Commit graph

842 commits

Author SHA1 Message Date
Janos Follath
c6dab2b029 Fix non compliance SSLv3 in server extension handling.
The server code parses the client hello extensions even when the
protocol is SSLv3 and this behaviour is non compliant with rfc6101.
Also the server sends extensions in the server hello and omitting
them may prevent interoperability problems.
2016-05-23 14:27:02 +01:00
Simon Butcher
45732c7cac Update ChangeLog for bug #429 in ssl_fork_server 2016-04-29 00:12:53 +01:00
Simon Butcher
3fe6cd3a2d Fixes time() abstraction for custom configs
Added platform abstraction of time() to ChangeLog, version features, and fixed the build for dynamic configuration.
2016-04-26 19:51:29 +01:00
Simon Butcher
a543d11d3a Fixes mbedtls_mpi_zeroize() function name in ChangeLog 2016-04-26 12:51:37 +01:00
Simon Butcher
d7e9ad7d83 Updates ChangeLog with faster MPI zeroize fix
Added optimised mbedtls_mpi_zeroise() credit to ChangeLog.
2016-04-25 16:07:12 +01:00
Janos Follath
8a3170571e Fix bug in ssl_write_supported_elliptic_curves_ext
Passing invalid curves to mbedtls_ssl_conf_curves potentially could caused a
crash later in ssl_write_supported_elliptic_curves_ext. #373
2016-04-22 00:41:54 +01:00
Janos Follath
1ed9f99ef3 Fix null pointer dereference in the RSA module.
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
2016-04-19 10:16:31 +01:00
Simon Butcher
3f5c875654 Adds test for odd bit length RSA key size
Also tidy up ChangeLog following review.
2016-04-15 19:06:59 +01:00
Janos Follath
10c575be3e Fix odd bitlength RSA key generation
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
2016-04-15 18:49:13 +01:00
Simon Butcher
cd0ee5e499 Fixes following review of 'iotssl-682-selftest-ci-break' 2016-03-21 22:54:37 +00:00
Janos Follath
9194744595 Add exit value macros to platform abstraction layer. 2016-03-18 14:05:28 +00:00
Simon Butcher
4b852db299 Merge branch 'iotssl-629-der-trailing-bytes'
Fixes bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer following DER certificates to be included in the raw representation.
2016-03-12 23:28:26 +00:00
Simon Butcher
00157ce510 Update the ChangeLog 2016-03-09 19:32:11 +00:00
Simon Butcher
f59e66ba24 Remove redundant test certificates and clarify ChangeLog 2016-03-09 19:32:10 +00:00
Janos Follath
b437b4b125 X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-03-09 19:32:10 +00:00
Janos Follath
cc0e49ddde x509: trailing bytes in DER: fix bug
Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer after DER certificates to be included in the raw representation. #377
2016-02-17 14:41:36 +00:00
Janos Follath
4ae5c294a4 Add Changelog entry and improve coding style 2016-02-10 11:27:43 +00:00
Simon Butcher
9a3ee57c84 Merge branch 'fixes' into development 2016-01-13 02:08:02 +00:00
Manuel Pégourié-Gonnard
c990189e14 Revert changes done to 'make apidoc' target
This partially reverts 1989caf71c (only the changes to Makefile and
CMakeLists, the addition to scripts/config.pl is kept).

Modifying config.h in the apidoc target creates a race condition with

    make -j4 all apidoc

where some parts of the library, tests or programs could be built with the
wrong config.h, resulting in all kinds of (semi-random) errors. Recent
versions of CMake mitigate this by adding a .NOTPARALLEL target to the
generated Makefile, but people would still get errors with older CMake
versions that are still in use (eg in RHEL 5), and with plain make.

An additional issue is that, by failing to use cp -p, the apidoc target was
updating the timestamp on config.h, which seems to cause further build issues.

Let's get back to the previous, safe, situation. The improved apidoc building
will be resurrected in a script in the next commit.

fixes #390
fixes #391
2016-01-12 14:48:03 +00:00
Manuel Pégourié-Gonnard
25caaf36a6 Avoid build errors with -O0 due to assembly 2016-01-08 14:29:11 +01:00
Manuel Pégourié-Gonnard
3551901cd1 Make ar invocation more portable
armar doesn't understand the syntax without dash. OTOH, the syntax with dash
is the only one specified by POSIX, and it's accepted by GNU ar, BSD ar (as
bundled with OS X) and armar, so it looks like the most portable syntax.

