AG
3616f6f261 Rename net.{c,h} to net_sockets.{c,h}
The library/net.c and its corresponding include/mbedtls/net.h file are
renamed to library/net_sockets.c and include/mbedtls/net_sockets.h
respectively. This is to avoid naming collisions in projects which also
have files with the common name 'net'.
2016-10-13 13:48:48 +01:00
Simon Butcher
1c8b33ad19 Merge branch 'development' 2016-10-13 13:40:41 +01:00
Janos Follath
ef44178474 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 00:25:07 +01:00
Andres AG
821da84ff9 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-12 19:49:41 +01:00
Andres AG
776a6fcd1a Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-12 16:43:37 +01:00
Janos Follath
99d09d2747 Fix memory leaks in CMAC tests 2016-10-12 15:32:54 +01:00
Janos Follath
d444358247 Fix memory leaks in CMAC tests 2016-10-12 14:31:01 +01:00
Andres AG
60dbc93831 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-11 14:07:48 +01:00
Janos Follath
e3d882ad4a Remove unnecessary flag from CMAC context 2016-10-11 13:38:36 +01:00
Simon Butcher
6b0774ab1a Fix issues in CMAC in repeated updates
Successive calls to mbedtls_cipher_cmac_update() which weren't block aligned
were failing, which is fixed by this commit.
2016-10-11 12:25:04 +01:00
Simon Butcher
df6c3e8e48 Merge branch 'iotssl-825-double-free-quickfix'
Conflicts:
	ChangeLog
2016-10-11 00:07:14 +01:00
Janos Follath
23bdca0d63 Fix an x509 compatibility issue
Certificates with unsupported algorithms in the certificate chain
prevented verification even if a certificate before the unsupported
ones was already trusted.

