Commit graph

3248 commits

Author SHA1 Message Date
Hanno Becker
2b2f898cbd Streamline code-path in rsa_rsassa_pkcs1_v15_encode 2017-10-03 07:59:29 +01:00
Hanno Becker
64a8c0acd6 Verify PKCS1 v1.5 signature without parsing
This commit modifies the PKCS1 v1.5 signature verification function `mbedtls_rsa_rsassa_pkcs1_v15_verify` to prepare the
expected PKCS1-v1.5-encoded hash using the function also used by the signing routine `mbedtls_rsa_rsassa_pkcs1_v15_sign`
and comparing it to the provided byte-string afterwards. This comes at the benefits of (1) avoiding any error-prone
parsing, (2) removing the dependency of the RSA module on the ASN.1 parsing module, and (3) reducing code size.
2017-10-03 07:58:00 +01:00
Hanno Becker
fdf38030de Outsource code for generating PKCS1 v1.5 encoding
This commit moves the code preparing PKCS1 v1.5 encoded hashes from `mbedtls_rsa_rsassa_pkcs1_v15_sign` to a separate
non-public function `rsa_rsassa_pkcs1_v15_encode`. This code-path will then be re-used by the signature verification function
`mbetls_rsa_rsassa_pkcs1_v15_verify` in a later commit.
2017-10-03 07:58:00 +01:00
Hanno Becker
171a8f1c95 Move constant time memcmp for signature verification
This commit replaces the ad-hoc code for constant-time double-checking the PKCS1 v1.5 RSA signature by an invocation of
`mbedtls_safer_memcmp`.
2017-10-03 07:58:00 +01:00
Hanno Becker
2dec5e8b00 Correct outdated comment 2017-10-03 07:49:52 +01:00
Hanno Becker
4e1be398f6 Remove FORCE_VERIFICATION and FORCE_BLINDING 2017-10-02 16:02:55 +01:00
Hanno Becker
de6c1644cc Add brackets around arguments of internal macro DHM_MPI_EXPORT 2017-10-02 15:03:15 +01:00
Hanno Becker
b5beaa8995 Check that 1 < D, E < N in mbedtls_rsa_validate_params 2017-10-02 13:20:20 +01:00
Hanno Becker
c6fc878eda Remove mbedtls_rsa_check_crt
This is no longer needed after the decision to not exhaustively validate private key material.
2017-10-02 13:20:15 +01:00
Hanno Becker
98838b04af Minor improvements 2017-10-02 13:17:01 +01:00
Hanno Becker
7471631dde Make input arguments to mbedtls_rsa_import_raw constant
Original intention was to be allowed to perform in-place operations like changing the byte-order before importing
parameters into an HSM. Now a copy is needed in this case, but there's no more danger of a user expecting the arguments
to be left untouched.
2017-10-02 13:17:01 +01:00
Hanno Becker
bdefff1dde Change signature of mbedtls_rsa_deduce_private
Make input arguments constant and adapt the implementation to use a temporary instead of in-place operations.
2017-10-02 09:59:48 +01:00
Hanno Becker
ba5b755f1a Change signature and semantics of mbedtls_rsa_deduce_moduli
Input arguments are marked as constant. Further, no double-checking is performed when a factorization of the modulus has
been found.
2017-10-02 09:55:49 +01:00
Hanno Becker
2f38a43d3a Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-09-30 23:35:21 +01:00
Hanno Becker
39f5d359f5 Make mbedtls_ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-09-30 23:35:02 +01:00
Hanno Becker
b4274210a4 Improve documentation in pkparse.c
State explicitly that `pk_parse_pkcs8_undencrypted_der` and `pk_parse_key_pkcs8_encrypted_der` are not responsible for
zeroizing and freeing the provided key buffer.
2017-09-29 19:18:51 +01:00
Hanno Becker
f04111f5c5 Fix typo 2017-09-29 19:18:42 +01:00
Hanno Becker
56bae95e1d Improve style and documentation, fix typo 2017-09-29 15:43:49 +01:00
Hanno Becker
2fdffe0da0 Check exactly for the RSA context fields required in rsa_private
Previously, the code was also checking for the presence of D for RSA-CRT, which
is not needed in this case.
2017-09-29 15:28:49 +01:00
Hanno Becker
bead71752e Correct typo in rsa.c 2017-09-29 12:41:06 +01:00
Hanno Becker
ba1ba11a98 Check that length is properly set in mbedtls_rsa_check_pubkey 2017-09-29 11:54:05 +01:00
Hanno Becker
2f8f06aa25 Don't always recompute context length in mbedtls_rsa_get_len
This commit changes the implementation of `mbedtls_rsa_get_len` to return
`ctx->len` instead of always re-computing the modulus' byte-size via
`mbedtls_mpi_size`.
2017-09-29 11:54:05 +01:00
Hanno Becker
2cca6f3290 Always deduce N from P, Q in mbedtls_rsa_complete
Previously, a parameter set of (-, P, Q, -, E) was completed, but (-, P, Q, D,
E) wasn't - this is odd.
2017-09-29 11:54:05 +01:00
Hanno Becker
a6f5539413 Adapt version_features.c to new config options 2017-09-28 13:10:46 +01:00
Hanno Becker
e71ad12cd5 Minor code-improvements in dhm.c 2017-09-28 11:06:31 +01:00
Hanno Becker
2c9f027e32 Don't require P,Q if CRT is not used
Previously, verification used P,Q regardless of whether CRT was used in the
computation, but this has changed in the meantime.
2017-09-28 11:04:13 +01:00
Hanno Becker
8d1dd1b5b9 Fix bug in mbedtls_mpi_exp_mod
Calling `mbedtls_mpi_exp_mod` with a freshly initialized exponent MPI `N`,
i.e. `N.p == NULL`, would lead to a null-pointer dereference.
2017-09-28 11:02:24 +01:00
Hanno Becker
4c72b000cb Add const-qualifiers to prime constants 2017-09-27 16:06:37 +01:00
Hanno Becker
8c8b0ab877 Change default Diffie-Hellman parameters from RFC 5114 to RFC 7919
The origin of the primes in RFC 5114 is undocumented and their use therefore
constitutes a security risk.
2017-09-27 12:43:57 +01:00
Hanno Becker
b2bad800e4 Introduce Diffie-Hellman parameters from RFC 7919 2017-09-27 12:43:55 +01:00
Hanno Becker
0e6dc84f3e Deprecate Diffie-Hellman groups from RFC 5114
Also, change the way the standardized Diffie-Hellman groups are provided from
macro-based string-literals to global variables.
2017-09-27 11:48:02 +01:00
Ron Eldor
2981a0a740 Address Andres PR comments
Address Andres' comments in the PR
2017-09-24 15:41:09 +03:00
Jaeden Amero
1526330931 Allow alternate implementation of GCM
Provide the ability to use an alternative implementation of GCM in place
of the library-provided implementation.
2017-09-22 17:42:44 +01:00
Hanno Becker
d8a6f7cfbe Clarify code-paths in x509write_csr and x509write_crt 2017-09-22 16:05:43 +01:00
Hanno Becker
a20e33ad59 Use X509 CRT version macros for version checks in x509write_crt_der 2017-09-22 15:40:01 +01:00
Janos Follath
1ad1c6d4e1 Fix typo 2017-09-21 12:05:30 +01:00
Janos Follath
aa325d7b7f DHM: Fix dhm_check_range() always returning 0
Although the variable ret was initialised to an error, the
MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being
0 whenewer the bignum computation was successfull and stayed 0
independently of the actual check.
2017-09-21 12:04:41 +01:00
Florin
0b7b83fd91 Fixed SIGSEGV problem when writing with ssl_write_real a buffer that is over MBEDTLS_SSL_MAX_CONTENT_LEN bytes
Signed-off-by: Florin <petriuc.florin@gmail.com>
2017-09-18 16:11:42 +01:00
Hanno Becker
2b187c4d5f Correct typo 2017-09-18 16:11:42 +01:00
Ron Eldor
4a2fb4c6be Addres review comments
Resolves comments raised in the review
2017-09-18 13:43:05 +03:00
Ron Eldor
147d142948 Add log and fix stle issues
Address Andres comments of PR
2017-09-18 13:05:53 +03:00
Ron Eldor
714785dcc2 Write correct number of ciphersuites in log
Change location of log, to fit the correct number of used ciphersuites
2017-09-18 13:05:48 +03:00
Hanno Becker
9648f8b59c Add run-time check for handshake message size in ssl_write_record 2017-09-18 10:56:15 +01:00
Hanno Becker
d33f1ca34c Add run-time check for record content size in ssl_encrypt_buf 2017-09-18 10:56:14 +01:00
Andres Amaya Garcia
01692531c6 Document code silently discarding invalid records 2017-09-14 20:20:31 +01:00
Andres Amaya Garcia
2fad94b193 Dont send alert on invalid DTLS record type
Do not send fatal alerts when receiving a record with an invalid header
while running DTLS as this is not compliant behaviour.
2017-09-14 20:18:37 +01:00
Hanno Becker
d4a872ee67 Rename internal MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG
This commit renames the test-only flag MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG to make it more transparent
that it's an internal flag, and also to content the testscript tests/scripts/check-names.pl which previously complained
about the macro occurring in a comment in `entropy.c` without being defined in a library file.
2017-09-14 08:04:13 +01:00
Hanno Becker
45037ceac5 Add check for presence of relevant parameters in mbedtls_rsa_private
If CRT is used, check for the presence N, P, Q, D, E, DP, DQ and QP. If CRT is
not used, check for N, P, Q, D, E only.
2017-09-14 08:02:14 +01:00
Hanno Becker
81535d0011 Minor style and typo corrections 2017-09-14 07:51:54 +01:00
Hanno Becker
476986547b Omit version from X.509 v1 certificates
The version field in an X.509 certificate is optional and defaults to v1, so it
may be omitted in this case.
2017-09-14 07:51:54 +01:00
Hanno Becker
d7f3520360 Don't add extensions for X.509 non-v3 certificates
This commit removes extension-writing code for X.509 non-v3 certificates from
mbedtls_x509write_crt_der. Previously, even if no extensions were present an
empty sequence would have been added.
2017-09-14 07:51:54 +01:00
Hanno Becker
fc77144802 Fix extraction of signature-type from PK context instance 2017-09-14 07:51:54 +01:00
Hanno Becker
9be1926b69 Correct parsing checks in mbedtls_pk_parse_key
Two code-paths in `mbedtls_pk_parse_key` returned success on a failure in `mbedtls_pk_setup`.
2017-09-08 12:39:44 +01:00
Hanno Becker
66a0f83d58 Remove unreachable branches in pkparse.c 2017-09-08 12:39:21 +01:00
Hanno Becker
b8d1657148 Mention in-place decryption in pk_parse_key_pkcs8_encrypted_der
Also fixes a typo.
2017-09-07 15:29:01 +01:00
Hanno Becker
2aa80a706f Remove unnecessary cast 2017-09-07 15:28:45 +01:00
Hanno Becker
a988a2702a Emit deprecation warning if MBEDTLS_RSA_FORCE_BLINDING is not set 2017-09-07 13:11:33 +01:00
Ron Eldor
bc18eb3b92 Fix compilation error with Mingw32
Fix compilation error on Mingw32 when `_TRUNCATE` is defined. Use
`_TRUNCATE` only if `__MINGW32__` not defined. Fix suggested by
Thomas Glanzmann and Nick Wilson on issue #355
2017-09-06 17:51:14 +03:00
Ron Eldor
65112b15e6 Adress Hannos's comments
Remove zeroizing buffer, as it was done already in PR #369
Check that buffer is not null by `!= NULL` statement
2017-09-06 17:09:41 +03:00
Ron Eldor
9d84b4c102 update after Andres comments
Update after Andres coments:
1. zeroize the buffer in `mbedtls_pem_read_buffer()` before freeing it
2. use `mbedtls_zeroize()` instead of `memset()`
2017-09-05 17:17:31 +03:00
Ron Eldor
31162e4423 Set PEM buffer to zero before freeing it
Set PEM buffer to zero before freeing it, to avoid private keys
being leaked to memory after releasing it.
2017-09-05 15:34:35 +03:00
Ron Eldor
7268ca9500 remove redundant include
Remove redunadnat include for platform.h which was acciddently pushed,
for debugging purposes
2017-09-05 14:29:20 +03:00
Hanno Becker
9c6cb38ba8 Fix typo in pkparse.c 2017-09-05 10:08:01 +01:00
Manuel Pégourié-Gonnard
4b6e210d00 Merge branch 'mbedtls-2.6' into iotssl-1381-x509-verify-refactor-restricted
* mbedtls-2.6: (27 commits)
  Update version number to 2.6.0
  Fix language in Changelog for clarity
  Improve documentation of PKCS1 decryption functions
  Fix style and missing item in ChangeLog
  Add credit to Changelog to fix for #666
  Fix naked call to time() with platform call
  Fix ChangeLog for duplication after merge
  Rename time and index parameter to avoid name conflict.
  Correct comment
  Adapt ChangeLog
  Reliably zeroize sensitive data in AES sample application
  Reliably zeroize sensitive data in Crypt-and-Hash sample application
  Fix potential integer overflow parsing DER CRT
  Fix potential integer overflow parsing DER CRL
  Move the git scripts to correct path
  Update after @sbutcher-arm comments
  Fix slash direction for linux path
  Add note for the git_hoos README file
  Pre push hook script
  Check return code of mbedtls_mpi_fill_random
  ...
2017-08-31 10:09:43 +02:00
Hanno Becker
fab3569963 Use in-place decryption in pk_parse_pkcs8_encrypted_der
The stack buffer used to hold the decrypted key in pk_parse_pkcs8_encrypted_der
was statically sized to 2048 bytes, which is not enough for DER encoded 4096bit
RSA keys.

