Commit graph

2688 commits

Author SHA1 Message Date
Andres Amaya Garcia
58f98c23d5 Run AES-192 selftest if available only
This patch modifies the function mbedtls_aes_selftest() function to
ensure that AES-192 tests are only run if the key size is supported by
the available implementation. This is useful when using MBEDTLS_AES_ALT
as some hardware crypto accelerators might not support AES-192.
2017-06-14 16:19:42 +01:00
Andres Amaya Garcia
fd48739461 Add AES feature unavailable error code 2017-06-14 16:19:12 +01:00
Manuel Pégourié-Gonnard
db108ac944 Merge remote-tracking branch 'hanno/mpi_read_file_underflow' into development
* hanno/mpi_read_file_underflow:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:48:03 +02:00
Manuel Pégourié-Gonnard
1178ac5e77 Merge remote-tracking branch 'hanno/sliding_exponentiation' into development
* hanno/sliding_exponentiation:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:46:30 +02:00
Hanno Becker
e6706e62d8 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:26:59 +01:00
Hanno Becker
39ae8cd207 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:13:19 +01:00
Manuel Pégourié-Gonnard
ddc6e52cc1 Merge remote-tracking branch 'gilles/iotssl-1223/development' into development
* gilles/iotssl-1223/development:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:11:36 +02:00
Manuel Pégourié-Gonnard
383a118338 Merge remote-tracking branch 'gilles/IOTSSL-1330/development' into development
* gilles/IOTSSL-1330/development:
  Changelog entry for the bug fixes
  SSLv3: when refusing renegotiation, stop processing
  Ignore failures when sending fatal alerts
  Cleaned up double variable declaration
  Code portability fix
  Added changelog entry
  Send TLS alerts in many more cases
  Skip all non-executables in run-test-suites.pl
  SSL tests: server requires auth, client has no certificate
  Balanced braces across preprocessor conditionals
  Support setting the ports on the command line
2017-06-06 19:22:41 +02:00
Gilles Peskine
5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine
cd3c845157 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 18:44:13 +02:00
Gilles Peskine
750c353c5c X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 18:44:13 +02:00
Gilles Peskine
5e79cb3662 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 18:44:13 +02:00
Manuel Pégourié-Gonnard
23b33f8663 Merge remote-tracking branch 'hanno/sig_hash_compatibility' into development
* hanno/sig_hash_compatibility:
  Improve documentation
  Split long lines
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:14:57 +02:00
Gilles Peskine
d50177fdf3 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 17:53:03 +02:00
Simon Butcher
9f77017a8d Updated version number to 2.5.0 2017-05-16 10:22:37 +01:00
Andres AG
f5bf7189d3 Change return type of AES decrypt and encrypt
This patch modifies the following 2 functions in the AES module to
change the return type from void to int:
    * mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
    * mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
This change is necessary to allow users of MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT and MBEDTLS_AES_ENCRYPT_ALT to return an error
code when replacing the default with their own implementation, e.g.
a hardware crypto accelerator.
2017-05-16 10:22:37 +01:00
Gilles Peskine
18ac716021 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Janos Follath
6e876988de Fix bug in threading sample implementation #667 2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139 Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00
Janos Follath
088ce43ffe Implement optional CA list suppression in Certificate Request
According to RFC5246 the server can indicate the known Certificate
Authorities or can constrain the aurhorisation space by sending a
certificate list. This part of the message is optional and if omitted,
the client may send any certificate in the response.

The previous behaviour of mbed TLS was to always send the name of all the
CAs that are configured as root CAs. In certain cases this might cause
usability and privacy issues for example:
- If the list of the CA names is longer than the peers input buffer then
  the handshake will fail
- If the configured CAs belong to third parties, this message gives away
  information on the relations to these third parties

Therefore we introduce an option to suppress the CA list in the
Certificate Request message.