We change the behaviour to ignoring every certificate with unknown
(unsupported) signature algorithm oid when parsing the certificate
chain received from the peer.
2016-10-07 16:12:50 +01:00
Simon Butcher
420be4ea04 Fix bracketing in cmac.c
The bracketing in some expressions where an assignment was being made in an if statement in cmac.c had been accidentally broken and was causing compiler warnings with armcc.
2016-10-07 12:55:43 +01:00
Andres AG
a592dcc1c6 Clean up of formatting, and potential integer overflow fix 2016-10-06 15:23:39 +01:00
Simon Butcher
d241f1cf17 Fixes following review
Fixes issue of not zeroing entire block on reset and conditional compilation.
2016-10-06 12:53:33 +01:00
Simon Butcher
69283e51d5 Clean up and minor fixes following review
Minor fixes following review including:
    * formatting changes including indentation and code style
    * corrections
    * removal of debug code
    * clarification of code through variable renaming
    * memory leak
    * compiler warnings
2016-10-06 12:49:58 +01:00
Simon Butcher
94ffde7b0a Fix CMAC interface for doxygen
Parameters didn't match the function definition.
2016-10-05 15:33:53 +01:00
Simon Butcher
7ca3109614 Regenerate error.c file to remove CMAC 2016-10-05 14:39:15 +01:00
Simon Butcher
327398ad3a Refactor and change CMAC interface
Change the CMAC interface to match the mbedtls_md_hmac_xxxx() interface. This
changes the overall design of the CMAC interface to make it more consistent with
the existing HMAC interface, and will allow incremental updates of input data
rather than requiring all data to be presented at once, which is what the
current interface requires.
2016-10-05 14:19:18 +01:00
Brian Murray
8b4111c516 Fix build failure for thread config 2016-10-05 14:19:17 +01:00
Brian Murray
72b69e3808 Minor fixes to comments 2016-10-05 14:19:17 +01:00
Brian Murray
53e23b684f Minor CMAC fixes for merge 2016-10-05 14:19:17 +01:00
Brian Murray
9ce2e091de cleaned up indentation and braket issues in mbedtls_cmac_verify 2016-10-05 14:19:17 +01:00
Brian Murray
ae1cb12d82 Changed test function to inline to pass tests/scripts/check-names.sh 2016-10-05 14:19:17 +01:00
Brian Murray
0cf14c10d4 Fixed some build warnings 2016-10-05 14:19:17 +01:00
Brian Murray
6a3c0d2d67 Do not zeroize null pointer 2016-10-05 14:19:17 +01:00
Brian Murray
4b64ab6664 Removed unneed memsets and fixed spacing 2016-10-05 14:19:16 +01:00
Brian Murray
87e4040bb9 No CMAC minimum tag length is specified by NIST SP800-38B A
Minor Typo Changes
2016-10-05 14:19:16 +01:00
Brian Murray
617634e656 cmac.c whitespace cleanup 2016-10-05 14:19:16 +01:00
Brian Murray
2cfa5072ed better handling of failed calloc 2016-10-05 14:19:16 +01:00
Brian Murray
57863ad7ed selftest supports cmac if only MBEDTLS_DES_C is defined
Other minor typo fixes
2016-10-05 14:19:16 +01:00
Brian Murray
9044b0295c More cleanup of CMAC self tests 2016-10-05 14:19:16 +01:00
Brian Murray
b439d4556d Only compile AES CMAC PRF support if MBEDTLS_AES_C is defined and other cleanups 2016-10-05 14:19:16 +01:00
Brian Murray
0f6af73599 More cleanup of CMAC selftests 2016-10-05 14:19:15 +01:00
Brian Murray
00dc5f0fc8 Fixed CMAC tag length 2016-10-05 14:19:15 +01:00
Brian Murray
b0c3c43dec CMAC support for cipher with 64bit blocks (DES/3DES) 2016-10-05 14:19:15 +01:00
Brian Murray
8262ac3b54 Added cmac.o to libary/Makefile 2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard
7b555f2928 cmac: more cosmetic changes 2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard
ab9c5fd9b3 cmac: avoid useless wrapping of function
probably a leftover from an earlier stage
2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard
d18c70708e cmac: reduce visibility of macros
The #undef is usefull for people who want to to amalgamated releases
2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard
2c06306364 cmac: some more padding-related tune-ups
- use one less temporary buffer
- pedantic: in_len + 15 was a potential overflow
- use a more explicit name instead of 'flag'
- Mn was a bit misleading
2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard
d2c3d3eddb cmac: clean up padding function and comments 2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard
475f06f609 cmac: make subkey gen more constant-time
The previous version had secret-dependent memory accesses. While it was
probably not an issue in practice cause the two bytes of the array are
probably on the same cache line anyway, as a matter of principle this should
be avoided.
2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard
d6cf75474b cmac: zeroize sensitive intermediate values 2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard
a610b4c04b cmac: factor multiply by u to its own function
We're doing exactly the same operation for K1 and K2.
2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard
3da5402a89 cmac: fix whitespace/codingstyle issues 2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard
690083c21d cmac: improve argument order and naming
- always use the pattern "buffer, length"
- avoid using unqualified "length" as a name when there are more than one
2016-10-05 14:19:14 +01:00
Robert Cragie
3d23b1d5ed Line endings wrong 2016-10-05 14:19:14 +01:00
Robert Cragie
48f2ff9dbe Use autogenerated version_features.c 2016-10-05 14:19:13 +01:00
Robert Cragie
84a4c67741 Added CMAC as proper low-level module and changed error returns 2016-10-05 14:19:13 +01:00
Robert Cragie
8324818e0a Added MBEDTLS_CMAC_C 2016-10-05 14:19:13 +01:00
Robert Cragie
dc5c7b98ac Add support for AES-128-CMAC and AES-CMAC-PRF-128 2016-10-05 14:19:13 +01:00
Janos Follath
5437a75b15 Add safety check to sample mutex implementation
Due to inconsistent freeing strategy in pkparse.c the sample mutex
implementation in threading.c could lead to undefined behaviour by
destroying the same mutex several times.

This fix prevents mutexes from being destroyed several times in the
sample threading implementation.
2016-09-30 09:29:55 +01:00
Andres AG
4b76aecaf3 Add check for validity of date in x509_get_time() 2016-09-28 14:32:54 +01:00
Andres AG
5a87c9375d Fix overread when verifying SERVER_HELLO in DTLS 2016-09-28 14:26:57 +01:00
Andres AG
788aa4a812 Rename net.{c,h} to net_sockets.{c,h}
The library/net.c and its corresponding include/mbedtls/net.h file are
renamed to library/net_sockets.c and include/mbedtls/net_sockets.h
respectively. This is to avoid naming collisions in projects which also
have files with the common name 'net'.
2016-09-26 23:23:52 +01:00
Andres AG
4bdbe09f90 Fix sig->tag update in mbedtls_x509_get_sig() 2016-09-19 17:09:45 +01:00
Andres AG
f9113194af Allow the entry_name size to be set in config.h
Allow the size of the entry_name character array in x509_crt.c to be
configurable through a macro in config.h. entry_name holds a
path/filename string. The macro introduced in
MBEDTLS_X509_MAX_FILE_PATH_LEN.
2016-09-16 11:42:35 +01:00
Simon Butcher
669c635ec0 Fix unused variable warnings for null entropy config 2016-09-15 18:57:34 +01:00
Andres Amaya Garcia
a928e67278 Documentation and entropy self test changes (#610)
Ensure that the entropy self test always fails whenever
MBEDTLS_TEST_NULL_ENTROPY is defined. This is because the option is
meant to be for testing and development purposes rather than production
quality software. Also, this patch enhances the documentation for
mbedtls_entropy_source_self_test() and mbedtls_entropy_self_test().
2016-09-13 13:30:02 +01:00
Paul Bakker
29f221f183 Fix guards in SSL for ECDH key exchanges 2016-09-05 01:48:31 +03:00
palaviv
a9f90f00aa Removing in compile time unused entries from oid_ecp_grp list 2016-09-04 15:14:38 +01:00
palaviv
06f1828fa2 Removing in compile time unused entries from oid_sig_alg list 2016-09-04 15:14:38 +01:00
palaviv
4636fc6b0d oid_x520_attr_type list is defined only when MBEDTLS_X509_USE_C or MBEDTLS_X509_CREATE_C 2016-09-04 15:14:38 +01:00
palaviv
5730320225 Removing in compile time unused entries from oid_md_alg list 2016-09-04 15:14:38 +01:00
Andres AG
e7723ec284 Make entropy bias self test poll multiple times
Instead of polling the hardware entropy source a single time and
comparing the output with itself, the source is polled at least twice
and make sure that the separate outputs are different.
2016-08-30 16:50:48 +01:00
Andres AG
b34e42e69e Add a new self test to entropy module
The self test is a quick way to check at startup whether the entropy
sources are functioning correctly. The self test only polls 8 bytes
from the default entropy source and performs the following checks:

- The bytes are not all 0x00 or 0xFF.
- The hardware does not return an error when polled.
- The entropy does not provide data in a patter. Only check pattern
  at byte, word and long word sizes.
2016-08-30 16:50:48 +01:00
Paul Bakker
4400ecc9fb Fix output of PKCS#5 and RIPEMD-160 self tests 2016-08-25 16:36:35 +01:00
Paul Bakker
217efbcb4b Allow compilation without MBEDTLS_SELF_TEST enabled 2016-08-25 15:42:28 +01:00
Paul Bakker
c7d6bd4b5f Add mbedtls_asn1_write_len() support for 3 and 4 byte lengths
As a consequence also adds coverage for reading 3 and 4 byte lengths
(which were not covered before)
2016-08-25 15:42:27 +01:00
Paul Bakker
7eb1243fb4 Add check for lengths over 65535 in mbedtls_asn1_write_len() 2016-08-25 15:42:27 +01:00
Simon Butcher
23e9778684 Adds missing conditions for platform time
In platform.c, made the time functions dependent on the configuration
MBEDTLS_HAVE_TIME to fix a build break where the functions could be
built but the mbedtls_time_t was not defined.
2016-07-13 14:47:07 +01:00
Simon Butcher
b5b6af2663 Puts platform time abstraction into its own header
Separates platform time abstraction into it's own header from the
general platform abstraction as both depend on different build options.
(MBEDTLS_PLATFORM_C vs MBEDTLS_HAVE_TIME)
2016-07-13 14:46:18 +01:00
Simon Butcher
905cef6c2c Changed library version number to 2.3.0 2016-06-27 19:36:45 +01:00
Simon Butcher
ab069c6b46 Merge branch 'development' into development-restricted 2016-06-23 21:42:26 +01:00
Brian J Murray
e7be5bdb96 Fixed unchecked calls to mbedtls_md_setup in rsa.c (#502)
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:

* style fixes
2016-06-23 20:57:03 +01:00
Jussi Kivilinna
4b541bec0f Fix unused variable in AES selftest when CBC and CFB disabled (#393)
This commit fixes following warning:

> CC:  aes.c
> aes.c: In function 'mbedtls_aes_self_test':
> aes.c:1225:19: error: unused variable 'iv' [-Werror=unused-variable]
>      unsigned char iv[16];
>                    ^
> cc1: all warnings being treated as errors
2016-06-22 16:48:16 +01:00
Janos Follath
1b8571cd25 Merge branch 'development' into development-restricted 2016-06-21 13:51:17 +01:00
Simon Butcher
1ceab6e43a Adds a check and warning for the null entropy option
If the option MBEDTLS_TEST_NULL_ENTROPY is enabled, the cmake generated
makefile will generate an error unless a UNSAFE_BUILD switch is also enabled.

Equally, a similar warning will always be generated if the Makefile is built,
and another warning is generated on every compilation of entropy.c.

This is to ensure the user is aware of what they're doing when they enable the
null entropy option.
2016-06-21 10:14:00 +01:00
Janos Follath
15ab7ed0f3 Merge branch 'development' into development-restricted
Conflicts:
	programs/pkey/rsa_decrypt.c
	programs/pkey/rsa_encrypt.c
	programs/test/selftest.c
2016-06-14 09:20:46 +01:00