This commit resolves the problem by performing the key-decryption in-place,
circumventing the introduction of another stack or heap copy of the key.

There are two situations where pk_parse_pkcs8_encrypted_der is invoked:
1. When processing a PEM-encoded encrypted key in mbedtls_pk_parse_key.
   This does not need adaption since the PEM context used to hold the decoded
   key is already constructed and owned by mbedtls_pk_parse_key.
2. When processing a DER-encoded encrypted key in mbedtls_pk_parse_key.
   In this case, mbedtls_pk_parse_key calls pk_parse_pkcs8_encrypted_der with
   the buffer provided by the user, which is declared const. The commit
   therefore adds a small code paths making a copy of the keybuffer before
   calling pk_parse_pkcs8_encrypted_der.
2017-08-25 13:57:21 +01:00
Hanno Becker
771d30edac Add missing calls to mbedtls_pem_free in mbedtls_pk_parse 2017-08-25 13:57:21 +01:00
Hanno Becker
cc209ca56d Remove signature verification from rsa_rsassa_pkcs1_v15_sign
This verification path is redundant now that verification is uniformly done in
rsa_private.
2017-08-25 11:52:29 +01:00
Hanno Becker
43f94721ab Add quick-check for presence of relevant parameters in rsa_private 2017-08-25 11:52:27 +01:00
Hanno Becker
c6075cc5ac Don't use CRT for signature verification
If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.
2017-08-25 11:45:35 +01:00
Hanno Becker
b269a8584a Change mbedtls_rsa_check_privkey to use new helper functions 2017-08-25 08:35:09 +01:00
Hanno Becker
d9431a7817 Minor comments improvement 2017-08-25 08:35:09 +01:00
Hanno Becker
d363799a9d Add mbedtls_rsa_validate_crt
This commit adds the function mbedtls_rsa_validate_crt for validating a set of CRT parameters. The function
mbedtls_rsa_check_crt is simplified accordingly.
2017-08-25 08:35:09 +01:00
Hanno Becker
d56d83a7f3 Remove double-checking code from rsa_deduce_moduli and rsa_complete 2017-08-25 08:35:08 +01:00
Hanno Becker
750e8b4596 Rename rsa_check_params->rsa_validate_params and change error codes 2017-08-25 08:34:55 +01:00
Hanno Becker
fb81c0ec2e Guard primality checks in RSA module by MBEDTLS_GENPRIME
Primality testing is guarded by the configuration flag MBEDTLS_GENPRIME and used in the new RSA helper functions. This
commit adds a corresponding preprocessor directive.
2017-08-24 06:55:11 +01:00
Hanno Becker
ab3773123c Add support for alternative RSA implementations
Alternative RSA implementations can be provided by defining MBEDTLS_RSA_ALT in
config.h, defining an mbedtls_rsa_context struct in a new file rsa_alt.h and
re-implementing the RSA interface specified in rsa.h.

