Commit Graph

740 Commits

Author SHA1 Message Date
Andres Amaya Garcia
f5e753a942 Add missing ret code checks in PEM module
Add missing return code checks in the functions pem_des_decrypt(),
pem_3des_decrypt() and pem_aes_decrypt() so that the calling function
pem_read_buffer() is notified of errors reported by the crypto
primitives AES, DES and 3DES.
2017-05-30 17:18:06 +01:00
Simon Butcher
98864d5c0b Merge branch 'mbedtls-1.3' 2017-03-10 20:38:47 +00:00
Simon Butcher
bb4bebc26a Correct function names in the ChangeLog from backported fixed 2017-03-10 20:31:09 +00:00
Simon Butcher
a42044d98b Added missing credit to ChangeLog for #555 2017-03-08 18:43:38 +00:00
Simon Butcher
2e5318ecf6 Corrected attibution in Changelog 2017-03-08 18:43:38 +00:00
Simon Butcher
4c5154d0c0 Updated version number to 1.3.19 for release 2017-03-08 17:22:34 +00:00
Simon Butcher
d2d6316afc Removed duplicate entry in ChangeLog 2017-03-03 16:08:27 +00:00
Andres AG
2b2fc115df Fix buffer overflow in mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 23:01:54 +00:00
Simon Butcher
dccf743365 Add fix and credit for #742 to the ChangeLog 2017-03-02 21:31:11 +00:00
Simon Butcher
866a447784 Clarify ChangeLog for #569 2017-02-28 20:27:17 +00:00
Janos Follath
f5ffc79896 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 20:24:52 +00:00
Simon Butcher
bfef0ce5e4 Fix credit in ChangeLog for #722 2017-02-28 17:38:55 +00:00
Andres AG
03af0e0151 Fix memory leak in x509_crl_parse()
The memory leak call was caused by missing calls to pem_free().
2017-02-28 17:36:06 +00:00
Simon Butcher
9fb2828aee Merge branch 'mbedtls-1.3-iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 21:25:03 +00:00
Simon Butcher
7346a7e55a Fix formatting in ChangeLog 2017-02-26 02:01:49 +00:00
Simon Butcher
741bd90a30 Merge branch 'mbedtls-1.3-iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:46:37 +00:00
Simon Butcher
13f9e40059 Merge branch 'mbedtls-1.3' 2017-02-25 21:47:24 +00:00
Andres AG
59abd301f5 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:27:17 +00:00
Andres Amaya Garcia
74ef650772 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:25:44 +00:00
Andres AG
480f7e7d5e Add tests for overreads in pem_read_buffer() 2017-02-25 21:25:07 +00:00
Andres AG
de6079af8e Fix buffer overreads in mbedtls_pem_read_buffer() 2017-02-25 21:25:06 +00:00
Simon Butcher
851dcc96d4 Add credit to Changelog for #562 2017-02-20 22:03:19 +00:00
Andres AG
7ded99ff64 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:01:55 +00:00
Andres Amaya Garcia
cfad181250 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:00:33 +00:00
Andres AG
29b43737ba Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
POLARSSL_PEM_PARSE_C.
2017-02-20 21:57:52 +00:00
Andres AG
c71b7eb0e7 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-02-15 10:44:02 +00:00
Simon Butcher
df33a6a805 Add credit to Changelog for #562 2017-02-02 16:53:50 +00:00
Andres AG
2f3fe70f7e Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags BADCERT_EXPIRED and BADCERT_FUTURE to always be set
whenever there is a failure in the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 17:12:36 +00:00
Andres AG
e567101f6b Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:57:16 +00:00
Andres AG
f0a401f080 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
POLARSSL_PEM_PARSE_C.
2016-12-07 16:11:17 +00:00
Andres AG
fada2e9f3e Add tests for overreads in pem_read_buffer() 2016-11-21 11:34:55 +00:00
Andres AG
d3cbc15951 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-11-21 11:25:17 +00:00
Simon Butcher
c1d54bb7b2 Update library version to 1.3.18 2016-10-17 23:40:14 +01:00
Simon Butcher
2261f198ee Merge branch 'mbedtls-1.3' 2016-10-17 16:09:06 +01:00
Simon Butcher
fd8d7991a0 Tidied up style and phrasing of ChangeLog 2016-10-16 00:48:37 +01:00
Simon Butcher
60371454bd Merge branch for fix for #502 - Unchecked calls 2016-10-14 01:10:02 +01:00
Andres AG
0da3e44fea Add check for validity of date in x509_get_time() 2016-10-13 17:00:01 +01:00
Simon Butcher
c176038d73 Update and clean up Changelog for #622 2016-10-13 15:34:27 +01:00
Andres AG
67ae0b9839 Fix sig->tag update in mbedtls_x509_get_sig() 2016-10-13 15:33:07 +01:00
Janos Follath
30b273c78e Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:34:35 +01:00
Janos Follath
ae01c3cc62 X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:26:57 +01:00
Simon Butcher
c9b564e64c Update Changelog for fix #559 2016-10-13 14:24:03 +01:00
Simon Butcher
394d65d1bb Update for ChangeLog for fixes for cert_app 2016-10-13 14:23:57 +01:00
Simon Butcher
c112d21076 Update to ChangeLog for bug #428 2016-10-13 14:23:46 +01:00
Simon Butcher
cb60bfb52d Update ChangeLog for fix to crypt_and_hash #441 2016-10-13 14:23:15 +01:00
Janos Follath
24f4d7f95e X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:21:24 +01:00
Andres AG
a16d684df3 Add test for bounds in X509 DER write funcs 2016-10-13 14:20:22 +01:00
Andres AG
0c12bd69f5 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-13 14:20:14 +01:00
Janos Follath
441d6f9833 Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:14:16 +01:00
Simon Butcher
1227d7cdf1 Added credit to Changelog for fix #558 2016-10-13 12:54:33 +01:00