Providing this feature as a runtime option comes with a little cost in
code size and advantages in maintenance and flexibility.
2017-05-16 10:22:37 +01:00
Hanno Becker
cf7ae7e7d3 Improve documentation 2017-05-15 11:50:13 +01:00
Hanno Becker
0d0cd4b30e Split long lines 2017-05-15 11:50:13 +01:00
Hanno Becker
7e5437a972 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-15 11:50:11 +01:00
Hanno Becker
1aa267cbc3 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-15 11:46:57 +01:00
Andres Amaya Garcia
af610a0baf Fix check-doxy-blocks.pl errors (cmac.c ecjpake.h) 2017-05-12 00:18:04 +01:00
Janos Follath
6c8ccd5be4 Fix cleanup label alignment 2017-05-11 22:42:14 +01:00
Janos Follath
69b2051e76 Update version features with ECP macros 2017-05-11 22:42:14 +01:00
Janos Follath
c44ab97cc9 Apply review feedback on ECP interface
Naming conventions are revised, style issues corrected and minor
optimisation added.
2017-05-11 22:42:14 +01:00
Janos Follath
b8a90fb51c Update ECP hardware abstraction interface
With this commit the Elliptic Curve Point interface is rewised. Two
compile time options has been removed to simplify the interface and
the function names got a new prefix that indicates that these functions
are for internal use and not part of the public interface.
2017-05-11 22:42:14 +01:00
Janos Follath
430d3376c9 Add thread safety to ECP hardware acceleration
The intended use of the abstraction layer for Elliptic Curve Point
arithmetic is to enable using hardware cryptographic accelerators.
These devices are a shared resource and the driver code rarely provides
thread safety.

This commit adds mutexes to the abstraction layer to protect the device
in a multi-threaded environment.
2017-05-11 22:42:14 +01:00
Janos Follath
552f6b6d17 Add global mutex for asymmetric crypto accelerator
The primary use case behind providing an abstraction layer to enable
alternative Elliptic Curve Point arithmetic implementation, is making
use of cryptographic acceleration hardware if it is present.

To provide thread safety for the hardware accelerator we need a mutex
to guard it.
2017-05-11 22:42:14 +01:00
Janos Follath
16e63ea2e2 Fix alternative ECP function names
The alternative Elliptic Curve Point arithmetic functions didn't have
an 'mbedtls_' prefix as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath
4d9c69dde8 Fix ECP alternative macro names
The compile time macros enabling the initialisation and deinitialisation
in the alternative Elliptic Curve Point arithmetic implementation had
names that did not end with '_ALT' as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath
47d28f08a6 Remove alt_internal directory 2017-05-11 22:42:14 +01:00
Janos Follath
372697b6b7 Clean up ECP abstraction layer code
This commit fixes several style issues and fixes in the documentation
of the Elliptic Curve Point arithmetic abstraction layer.
2017-05-11 22:42:14 +01:00
Janos Follath
b069753313 ECP: Add module and function level replacement options. 2017-05-11 22:42:14 +01:00
Andres AG
72849877d0 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-05-11 21:55:17 +01:00
Gilles Peskine
92e4426169 SSLv3: when refusing renegotiation, stop processing
Before the code was sending a fatal alert but then processing any
further data from the peer.

Internal reference: IOTSSL-1384
2017-05-10 17:31:13 +02:00
Gilles Peskine
c94f7352fa Ignore failures when sending fatal alerts
In many places in TLS handling, some code detects a fatal error, sends
a fatal alert message, and returns to the caller. If sending the alert
fails, then return the error that triggered the alert, rather than
overriding the return status. This effectively causes alert sending
failures to be ignored. Formerly the code was inconsistently sometimes
doing one, sometimes the other.

In general ignoring the alert is the right thing: what matters to the
caller is the original error. A typical alert failure is that the
connection is already closed.

One case which remains not handled correctly is if the alert remains
in the output buffer (WANT_WRITE). Then it won't be sent, or will be
truncated. We'd need to either delay the application error or record
the write buffering notice; to be done later.
2017-05-10 17:31:02 +02:00
Gilles Peskine
8498cb3687 Cleaned up double variable declaration 2017-05-10 15:39:40 +02:00
Gilles Peskine
064a85ca48 Code portability fix 2017-05-10 10:46:40 +02:00
Hanno Becker
b2034b7785 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-09 10:29:06 +01:00
Hanno Becker
4bcb4914c5 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus 1. This commit refuses this modulus with a BAD_INPUT error code. It also adds a test for this case.
2017-05-08 14:47:04 +01:00
Gilles Peskine
1cc8e3472a Send TLS alerts in many more cases
The TLS client and server code was usually closing the connection in
case of a fatal error without sending an alert. This commit adds
alerts in many cases.

Added one test case to detect that we send the alert, where a server
complains that the client's certificate is from an unknown CA (case
tracked internally as IOTSSL-1330).
2017-05-03 16:28:34 +02:00
Gilles Peskine
f982852bf0 Balanced braces across preprocessor conditionals
This is a cosmetic improvement to ease source code navigation only.
2017-05-03 12:28:43 +02:00
Hanno Becker
a4af1c47d2 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign incorrectly. This commit fixes this and a test case which should have caught it.
2017-04-18 09:07:45 +01:00
Andres AG
d1cc7f6f34 Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 21:34:21 +00:00
Ron Eldor
12e0b800da Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 12:26:11 +00:00