Through the previous reworkings, the adherence to the interface is the only
implementation obligation - in particular, implementors are free to use a
different layout for the RSA context structure.
2017-08-23 16:24:51 +01:00
Hanno Becker
6345dd33b9 Adapt rsa_check_privkey to deal with NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
bee3aaeb50 Adapt rsa_gen_key to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
dc95c890ad Adapt rsa_deduce_crt to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
33c30a0c7e Adapt rsa_copy and rsa_free to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
23344b5fcc Adapt rsa_complete to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
83aad1fa86 Adapt gen_key example program to new RSA interface 2017-08-23 16:17:27 +01:00
Hanno Becker
d71dc159a6 Adapt PK test suite to use new interface 2017-08-23 16:17:27 +01:00
Hanno Becker
15f81fa21c Adapt pkwrite.c to new RSA interface 2017-08-23 16:17:27 +01:00
Hanno Becker
d58c5b2d16 Adapt pkparse.c to new RSA interface 2017-08-23 16:17:24 +01:00
Hanno Becker
6a1e7e5f4c Adapt pk_wrap.c to new RSA interface
This commit replaces direct manipulation of RSA context structure fields by
calls to the extended RSA interface in pk_wrap.c.
2017-08-23 15:07:40 +01:00
Hanno Becker
3a701161ff Adapt RSA selftest to new RSA interface
This commit replaces direct manipulation of structure fields in the RSA selftest
by calls to the extended interface.
2017-08-23 15:07:40 +01:00
Hanno Becker
8fd5548241 Minor formatting changes 2017-08-23 14:47:25 +01:00
Hanno Becker
617c1aeb18 Implement new RSA interface functions 2017-08-23 14:47:22 +01:00
Hanno Becker
e2e8b8da1d Implement RSA helper functions 2017-08-23 14:44:33 +01:00
Simon Butcher
72ea31b026 Update version number to 2.6.0 2017-08-10 11:51:16 +01:00
Manuel Pégourié-Gonnard
24611f9383 Remove redundant variable
path_cnt was always chain_len - 1 in the loop body
2017-08-09 10:28:07 +02:00
Manuel Pégourié-Gonnard
562df401d3 Improve some comments, fix some typos+whitespace 2017-08-08 18:17:53 +02:00
Ron Eldor
433f39c437 ECDH alternative implementation support
Add alternative implementation support for ECDH at the higher layer
2017-08-08 18:43:56 +03:00
Manuel Pégourié-Gonnard
66a36b03c6 Update comments 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard
505c3953c7 Make the ver_chain length explicit 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard
a707e1d1ef Extract code to separate function for readablity 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard
ce6e52ff42 Make verify_chain() iterative 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard
f86f491f25 Rm unneeded function arguments & update comments 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard
c547d1ab1f Start using an explicit stack for callback info
This is the first step towards making verify_chain() iterative. While from a
readability point of view the current recursive version is fine, one of the
goals of this refactoring is to prepare for restartable ECC integration, which
will need the explicit stack anyway.
2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard
a468eb1764 verify_name(): factor duplicated code to function 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard
1300e99eb1 Extract name checking to separate function
Just copy-paste and unindent
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
6368612a8f Move code to separate function for readability 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
27e94797aa Simplify handling of locally trusted EE certs
Though this might require one more walk of the list in some cases,
this avoid having a check for that deep inside check_parent().
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
bdc5440232 Update comments 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
cb39610093 Finally merge the remains of top() into child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
63642776b1 Let verify_top() handle only the parent
It felt wrong for it to call the vrfy callback on two certs.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
6e786747fb Move top()'s checks on child to child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
784aee3366 Move other special case from top() to child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
b9983be73a Move one special case from verify_top() to child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
66fac75f8b Merge duplicated checks between child() and top() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
58dcd2d9b2 Get rid of unused variables/arguments 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
8f8c282de9 Merge near-duplicated (grand)parent finding code
Besides avoiding near-duplication, this avoids having three generations of
certificate (child, parent, grandparent) in one function, with all the
off-by-one opportunities that come with it.

This also allows to simplify the signature of verify_child(), which will be
done in next commit.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
f82a4d5aba Factor duplicated code into function 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
32fdc60c7b Unnest code in verify_top()
We now know that trust_ca != NULL till the end of the function
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
6038cb6909 Remove duplicate parent-searching in verify_top() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
2f09d59456 Add badkey-skipping to find_parent()
This is the last step towards removing the now-duplicated parent-searching
code in verify_top()
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
3e329b8e8d Add badtime-skipping feature to new function
This is from the morally 5th (and soon obsolete) invocation of this function
in verify_top().

Doing this badtime-skipping when we search for a parent in the provided chain
is a change of behaviour, but it's backwards-compatible: it can only cause us
to accept valid chains that we used to reject before. Eg if the peer has a
chain with two version of an intermediate certificate with different validity
periods, the first non valid and the second valid - such cases are probably
rare or users would have complained already, but it doesn't hurt to handle it
properly as it allows for more uniform code.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
9c6118c498 Factor one more occurrence of code into function
This may look like a behaviour change because one check has been added to the
function that was previously done in only one of the 3 call sites. However it
is not, because:
- for the 2 call sites in verify(), the test always succeeds as path_cnt is 0.
- for the call site in verify_child(), the same test was done later anyway in
  verify_top()
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
2f1c33dc33 Factor repeated code into function
There are 3 instance that were replaced, but 2 instances of variants of this
function exist and will be handled next (the extra parameter that isn't used
so far is in preparation for that):
- one in verify_child() where path_cnt constraint is handled too
- one in verify_top() where there is extra logic to skip parents that are
  expired or future, but only if there are better parents to be found
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
17f4a6a609 Take shortcut for directly trusted EE cert
This is a slight change of behaviour in that the previous condition was:
- same subject
- signature matches
while the new condition is:
- exact same certificate

However the documentation for mbedtls_x509_crt_verify() (note on trust_ca)
mentions the new condition, so code that respected the documentation will keep
working.

In addition, this is a bit faster as it doesn't check the self-signature
(which never needs to be checked for certs in the trusted list).
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
c61e5c9304 Don't search twice for a non-existing parent 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
b8acfd2ba8 Fix calls to check_parent()
When we're looking for a parent, in trusted CAs, 'top' should be 1.

This only impacted which call site for verify_top() was chosen, and the error
was then fixed inside verify_top() by iterating over CAs again, this time
correctly setting 'top' to 1.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
35407c7764 Add comments on chain verification cases
This is the beginning of a series of commits refactoring the chain
building/verification functions in order to:
- make it simpler to understand and work with
- prepare integration of restartable ECC
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
329e78c7fa Improve handling of md errors in X.509
md() already checks for md_info == NULL. Also, in the future it might also
return other errors (eg hardware errors if acceleration is used), so it make
more sense to check its return value than to check for NULL ourselves and then
assume no other error can occur.

Also, currently, md_info == NULL can never happen except if the MD and OID modules
get out of sync, or if the user messes with members of the x509_crt structure
directly.

This commit does not change the current behaviour, which is to treat MD errors
the same way as a bad signature or no trusted root.
2017-08-08 11:06:49 +02:00
Ron Eldor
b68733bf62 ECDSA alternative support
Support for alternative implementation of ECDSA, at the higher layer
2017-08-07 18:00:22 +03:00
Andres Amaya Garcia
7c02c503ea Change PK module preprocessor check on word size
There were preprocessor directives in pk.c and pk_wrap.c that cheked
whether the bit length of size_t was greater than that of unsigned int.
However, the check relied on the MBEDTLS_HAVE_INT64 macro being defined
which is not directly related to size_t. This might result in errors in
some platforms. This change modifies the check to use the macros
SIZE_MAX and UINT_MAX instead making the code more robust.
2017-08-04 13:32:15 +01:00
Simon Butcher
a55e084bce Fix naked call to time() with platform call
In ssl_cache.c a call to time() was being made instead of it's platform
equivalent.
2017-07-28 23:46:43 +01:00
Hanno Becker
61937d4a83 Rename time and index parameter to avoid name conflict.
As noted in #557, several functions use 'index' resp. 'time'
as parameter names in their declaration and/or definition, causing name
conflicts with the functions in the C standard library of the same
name some compilers warn about.

