Commit graph

6321 commits

Author SHA1 Message Date
Gilles Peskine
1a2640c025 Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge' into development-restricted 2017-11-23 18:58:30 +01:00
Gilles Peskine
dab611a7b1 ChangeLog entry for ssl_parse_client_psk_identity fix 2017-11-23 18:53:55 +01:00
Manuel Pégourié-Gonnard
bfa8df4c7e Merge remote-tracking branch 'restricted/pr/416' into development-restricted
* restricted/pr/416:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:10:01 +01:00
Hanno Becker
4c2ac7ef58 Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 2017-11-21 18:28:35 +00:00
Hanno Becker
563423fb21 Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option
Explain more clearly when this option should be used and which versions of Mbed
TLS build on the non-compliant implementation.
2017-11-21 17:20:17 +00:00
Hanno Becker
909f9a389a Improve style in tests/ssl-opt.sh
Try to avoid line breaks in server and client command line arguments to ease
reading of test cases.
2017-11-21 17:10:12 +00:00
Darryl Green
36ba8b683a Add changelog for mbedtls_ecdsa_sign fix 2017-11-21 09:55:33 +00:00
Hanno Becker
45ee7877d0 Correct truncated HMAC tests in ssl-opt.sh
Many truncated HMAC tests were missing the `trunc_hmac=1` for the server
application, thereby not testing the extension.
2017-11-20 16:51:44 +00:00
Hanno Becker
e89353a6b4 Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated
yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to
temporarily fall back to the old, non-compliant implementation of the truncated
HMAC extension.
2017-11-20 16:50:43 +00:00
Gilles Peskine
5eafc74154
Merge pull request #1159 from RonEld/1862
Change Arm Trademarks
2017-11-20 17:45:49 +01:00
Hanno Becker
8d19bcf37f Adapt ChangeLog 2017-11-20 16:25:50 +00:00
Hanno Becker
4c4f41030c Add truncated HMAC extension tests for DTLS 2017-11-20 16:25:50 +00:00
Hanno Becker
34d0c3f02e Add missing truncated HMAC test for TLS
The case 'Client disabled, Server enabled' was missing.
2017-11-20 16:25:50 +00:00
Hanno Becker
e214804625 Add small packet tests for DTLS
Add a DTLS small packet test for each of the following combinations:
- DTLS version: 1.0 or 1.2
- Encrypt then MAC extension enabled
- Truncated HMAC extension enabled