This commit renames the arguments accordingly.
2017-07-28 22:28:08 +01:00
Andres AG
2e3ddfac5f Prevent signed integer overflow in CSR parsing
Modify the function mbedtls_x509_csr_parse_der() so that it checks the
parsed CSR version integer before it increments the value. This prevents
a potential signed integer overflow, as these have undefined behaviour
in the C standard.
2017-07-27 21:44:34 +01:00
Andres AG
80164741e1 Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-27 21:44:34 +01:00
Andres AG
4f753c1186 Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-27 21:44:34 +01:00
Gilles Peskine
683ac27b0f Checked names 2017-07-27 21:44:33 +01:00
Simon Butcher
a95d630197 Fix platform setup/teardown feature and comments
Fixed the platform setup/teardown feature, by fixing it for doxygen and adding it
as a feature  in 'version_features.c'.
2017-07-27 21:44:33 +01:00
Andres Amaya Garcia
d91f99f868 Rename macro SETUP_ALT to SETUP_TEARDOWN_ALT
Rename the macro MBEDTLS_PLATFORM_SETUP_ALT to
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT to make the name more descriptive
as this macro enables/disables both functions.
2017-07-27 21:44:33 +01:00
Andres Amaya Garcia
3c8a39d28a Remove internal functions from setup API 2017-07-27 21:44:33 +01:00
Andres Amaya Garcia
2a6f39cb63 Add library setup and teardown APIs
Add the following two functions to allow platform setup and teardown
operations for the full library to be hooked in:

* mbedtls_platform_setup()
* mbedtls_platform_teardown()

An mbedtls_platform_context C structure is also added and two internal
functions that are called by the corresponding setup and teardown
functions above:

* mbedtls_internal_platform_setup()
* mbedtls_internal_plartform_teardown()

Finally, the macro MBEDTLS_PLATFORM_SETUP_ALT is also added to allow
mbedtls_platform_context and internal function to be overriden by the
user as needed for a platform.
2017-07-27 21:44:33 +01:00
Hanno Becker
bedc2050b6 Export mbedtls_aes_(en/de)crypt to retain for API compatibility
The commit f5bf7189d3 made the AES
functions mbedtls_aes_encrypt and mbedtls_aes_decrypt static, changing
the library's API.

This commit reverts this.
2017-07-27 21:44:33 +01:00
Hanno Becker
639ce56b6a Undo API change from SHA1 deprecation
The previous commit bd5ceee484f201b90a384636ba12de86bd330cba removed
the definition of the global constants
- mbedtls_test_ca_crt_rsa_len,
- mbedtls_test_cli_crt_rsa_len,
- mbedtls_test_ca_crt_rsa, and
- mbedtls_test_cli_crt_rsa.
This commit restores these to maintain ABI compatibility.

Further, it was noticed that without SHA256_C being enabled the
previous code failed to compile because because the SHA1 resp. SHA256
certificates were only defined when the respective SHAXXX_C options
were set, but the emission of the global variable mbedtls_test_ca_crt
was unconditionally defined through the SHA256
certificate. Previously, the RSA SHA1 certificate was unconditionally
defined and used for that.

As a remedy, this commit makes sure some RSA certificate is defined
and exported through the following rule:
1. If SHA256_C is active, define an RSA SHA256 certificate and export
   it as mbedtls_test_ca_crt. Also, define SHA1 certificates only if
   SHA1_C is set.
2. If SHA256_C is not set, always define SHA1 certificate and export
   it as mbedtls_test_ca_crt.
2017-07-27 21:44:33 +01:00
Hanno Becker
d300a5734a Undo API change
The previous commit b3e6872c9381ed4ce020d631dda1e0126c42b64f changed
to public functions from ssl_ciphersuite.h to static inline. This
commit reverts this change.
2017-07-27 21:44:33 +01:00
Ron Eldor
7269fee0b6 Check return code of mbedtls_mpi_fill_random
Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken in #740
2017-07-27 21:44:33 +01:00
Ron Eldor
3e19df5c95 Resource leak fix on windows platform
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-27 21:44:33 +01:00
Ron Eldor
8ab0595538 Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-27 21:44:33 +01:00
Ron Eldor
5a21fd62bf fix for issue 1118: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-27 21:44:33 +01:00
Janos Follath
bfea4a7c02 Remove mutexes from ECP hardware acceleration
Protecting the ECP hardware acceleratior with mutexes is inconsistent with the
philosophy of the library. Pre-existing hardware accelerator interfaces
leave concurrency support to the underlying platform.

Fixes #863
2017-07-27 21:44:32 +01:00
Andres AG
2e65a54d5a Prevent signed integer overflow in CSR parsing
Modify the function mbedtls_x509_csr_parse_der() so that it checks the
parsed CSR version integer before it increments the value. This prevents
a potential signed integer overflow, as these have undefined behaviour
in the C standard.
2017-07-27 15:08:01 +01:00
Andres AG
7ca4a03955 Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-27 15:08:01 +01:00
Andres AG
c0fbf784b6 Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-27 15:08:01 +01:00
Gilles Peskine
04d6c3da3f Checked names 2017-07-27 15:08:01 +01:00
Simon Butcher
9469919447 Fix platform setup/teardown feature and comments
Fixed the platform setup/teardown feature, by fixing it for doxygen and adding it
as a feature  in 'version_features.c'.
2017-07-27 15:08:01 +01:00
Andres Amaya Garcia
59c202618e Rename macro SETUP_ALT to SETUP_TEARDOWN_ALT
Rename the macro MBEDTLS_PLATFORM_SETUP_ALT to
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT to make the name more descriptive
as this macro enables/disables both functions.
2017-07-27 15:08:01 +01:00
Andres Amaya Garcia
d24f5feb59 Remove internal functions from setup API 2017-07-27 15:08:01 +01:00
Andres Amaya Garcia
d9e7ada52a Add library setup and teardown APIs
Add the following two functions to allow platform setup and teardown
operations for the full library to be hooked in:

* mbedtls_platform_setup()
* mbedtls_platform_teardown()

An mbedtls_platform_context C structure is also added and two internal
functions that are called by the corresponding setup and teardown
functions above:

* mbedtls_internal_platform_setup()
* mbedtls_internal_plartform_teardown()

Finally, the macro MBEDTLS_PLATFORM_SETUP_ALT is also added to allow
mbedtls_platform_context and internal function to be overriden by the
user as needed for a platform.
2017-07-27 15:08:01 +01:00
Hanno Becker
09b30789e5 Export mbedtls_aes_(en/de)crypt to retain for API compatibility
The commit f5bf7189d3 made the AES
functions mbedtls_aes_encrypt and mbedtls_aes_decrypt static, changing
the library's API.

This commit reverts this.
2017-07-27 15:08:01 +01:00
Hanno Becker
59df56e9b6 Undo API change from SHA1 deprecation
The previous commit bd5ceee484f201b90a384636ba12de86bd330cba removed
the definition of the global constants
- mbedtls_test_ca_crt_rsa_len,
- mbedtls_test_cli_crt_rsa_len,
- mbedtls_test_ca_crt_rsa, and
- mbedtls_test_cli_crt_rsa.
This commit restores these to maintain ABI compatibility.

Further, it was noticed that without SHA256_C being enabled the
previous code failed to compile because because the SHA1 resp. SHA256
certificates were only defined when the respective SHAXXX_C options
were set, but the emission of the global variable mbedtls_test_ca_crt
was unconditionally defined through the SHA256
certificate. Previously, the RSA SHA1 certificate was unconditionally
defined and used for that.

As a remedy, this commit makes sure some RSA certificate is defined
and exported through the following rule:
1. If SHA256_C is active, define an RSA SHA256 certificate and export
   it as mbedtls_test_ca_crt. Also, define SHA1 certificates only if
   SHA1_C is set.
2. If SHA256_C is not set, always define SHA1 certificate and export
   it as mbedtls_test_ca_crt.
2017-07-27 15:08:01 +01:00
Hanno Becker
ff1b846b67 Undo API change
The previous commit b3e6872c9381ed4ce020d631dda1e0126c42b64f changed
to public functions from ssl_ciphersuite.h to static inline. This
commit reverts this change.
2017-07-27 15:08:01 +01:00
Ron Eldor
ca6ff5884d Check return code of mbedtls_mpi_fill_random
Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken in #740
2017-07-27 15:08:01 +01:00
Ron Eldor
36d904218b Resource leak fix on windows platform
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-27 15:08:01 +01:00
Ron Eldor
6314068d42 Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-27 15:08:01 +01:00
Ron Eldor
e2efaeaafc fix for issue 1118: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-27 15:08:01 +01:00
Janos Follath
78b1473ff3 Remove mutexes from ECP hardware acceleration
Protecting the ECP hardware acceleratior with mutexes is inconsistent with the
philosophy of the library. Pre-existing hardware accelerator interfaces
leave concurrency support to the underlying platform.

Fixes #863
2017-07-27 15:08:01 +01:00
Andres AG
642ea1f399 Prevent signed integer overflow in CSR parsing
Modify the function mbedtls_x509_csr_parse_der() so that it checks the
parsed CSR version integer before it increments the value. This prevents
a potential signed integer overflow, as these have undefined behaviour
in the C standard.
2017-07-26 17:19:59 +01:00
Andres AG
487b7a9efc Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-26 17:13:03 +01:00
Andres AG
853c46c8d3 Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-26 12:07:26 +01:00
Hanno Becker
47deec488f Move flag indicating presence of strong entropy to test code 2017-07-24 15:31:30 +01:00
Hanno Becker
c6deafc0d4 Omit RSA key generation test if no strong entropy is present
The RSA key generation test needs strong entropy to succeed. This commit captures the presence of a strong entropy
source in a preprocessor flag and only runs the key generation test if that flag is set.
2017-07-24 09:09:01 +01:00
Gilles Peskine
710f54182f Checked names 2017-07-22 11:53:56 +02:00
Simon Butcher
c0da47dd1e Fix platform setup/teardown feature and comments
Fixed the platform setup/teardown feature, by fixing it for doxygen and adding it
as a feature  in 'version_features.c'.
2017-07-21 23:48:55 +01:00
Andres Amaya Garcia
2d0aa8be97 Fix MD selftest to use correct type and expose ret 2017-07-21 14:57:26 +01:00
Andres Amaya Garcia
aa464ef23a Fix indentation and add goto cleanup; stmt 2017-07-21 14:27:41 +01:00
Andres Amaya Garcia
9da69514ec Rename macro SETUP_ALT to SETUP_TEARDOWN_ALT
Rename the macro MBEDTLS_PLATFORM_SETUP_ALT to
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT to make the name more descriptive
as this macro enables/disables both functions.
2017-07-21 02:12:49 +02:00
Andres Amaya Garcia
82d7314c43 Remove internal functions from setup API 2017-07-21 02:12:49 +02:00
Andres Amaya Garcia
122d899296 Add library setup and teardown APIs
Add the following two functions to allow platform setup and teardown
operations for the full library to be hooked in:

* mbedtls_platform_setup()
* mbedtls_platform_teardown()

An mbedtls_platform_context C structure is also added and two internal
functions that are called by the corresponding setup and teardown
functions above:

* mbedtls_internal_platform_setup()
* mbedtls_internal_plartform_teardown()

Finally, the macro MBEDTLS_PLATFORM_SETUP_ALT is also added to allow
mbedtls_platform_context and internal function to be overriden by the
user as needed for a platform.
2017-07-21 02:11:35 +02:00
Andres Amaya Garcia
b2b063ff35 Add comment in entropy.c 2017-07-20 16:45:24 +01:00
Andres Amaya Garcia
3395250f5f Fix use of uninitialised ret ssl_tls.c 2017-07-20 16:29:16 +01:00
Andres Amaya Garcia
42e5e1084e Add goto cleanup; for consistency md.c 2017-07-20 16:27:03 +01:00
Andres Amaya Garcia
46f5a3e9b4 Check return codes from MD in ssl code 2017-07-20 16:17:51 +01:00
Andres Amaya Garcia
c5c7d76bf5 Add goto exit; stmt in rsa.c for consistency 2017-07-20 14:42:16 +01:00
Andres Amaya Garcia
0963e6cfac Fix possible memory leak in <MD>_ext() 2017-07-20 14:41:10 +01:00
Andres Amaya Garcia
94682d1d7d Fix use of unitialized ret in rsa.c 2017-07-20 14:26:37 +01:00
Andres Amaya Garcia
6a3f30514a Ensure MD self_test ret codes are not hidden
Also fix a potential memory leak and an incorrect goto statement in
sha1.c self_test
2017-07-20 14:18:54 +01:00
Hanno Becker
489b985fae Export mbedtls_aes_(en/de)crypt to retain for API compatibility
The commit f5bf7189d3 made the AES
functions mbedtls_aes_encrypt and mbedtls_aes_decrypt static, changing
the library's API.

This commit reverts this.
2017-07-20 12:36:53 +02:00
Hanno Becker
0a38f1ac28 Undo API change from SHA1 deprecation
The previous commit bd5ceee484f201b90a384636ba12de86bd330cba removed
the definition of the global constants
- mbedtls_test_ca_crt_rsa_len,
- mbedtls_test_cli_crt_rsa_len,
- mbedtls_test_ca_crt_rsa, and
- mbedtls_test_cli_crt_rsa.
This commit restores these to maintain ABI compatibility.

Further, it was noticed that without SHA256_C being enabled the
previous code failed to compile because because the SHA1 resp. SHA256
certificates were only defined when the respective SHAXXX_C options
were set, but the emission of the global variable mbedtls_test_ca_crt
was unconditionally defined through the SHA256
certificate. Previously, the RSA SHA1 certificate was unconditionally
defined and used for that.

As a remedy, this commit makes sure some RSA certificate is defined
and exported through the following rule:
1. If SHA256_C is active, define an RSA SHA256 certificate and export
   it as mbedtls_test_ca_crt. Also, define SHA1 certificates only if
   SHA1_C is set.
2. If SHA256_C is not set, always define SHA1 certificate and export
   it as mbedtls_test_ca_crt.
2017-07-20 12:36:53 +02:00
Hanno Becker
544039ac59 Undo API change
The previous commit b3e6872c9381ed4ce020d631dda1e0126c42b64f changed
to public functions from ssl_ciphersuite.h to static inline. This
commit reverts this change.
2017-07-20 12:36:53 +02:00
Ron Eldor
7875b24287 Check return code of mbedtls_mpi_fill_random
Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken in #740
2017-07-20 01:23:32 +02:00
Ron Eldor
eba5dabc61 Resource leak fix on windows platform
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-20 01:02:40 +02:00
Ron Eldor
85bdcf8c16 Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-20 00:44:57 +02:00
Ron Eldor
e1b92fee55 fix for issue 1118: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-20 00:11:24 +02:00
Janos Follath
a9e775efe4 Remove mutexes from ECP hardware acceleration
Protecting the ECP hardware acceleratior with mutexes is inconsistent with the
philosophy of the library. Pre-existing hardware accelerator interfaces
leave concurrency support to the underlying platform.

Fixes #863
2017-07-19 02:07:59 +01:00
Andres Amaya Garcia
92d46f0246 Zeroize buf if mbedtls_base64_decode() fails 2017-07-07 10:46:51 +01:00
Manuel Pégourié-Gonnard
9107b5fdd3 Improve comments 2017-07-06 12:16:25 +02:00
Manuel Pégourié-Gonnard
31458a1878 Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-06 11:58:41 +02:00
Manuel Pégourié-Gonnard
d15795acd5 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-06 11:58:41 +02:00
Andres Amaya Garcia
6512193eff Zeroize tmp buffer in entropy_update() 2017-07-05 15:45:47 +01:00
Andres Amaya Garcia
bbafd34ebb Set len var to 0 when buf is freed in ssl_tls.c 2017-07-05 14:25:21 +01:00
Andres Amaya Garcia
af0b31d76f Correctly set buf size in entropy_update_nv_seed() 2017-07-05 14:23:54 +01:00
Andres Amaya Garcia
1a607a1b9a Change ssl_tls to use new MD API and check ret code 2017-06-29 17:09:42 +01:00
Andres Amaya Garcia
95869c4934 Do not start md accumulator in mbedtls_entropy_init
This change moves the calls to mbedtls_sha256_starts() and
mbedtls_sha512_starts() out of the mbedtls_entropy_init() function as
these now have return codes which need to be checked.
2017-06-29 16:31:44 +01:00
Andres Amaya Garcia
a7559cb7ba Fix entropy module to work with hw accelerator
This patch modifies the entropy.c module to ensure that the sha256 and
sha512 contexts are correctly initialised and freed instead of skipping
these calls or simply zeroizing with memset() or mbedtls_zeroize().
This is important as the sha contexts might otherwise leak memory or
other resources, and even more so in the context of hardware
accelerators where the configuration of the device might be done in the
init and free calls.
2017-06-29 16:27:15 +01:00
Andres Amaya Garcia
207cea57f9 Change entropy to use new MD API and check ret code 2017-06-29 15:57:46 +01:00
Andres Amaya Garcia
8d08c4489e Change pem to use new MD API and check ret code 2017-06-29 11:16:38 +01:00
Andres Amaya Garcia
0dd4fa0f45 Fix functions in MD layer to check return codes 2017-06-28 14:16:07 +01:00
Andres Amaya Garcia
5f872df26a Change func ptrs to have ret val in MD layer
This patch modifies the internal md context structure in md_wrap.c to
add return values to the function pointers. This enables us to use the
new API in the corresponding MD modules so that failures can be
found at any point in an MD computation.
2017-06-28 14:12:44 +01:00
Andres Amaya Garcia
d21d625e1f Change ssl_srv to new MD API and check return code 2017-06-28 13:09:05 +01:00
Andres Amaya Garcia
f0e521e9f1 Change ssl_cli to new MD API and check return code 2017-06-28 13:05:06 +01:00
Andres Amaya Garcia
698089e07e Change RSA to use new MD API and check return code 2017-06-28 13:01:15 +01:00
Andres Amaya Garcia
8d8204fc6f Change x509write_crt to use new MD API ret code 2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
cccfe08530 Rename md process functions with _internal_ 2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
614c689e05 Add int return values to SHA-512 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_sha512()
    * mbedtls_sha512_starts()
    * mbedtls_sha512_update()
    * mbedtls_sha512_finish()
    * mbedtls_sha512_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
72a7f53064 Add int return values to SHA-256 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_sha256()
    * mbedtls_sha256_starts()
    * mbedtls_sha256_update()
    * mbedtls_sha256_finish()
    * mbedtls_sha256_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
b1a8bf9725 Add int return values to RIPEMD-160 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_ripemd160()
    * mbedtls_ripemd160_starts()
    * mbedtls_ripemd160_update()
    * mbedtls_ripemd160_finish()
    * mbedtls_ripemd160_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
2cfd7a982c Add int return values to MD5 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_md5()
    * mbedtls_md5_starts()
    * mbedtls_md5_update()
    * mbedtls_md5_finish()
    * mbedtls_md5_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
bee0635b15 Add int return values to MD4 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_md4()
    * mbedtls_md4_starts()
    * mbedtls_md4_update()
    * mbedtls_md4_finish()
    * mbedtls_md4_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
1d85213602 Add int return values to MD2 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_md2()
    * mbedtls_md2_starts()
    * mbedtls_md2_update()
    * mbedtls_md2_finish()
    * mbedtls_md2_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:15 +01:00
Andres Amaya Garcia
034ea7e754 Add int return values to SHA1 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_sha1()
    * mbedtls_sha1_starts()
    * mbedtls_sha1_update()
    * mbedtls_sha1_finish()
    * mbedtls_sha1_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:15 +01:00
Andres Amaya Garcia
4e2c07c6e1 Zeroize tmp buf in ctr_drbg_write_seed_file() 2017-06-27 16:57:26 +01:00
Andres Amaya Garcia
53c77cccc9 Initialise pointers to avoid IAR compiler warnings 2017-06-27 16:15:06 +01:00
Hanno Becker
83c9f495ff Prevent bounds check bypass through overflow in PSK identity parsing
The check `if( *p + n > end )` in `ssl_parse_client_psk_identity` is
unsafe because `*p + n` might overflow, thus bypassing the check. As
`n` is a user-specified value up to 65K, this is relevant if the
library happens to be located in the last 65K of virtual memory.