Large packets tests for DTLS are currently not possible due to parameter
constraints in ssl_server2.
2017-11-20 16:25:50 +00:00
Hanno Becker
278fc7aedd Extend large packet tests for TLS
Same as previous commit, but for large packet tests.
2017-11-20 16:25:50 +00:00
Hanno Becker
8501f98ec4 Extend small packet tests for TLS
This commit ensures that there is a small packet test for at least any
combination of
- SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
- Stream cipher (RC4) or Block cipher (AES)
- Usage of Encrypt then MAC extension [TLS only]
- Usage of truncated HMAC extension [TLS only]
2017-11-20 16:25:50 +00:00
Hanno Becker
32c550141f Add missing dependencies on trunc HMAC ext in ssl-opt.sh
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
2017-11-20 16:25:50 +00:00
Hanno Becker
81c7b18351 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-11-20 16:25:50 +00:00
Hanno Becker
7dc832bb53 Adapt ChangeLog 2017-11-20 08:52:25 +00:00
Hanno Becker
992b6872f3 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 08:52:25 +00:00
Darryl Green
f5bcbede92 Add tests for invalid private parameters in mbedtls_ecdsa_sign() 2017-11-17 17:09:31 +00:00
Darryl Green
c64a48bec7 Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-17 17:09:17 +00:00
Andres Amaya Garcia
5a6da63138 Fix indentation for mbedtls_x509_crt_check_key_usage() 2017-11-14 21:47:08 +00:00
Andres Amaya Garcia
c81fcb9d36 Fix typos in documentation for mbedtls_x509_crt_check_extended_key_usage() 2017-11-14 21:43:14 +00:00
Manuel Pégourié-Gonnard
888fedea06 Merge branch 'development' into development-restricted
* development: (30 commits)
  update README file (#1144)
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Minor style fix
  config.pl get: be better behaved
  config.pl get: don't rewrite config.h; detect write errors
  Fixed "config.pl get" for options with no value
  Fix typo and bracketing in macro args
  Ensure failed test_suite output is sent to stdout
  Remove use of GNU sed features from ssl-opt.sh
  Fix typos in ssl-opt.sh comments
  Add ssl-opt.sh test to check gmt_unix_time is good
  Extend ssl-opt.h so that run_test takes function
  Always print gmt_unix_time in TLS client
  Restored note about using minimum functionality in makefiles
  Note in README that GNU make is required
  Fix changelog for ssl_server2.c usage fix
  ...
2017-11-14 08:24:22 +01:00
Andres Amaya Garcia
7786abc16b Define ASN1 bitmask macros in more direct way 2017-11-07 20:21:56 +00:00
Andres Amaya Garcia
72705c906c Add regression test for parsing subjectAltNames 2017-11-07 20:16:19 +00:00
Andres Amaya Garcia
ceae42659b Add ChangeLog entry 2017-11-07 19:35:13 +00:00
Andres Amaya Garcia
849bc65bbf Fix x509_get_subject_alt_name to drop invalid tag
Fix the x509_get_subject_alt_name() function to not accept invalid
tags. The problem was that the ASN.1 class for tags consists of two
bits. Simply doing bit-wise and of the CONTEXT_SPECIFIC macro with the
input tag has the potential of accepting tag values 0x10 (private)
which would indicate that the certificate has an incorrect format.
2017-11-07 19:34:35 +00:00
Andres Amaya Garcia
7512bf7d63 Add macros to ASN.1 module to parse ASN.1 tags
The macros simply extract the component bits of an ASN.1 tag value
2017-11-07 19:34:35 +00:00
Chris Xue
9a51c032ee Fix copy paste error in the error message of mbedtls_ecp_gen_key in gen_key.c 2017-11-05 19:10:51 +00:00
Ron Eldor
2ac96620f3 change URL
Change URL from developer.mbed.org to os.mbed.com
2017-11-01 14:19:50 +02:00
Ron Eldor
9d22619a13 Change Arm Trademarks to the issue template
Change the Trademarks to the issue template document
2017-10-30 18:39:47 +02:00
Ron Eldor
c7acb913ce Change Arm Trademarks
Change the Arm Trademarks according to updated Trademarks
2017-10-30 17:24:50 +02:00
Ron Eldor
22360825ae Address PR review comments
set `cache->chain` to NULL,
instead of setting the whole structure to zero.
2017-10-29 17:53:52 +02:00
Hanno Becker
2412061a5a Correct typo and improve documentation 2017-10-26 11:53:35 +01:00
Hanno Becker
7bba968afc Adapt ChangeLog 2017-10-26 11:53:26 +01:00
Manuel Pégourié-Gonnard
3f81691d29 Revert to old behaviour of profile_check_key()
Was never documented to check for key alg compatibility, so should not start
doing so. Just stop relying on the pk_alg argument instead.
2017-10-26 10:24:16 +02:00
Manuel Pégourié-Gonnard
254eec8bb4 Document choice of script exit code 2017-10-26 09:47:36 +02:00
Hanno Becker
3319555b7c Improve documentation of mbedtls_rsa_import[_raw] 2017-10-25 17:04:10 +01:00
Manuel Pégourié-Gonnard
19773ff835 Avoid comparing size between RSA and EC keys 2017-10-24 10:51:26 +02:00
Hanno Becker
27b34d5bad Wrong identifier used to check Encrypt-then-MAC flag
This commit fixes a comparison of ssl_session->encrypt_then_mac against the
ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead,
MBEDTLS_SSL_ETM_DISABLED should be used.

The typo is has no functional effect since both constants have the same value 0.
2017-10-20 14:24:51 +01:00
Gilles Peskine
91048a3aac RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-19 17:46:14 +02:00
Gilles Peskine
b00b0da452 RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:23:49 +02:00
Hanno Becker
509fef7de3 Add ChangeLog message for EC private exponent information leak 2017-10-19 10:10:18 +01:00
Hanno Becker
a21e2a015b Adapt ChangeLog 2017-10-19 09:15:17 +01:00
Gilles Peskine
139108af94 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:03:42 +02:00
Hanno Becker
9cfabe3597 Use a conservative excess of the maximum fragment length in tests
This leads to graceful test failure instead of crash when run on the previous
code.
2017-10-18 14:42:01 +01:00
Manuel Pégourié-Gonnard
08c36635cb Avoid possible miscast of PK key
I don't think this can cause a crash as the member accessed is in the
beginning of the context, so wouldn't be outside of valid memory if the actual
context was RSA.

Also, the mismatch will be caught later when checking signature, so the cert
chain will be rejected anyway.
2017-10-18 14:57:11 +02:00
Manuel Pégourié-Gonnard
900fba616f Fix check_wildcard() calling convention
We shouldn't return a surprising value in case there is no wildcard and then
rely on the caller to ensure that this doesn't happen
2017-10-18 14:40:13 +02:00