This commit replaces the check by a safe version.
2017-06-26 14:09:55 +01:00
Andres Amaya Garcia
03d70504ca Zeroize heap buf on failure in pem.c 2017-06-26 11:44:54 +01:00
Andres Amaya Garcia
a00498819f Zeroize old psk buf when changing value in ssl_tls 2017-06-26 11:35:17 +01:00
Andres Amaya Garcia
7351e12410 Zeroize tmp buf in mbedtls_mpi_fill_random() 2017-06-26 11:20:02 +01:00
Andres Amaya Garcia
79a2e7ef06 Zeroize return buf on failure in platform.c 2017-06-26 11:10:22 +01:00
Andres Amaya Garcia
13f41e1c20 Zeroize tmp bufs in ctr_drbg.c functions 2017-06-26 11:04:35 +01:00
Andres Amaya Garcia
1f2666f9ec Zeroize return buf on failure in pkparse.c 2017-06-26 10:36:20 +01:00
Andres Amaya Garcia
3fee7593a9 Zeroize tmp bufs in hmac_drbg.c functions 2017-06-26 10:22:24 +01:00
Andres Amaya Garcia
1adcd95a25 Zeroize tmp bufs in entropy.c functions 2017-06-26 09:58:59 +01:00
Andres Amaya Garcia
eb132b655c Zeroize tmp buf in mbedtls_md_file() md.c 2017-06-23 16:30:31 +01:00
Andres Amaya Garcia
bdbca7b383 Zeroize tmp buf on fail in load_file() dhm.c 2017-06-23 16:23:21 +01:00
Simon Butcher
f2a597fa3d Update the version number to 2.5.1 2017-06-20 23:08:10 +01:00
Hanno Becker
ad049a973c Replace #if(n)def by #if (!)defined 2017-06-19 16:31:54 +01:00
Andres Amaya Garcia
d3e7e7d83f Add comment for skipped AES-192 test condition 2017-06-15 16:17:46 +01:00
Andres Amaya Garcia
2a078da134 Run AES-GCM-192 selftest if available only
This patch modifies the function mbedtls_gcm_self_test() function to
ensure that AES-GCM-192 tests are only run if the key size is supported
by the available implementation. This is useful when using
MBEDTLS_AES_ALT as some hardware crypto accelerators might not support
AES-192.
2017-06-15 11:45:23 +01:00
Andres Amaya Garcia
58f98c23d5 Run AES-192 selftest if available only
This patch modifies the function mbedtls_aes_selftest() function to
ensure that AES-192 tests are only run if the key size is supported by
the available implementation. This is useful when using MBEDTLS_AES_ALT
as some hardware crypto accelerators might not support AES-192.
2017-06-14 16:19:42 +01:00
Andres Amaya Garcia
fd48739461 Add AES feature unavailable error code 2017-06-14 16:19:12 +01:00
Hanno Becker
177d3cf7bb Rename and document new configuration option for packing AES tables
This commit renames the new AES table packing option introduced in the
previous MBEDTLS_AES_PACK_TABLES and documents its use and memory vs.
speed tradeoff. It also enhances the documentation of the other
AES-related option MBEDTLS_AES_ROM_TABLES.
2017-06-09 16:57:44 +01:00
Manuel Pégourié-Gonnard
4a42f3c405 Merge remote-tracking branch 'restricted/iotssl-1398' into development-restricted
* restricted/iotssl-1398:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:02:40 +02:00
Hanno Becker
06811ced27 Put configuration options for RSA blinding and verification to work. 2017-06-09 13:29:53 +01:00
Hanno Becker
5bc8729b9e Correct memory leak in RSA self test
The RSA self test didn't free the RSA context on failure.
2017-06-09 13:29:53 +01:00
Hanno Becker
bdf3905fff Ensure application data records are not kept when fully processed
This commit fixes the following case: If a client is both expecting a
SERVER_HELLO and has an application data record that's partially
processed in flight (that's the situation the client gets into after
receiving a ServerHelloRequest followed by ApplicationData), a
subsequent call to mbedtls_ssl_read will set keep_current_message = 1
when seeing the unexpected application data, but not reset it to 0
after the application data has been processed. This commit fixes this.

It also documents and suggests how the problem might be solved in a
more structural way on the long run.
2017-06-09 10:42:03 +01:00
Manuel Pégourié-Gonnard
b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard
a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Manuel Pégourié-Gonnard
db108ac944 Merge remote-tracking branch 'hanno/mpi_read_file_underflow' into development
* hanno/mpi_read_file_underflow:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:48:03 +02:00
Manuel Pégourié-Gonnard
1178ac5e77 Merge remote-tracking branch 'hanno/sliding_exponentiation' into development
* hanno/sliding_exponentiation:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:46:30 +02:00
Hanno Becker
bb9dd0c044 Add hard assertion to mbedtls_ssl_read_record_layer
This commit adds a hard assertion to mbedtls_ssl_read_record_layer
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 11:55:34 +01:00
Hanno Becker
4a810fba69 Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as an application data record is being processed.
2017-06-08 10:12:16 +01:00
Hanno Becker
af0665d8b0 Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 10:12:16 +01:00
Jussi Kivilinna
2fd1bb8f02 Add option to use smaller AES tables (table sizes reduced by 6144 bytes)
This patch adds MBEDTLS_AES_SMALL_TABLES option to reduce number of AES
look-up tables and thus save 6 KiB of memory. Enabling this option
cause performance hit MBEDTLS_AES_SMALL_TABLES of ~7% on ARM and ~15%
on x86-64.

Benchmark on Cortex-A7 (armhf):

Before:
  AES-CBC-128              :      14394 Kb/s,          0 cycles/byte
  AES-CBC-192              :      12442 Kb/s,          0 cycles/byte
  AES-CBC-256              :      10958 Kb/s,          0 cycles/byte

After:
  AES-CBC-128              :      13342 Kb/s,          0 cycles/byte
  AES-CBC-192              :      11469 Kb/s,          0 cycles/byte
  AES-CBC-256              :      10058 Kb/s,          0 cycles/byte

Benchmark on Intel Core i5-4570 (x86_64, 3.2 Ghz, no turbo):

Before:
  AES-CBC-128              :     215759 Kb/s,         14 cycles/byte
  AES-CBC-192              :     190884 Kb/s,         16 cycles/byte
  AES-CBC-256              :     171536 Kb/s,         18 cycles/byte

After:
  AES-CBC-128              :     185108 Kb/s,         16 cycles/byte
  AES-CBC-192              :     162839 Kb/s,         19 cycles/byte
  AES-CBC-256              :     144700 Kb/s,         21 cycles/byte
2017-06-07 15:29:31 +01:00
Hanno Becker
e6706e62d8 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:26:59 +01:00
Hanno Becker
39ae8cd207 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:13:19 +01:00
Manuel Pégourié-Gonnard
ddc6e52cc1 Merge remote-tracking branch 'gilles/iotssl-1223/development' into development
* gilles/iotssl-1223/development:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:11:36 +02:00
Manuel Pégourié-Gonnard
383a118338 Merge remote-tracking branch 'gilles/IOTSSL-1330/development' into development
* gilles/IOTSSL-1330/development:
  Changelog entry for the bug fixes
  SSLv3: when refusing renegotiation, stop processing
  Ignore failures when sending fatal alerts
  Cleaned up double variable declaration
  Code portability fix
  Added changelog entry
  Send TLS alerts in many more cases
  Skip all non-executables in run-test-suites.pl
  SSL tests: server requires auth, client has no certificate
  Balanced braces across preprocessor conditionals
  Support setting the ports on the command line
2017-06-06 19:22:41 +02:00
Gilles Peskine
5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine
cd3c845157 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 18:44:13 +02:00
Gilles Peskine
750c353c5c X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 18:44:13 +02:00
Gilles Peskine
5e79cb3662 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 18:44:13 +02:00
Manuel Pégourié-Gonnard
23b33f8663 Merge remote-tracking branch 'hanno/sig_hash_compatibility' into development
* hanno/sig_hash_compatibility:
  Improve documentation
  Split long lines
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:14:57 +02:00
Andres AG
51a7ae1353 Add missing ret code checks in PEM module
Add missing return code checks in the functions pem_des_decrypt(),
pem_3des_decrypt() and pem_aes_decrypt() so that the calling function
mbedtls_pem_read_buffer() is notified of errors reported by the crypto
primitives AES, DES and 3DES.
2017-05-30 16:40:36 +01:00
Gilles Peskine
d50177fdf3 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 17:53:03 +02:00
Simon Butcher
9f77017a8d Updated version number to 2.5.0 2017-05-16 10:22:37 +01:00
Andres AG
f5bf7189d3 Change return type of AES decrypt and encrypt
This patch modifies the following 2 functions in the AES module to
change the return type from void to int:
    * mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
    * mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
This change is necessary to allow users of MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT and MBEDTLS_AES_ENCRYPT_ALT to return an error
code when replacing the default with their own implementation, e.g.
a hardware crypto accelerator.
2017-05-16 10:22:37 +01:00
Gilles Peskine
18ac716021 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Janos Follath
6e876988de Fix bug in threading sample implementation #667 2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139 Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00
Janos Follath
088ce43ffe Implement optional CA list suppression in Certificate Request
According to RFC5246 the server can indicate the known Certificate
Authorities or can constrain the aurhorisation space by sending a
certificate list. This part of the message is optional and if omitted,
the client may send any certificate in the response.

The previous behaviour of mbed TLS was to always send the name of all the
CAs that are configured as root CAs. In certain cases this might cause
usability and privacy issues for example:
- If the list of the CA names is longer than the peers input buffer then
  the handshake will fail
- If the configured CAs belong to third parties, this message gives away
  information on the relations to these third parties

Therefore we introduce an option to suppress the CA list in the
Certificate Request message.

Providing this feature as a runtime option comes with a little cost in
code size and advantages in maintenance and flexibility.
2017-05-16 10:22:37 +01:00
Hanno Becker
cf7ae7e7d3 Improve documentation 2017-05-15 11:50:13 +01:00
Hanno Becker
0d0cd4b30e Split long lines 2017-05-15 11:50:13 +01:00
Hanno Becker
7e5437a972 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-15 11:50:11 +01:00
Hanno Becker
1aa267cbc3 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-15 11:46:57 +01:00
Andres Amaya Garcia
af610a0baf Fix check-doxy-blocks.pl errors (cmac.c ecjpake.h) 2017-05-12 00:18:04 +01:00
Janos Follath
6c8ccd5be4 Fix cleanup label alignment 2017-05-11 22:42:14 +01:00
Janos Follath
69b2051e76 Update version features with ECP macros 2017-05-11 22:42:14 +01:00
Janos Follath
c44ab97cc9 Apply review feedback on ECP interface
Naming conventions are revised, style issues corrected and minor
optimisation added.
2017-05-11 22:42:14 +01:00
Janos Follath
b8a90fb51c Update ECP hardware abstraction interface
With this commit the Elliptic Curve Point interface is rewised. Two
compile time options has been removed to simplify the interface and
the function names got a new prefix that indicates that these functions
are for internal use and not part of the public interface.
2017-05-11 22:42:14 +01:00
Janos Follath
430d3376c9 Add thread safety to ECP hardware acceleration
The intended use of the abstraction layer for Elliptic Curve Point
arithmetic is to enable using hardware cryptographic accelerators.
These devices are a shared resource and the driver code rarely provides
thread safety.

This commit adds mutexes to the abstraction layer to protect the device
in a multi-threaded environment.
2017-05-11 22:42:14 +01:00
Janos Follath
552f6b6d17 Add global mutex for asymmetric crypto accelerator
The primary use case behind providing an abstraction layer to enable
alternative Elliptic Curve Point arithmetic implementation, is making
use of cryptographic acceleration hardware if it is present.

To provide thread safety for the hardware accelerator we need a mutex
to guard it.
2017-05-11 22:42:14 +01:00
Janos Follath
16e63ea2e2 Fix alternative ECP function names
The alternative Elliptic Curve Point arithmetic functions didn't have
an 'mbedtls_' prefix as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath
4d9c69dde8 Fix ECP alternative macro names
The compile time macros enabling the initialisation and deinitialisation
in the alternative Elliptic Curve Point arithmetic implementation had
names that did not end with '_ALT' as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath
47d28f08a6 Remove alt_internal directory 2017-05-11 22:42:14 +01:00
Janos Follath
372697b6b7 Clean up ECP abstraction layer code
This commit fixes several style issues and fixes in the documentation
of the Elliptic Curve Point arithmetic abstraction layer.
2017-05-11 22:42:14 +01:00
Janos Follath
b069753313 ECP: Add module and function level replacement options. 2017-05-11 22:42:14 +01:00
Andres AG
72849877d0 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-05-11 21:55:17 +01:00
Manuel Pégourié-Gonnard
c1380de887 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine
92e4426169 SSLv3: when refusing renegotiation, stop processing
Before the code was sending a fatal alert but then processing any
further data from the peer.

Internal reference: IOTSSL-1384
2017-05-10 17:31:13 +02:00
Gilles Peskine
c94f7352fa Ignore failures when sending fatal alerts
In many places in TLS handling, some code detects a fatal error, sends
a fatal alert message, and returns to the caller. If sending the alert
fails, then return the error that triggered the alert, rather than
overriding the return status. This effectively causes alert sending
failures to be ignored. Formerly the code was inconsistently sometimes
doing one, sometimes the other.

In general ignoring the alert is the right thing: what matters to the
caller is the original error. A typical alert failure is that the
connection is already closed.

One case which remains not handled correctly is if the alert remains
in the output buffer (WANT_WRITE). Then it won't be sent, or will be
truncated. We'd need to either delay the application error or record
the write buffering notice; to be done later.
2017-05-10 17:31:02 +02:00
Gilles Peskine
8498cb3687 Cleaned up double variable declaration 2017-05-10 15:39:40 +02:00
Gilles Peskine
064a85ca48 Code portability fix 2017-05-10 10:46:40 +02:00
Hanno Becker
b2034b7785 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-09 10:29:06 +01:00
Hanno Becker
4bcb4914c5 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus 1. This commit refuses this modulus with a BAD_INPUT error code. It also adds a test for this case.
2017-05-08 14:47:04 +01:00
Hanno Becker
a6ed9c5429 Backup errno in net_would_block
Safe and restore the value of errno in net_would_block to be sure
it's not affected by the guarding call to fcntl. Fixes #845.
2017-05-04 13:53:26 +01:00
Gilles Peskine
e7e7650480 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Gilles Peskine
1cc8e3472a Send TLS alerts in many more cases
The TLS client and server code was usually closing the connection in
case of a fatal error without sending an alert. This commit adds
alerts in many cases.

Added one test case to detect that we send the alert, where a server
complains that the client's certificate is from an unknown CA (case
tracked internally as IOTSSL-1330).
2017-05-03 16:28:34 +02:00
Gilles Peskine
f982852bf0 Balanced braces across preprocessor conditionals
This is a cosmetic improvement to ease source code navigation only.
2017-05-03 12:28:43 +02:00
Hanno Becker
a4af1c47d2 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign incorrectly. This commit fixes this and a test case which should have caught it.
2017-04-18 09:07:45 +01:00
Steven Cooreman
3a93387cea Forgot version-features update for new config flag 2017-04-04 12:02:37 +02:00
Steven Cooreman
12d9f3c84d Forgot version-features update for new config flag 2017-04-04 12:01:42 +02:00
Steven Cooreman
6334277320 Allow alternate core implementation of CMAC 2017-04-04 11:47:16 +02:00
Steven Cooreman
222e2ff421 Allow alternate core implementation of CCM 2017-04-04 11:37:15 +02:00
Andres AG
d1cc7f6f34 Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 21:34:21 +00:00
Ron Eldor
12e0b800da Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 12:26:11 +00:00
Janos Follath
7dadc2f259 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 18:41:39 +00:00
Andres AG
5708dcb368 Fix memory leak in mbedtls_x509_crl_parse()
The memory leak call was caused by missing calls to mbedtls_pem_free()
when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was
encountered.
2017-02-28 14:51:31 +00:00
Janos Follath
87c980749d Fix buffer overread in mbedtls_x509_get_time()
A heap overread might happen when parsing malformed certificates.
Reported by Peng Li and Yueh-Hsun Lin.

Refactoring the parsing fixes the problem. This commit applies the
relevant part of the OpenVPN contribution applied to mbed TLS 1.3
in commit 17da9dd82931abdf054a01c466bce45e7d12b742.
2017-02-28 14:23:12 +00:00
Simon Butcher
fc794ff2b7 Merge branch 'iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 19:06:05 +00:00
Simon Butcher
0278a38f10 Merge branch 'iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:16:02 +00:00
Simon Butcher
a29c5e9e66 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-15 23:31:07 +02:00
Andres AG
4623d83c6f Fix integer overflow mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Andres Amaya Garcia
6a54336897 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Janos Follath
182013faf4 Prevent SLOTH attacks 2017-02-15 23:29:32 +02:00
Andres AG
2196c7f81c Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-15 23:26:35 +02:00
Janos Follath
4c006cdb1c Update library version number to 2.4.1 2017-02-15 22:55:55 +02:00
Janos Follath
5da3a6f92f Update CMAC test vectors. 2017-02-15 22:55:30 +02:00
Andres AG
c0db511820 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-15 22:54:42 +02:00
Simon Butcher
e4ac5428f3 Fix formatting issues in net_sockets.c 2017-02-15 09:08:26 +00:00
Simon Butcher
36540ff741 Fix compiler warning in debug.c 2017-02-15 09:08:26 +00:00
Simon B
3c6b18df3a Fix various compiler warnings with MSVC
Fixes various compiler warnings found with Microsoft Visual Studio 2015
(and earlier versions).
2017-02-15 09:08:26 +00:00
Brian J Murray
1903fb312f Clarify Comments and Fix Typos (#651)
Fixes many typos, and errors in comments.

* Clarifies many comments
* Grammar correction in config.pl help text
* Removed comment about MBEDTLS_X509_EXT_NS_CERT_TYPE.
* Comment typo fix (Dont => Don't)
* Comment typo fix (assure => ensure)
* Comment typo fix (byes => bytes)
* Added citation for quoted standard
* Comment typo fix (one complement => 1's complement)

The is some debate about whether to prefer "one's complement",  "ones'
complement", or "1's complement".  The more recent RFCs related to TLS
(RFC 6347,  RFC 4347, etc) use " 1's complement", so I followed that
convention.

* Added missing ")" in comment
* Comment alignment
* Incorrect comment after #endif
2017-02-15 09:08:26 +00:00
Brian Murray
2fab5c9605 Work around for GCC bug 2017-02-04 17:44:45 -08:00
Simon Butcher
1d4db5b7b5 Merge 'iotssl-1099-incorrect-renego-dtls'
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-02 23:47:08 +00:00
Simon Butcher
d934b5371a Merge 'iotssl-952-tfirmware-warnings'
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-02 16:08:29 +00:00
Andres AG
d16506624a Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in
the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 13:52:01 +00:00
Andres AG
939954c0b0 Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:43:48 +00:00
Andres AG
18c5c59b5b Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-01-19 16:30:15 +00:00
Simon Butcher
105e856143 Merge branch 'gcc-compiler-warnings' 2017-01-05 18:26:40 +00:00
Janos Follath
1808dc01bd Update library version number to 2.4.1 2016-12-13 16:00:52 +00:00
Janos Follath
cd13bd2819 Update CMAC test vectors. 2016-12-13 16:00:52 +00:00
Andres AG
0368cb7f1c Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2016-12-07 16:15:32 +00:00
Simon Butcher
532c94dcb7 Fix formatting issues in net_sockets.c 2016-11-17 09:22:47 +00:00
Simon Butcher
097618b4c6 Fix compiler warning in debug.c 2016-11-17 09:22:46 +00:00
Simon B
3249cb780b Fix various compiler warnings with MSVC
Fixes various compiler warnings found with Microsoft Visual Studio 2015
(and earlier versions).
2016-11-10 15:37:33 +00:00
Brian J Murray
2adecba01f Clarify Comments and Fix Typos (#651)
Fixes many typos, and errors in comments.

* Clarifies many comments
* Grammar correction in config.pl help text
* Removed comment about MBEDTLS_X509_EXT_NS_CERT_TYPE.
* Comment typo fix (Dont => Don't)
* Comment typo fix (assure => ensure)
* Comment typo fix (byes => bytes)
* Added citation for quoted standard
* Comment typo fix (one complement => 1's complement)

The is some debate about whether to prefer "one's complement",  "ones'
complement", or "1's complement".  The more recent RFCs related to TLS
(RFC 6347,  RFC 4347, etc) use " 1's complement", so I followed that
convention.

* Added missing ")" in comment
* Comment alignment
* Incorrect comment after #endif
2016-11-06 12:45:15 +00:00
Joris Aerts
e75b88db49 Fix missing void argument declarations #678 2016-11-04 23:05:56 +01:00
Andres AG
703990b839 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-10-24 13:00:37 +01:00
Simon Butcher
16c54ee9c8 Update library version number to 2.4.0 2016-10-16 19:34:39 +01:00
Simon Butcher
8e00410402 Merge fix for AEAD Random IVs 2016-10-14 00:48:33 +01:00
Simon Butcher
9800a058ae Merge branch 'development' 2016-10-13 17:25:56 +01:00
Simon Butcher
99000142cb Merge fix for IE Certificate Compatibility 2016-10-13 17:21:01 +01:00
Simon Butcher
488c08c00b Merge branch fixing date validity in X.509 2016-10-13 16:13:09 +01:00
Simon Butcher
c58d7b4074 Merge fix for X.509 compatibility issues 2016-10-13 15:54:03 +01:00
Simon Butcher
511526720c Merge fix for branch SSL client overread 2016-10-13 15:39:09 +01:00
Simon Butcher
de319cb743 Merge branch 'development' 2016-10-13 15:14:04 +01:00
Russ Butler
bb83b42700 Use allocated memory for SHA self tests
Reduce the stack usage of the testing framework by dynamically
allocating the memory used for the test.
2016-10-13 15:10:14 +01:00
Janos Follath
e5dc202469 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 13:54:48 +01:00
Andres AG
314d8a8400 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 13:54:47 +01:00
Andres AG
410d3dd3c7 Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-13 13:54:14 +01:00
Janos Follath
d7b9049806 Fix memory leaks in CMAC tests 2016-10-13 13:53:56 +01:00
Janos Follath
2b3b740574 Remove unnecessary flag from CMAC context 2016-10-13 13:53:33 +01:00
Simon Butcher
c61351df72 Fix issues in CMAC in repeated updates
Successive calls to mbedtls_cipher_cmac_update() which weren't block aligned
were failing, which is fixed by this commit.
2016-10-13 13:53:12 +01:00