fixes #386
2016-01-07 13:55:05 +01:00
Manuel Pégourié-Gonnard
afbb3101ce Update ChangeLog for latest PR merged
fixes #309
2016-01-07 13:26:11 +01:00
Manuel Pégourié-Gonnard
f92c86e44d Update reference to attack in ChangeLog
We couldn't do that before the attack was public
2016-01-07 13:18:01 +01:00
Simon Butcher
bfafadb45d Change version number to 2.2.1
Changed version for library files and yotta module
2016-01-04 22:26:36 +00:00
Manuel Pégourié-Gonnard
7f88b8ec86 Tune description of a change/bugfix in ChangeLog 2016-01-04 17:36:44 +01:00
Simon Butcher
1285ab5dc2 Fix for memory leak in RSA-SSA signing
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c
2016-01-01 21:42:47 +00:00
Simon Butcher
c4a6ce6a4c Merge branch 'origin/iotssl-541-pathlen-bugfix' 2015-12-30 07:52:54 +00:00
Simon Butcher
c42350125e Clarification in ChangeLog 2015-12-23 18:36:16 +00:00
Simon Butcher
4c2bfdbff6 Merge 'iotssl-558-md5-tls-sigs-restricted' 2015-12-23 18:33:54 +00:00
Simon Butcher
9c2626c641 Merge 'iotssl-566-double-free-restricted' 2015-12-23 16:42:03 +00:00
Simon Butcher
00923c1897 Fix typo in Changelog 2015-12-22 19:04:24 +00:00
Simon Butcher
fabce5e137 Merge branch 'misc' into development
Fixes github #358, #362 and IOTSSL-536
2015-12-22 18:56:56 +00:00
Simon Butcher
207990dcf5 Added description of change to the Changelog
Also clarified some comments following review.
2015-12-16 01:51:30 +00:00
Manuel Pégourié-Gonnard
1e07562da4 Fix wrong length limit in GCM
See for example page 8 of
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

The previous constant probably came from a typo as it was 2^26 - 2^5 instead
of 2^36 - 2^5. Clearly the intention was to allow for a constant bigger than
2^32 as the ull suffix and cast to uint64_t show.

fixes #362
2015-12-10 14:54:21 +01:00
Manuel Pégourié-Gonnard
97b5209bc0 Fix potential double free in cert writing code
In case an entry with the given OID already exists in the list passed to
mbedtls_asn1_store_named_data() and there is not enough memory to allocate
room for the new value, the existing entry will be freed but the preceding
entry in the list will sill hold a pointer to it. (And the following entries
in the list are no longer reachable.) This results in memory leak or a double
free.

The issue is we want to leave the list in a consistent state on allocation
failure. (We could add a warning that the list is left in inconsistent state
when the function returns NULL, but behaviour changes that require more care
from the user are undesirable, especially in a stable branch.)

The chosen solution is a bit inefficient in that there is a time where both
blocks are allocated, but at least it's safe and this should trump efficiency
here: this code is only used for generating certificates, which is unlikely to
be done on very constrained devices, or to be in the critical loop of
anything. Also, the sizes involved should be fairly small anyway.

fixes #367
2015-12-10 11:23:55 +01:00
Manuel Pégourié-Gonnard
c5892ca50c Add credits to ChangeLog 2015-12-08 16:14:58 +01:00
Manuel Pégourié-Gonnard
47229c7cbb Disable MD5 in handshake signatures by default 2015-12-04 15:02:56 +01:00
Manuel Pégourié-Gonnard
f4569b14c4 Fix bug checking pathlen on first intermediate
Remove check on the pathLenConstraint value when looking for a parent to the
EE cert, as the constraint is on the number of intermediate certs below the
parent, and that number is always 0 at that point, so the constraint is always
satisfied.

The check was actually off-by-one, which caused valid chains to be rejected
under the following conditions:
- the parent certificate is not a trusted root, and
- it has pathLenConstraint == 0 (max_pathlen == 1 in our representation)

fixes #280
2015-11-19 11:10:38 +01:00
Simon Butcher
8254ed2a9f Change version number to 2.2.0
Changed for library and yotta module
2015-11-04 19:55:40 +00:00
Simon Butcher
59a8fa7e2e Corrected typo in ChangeLog 2015-11-03 23:09:28 +00:00
Manuel Pégourié-Gonnard
bd3639852c Merge branch 'iotssl-519-asn1write-overflows-restricted' into development-restricted
* iotssl-519-asn1write-overflows-restricted:
  Fix other int casts in bounds checking
  Fix other occurrences of same bounds check issue
  Fix potential buffer overflow in asn1write
2015-11-02 11:07:30 +09:00
Manuel Pégourié-Gonnard
537e2a9b58 Merge branch 'iotssl-518-winpathlen-restricted' into development-restricted
* iotssl-518-winpathlen-restricted:
  Fix potential heap corruption on Windows
2015-11-02 11:04:59 +09:00
Manuel Pégourié-Gonnard
f8b2442e2f Merge branch 'iotssl-517-double-free-restricted' into development-restricted
* iotssl-517-double-free-restricted:
  Fix potential double-free in ssl_conf_psk()
2015-11-02 11:03:32 +09:00
Manuel Pégourié-Gonnard
c99dffad36 Add ChangeLog entry for ASN.1 DER boolean fix 2015-11-02 06:00:02 +09:00
Manuel Pégourié-Gonnard
ba1d897987 Merge branch 'bugfixes' into development
* bugfixes:
  Fix typo in an OID name
  Disable reportedly broken assembly of Sparc(64)
2015-11-02 05:50:41 +09:00
Manuel Pégourié-Gonnard
568f1e7cb3 Merge branch 'iotssl-515-max-pathlen' into development
* iotssl-515-max-pathlen:
  Add Changelog entries for this branch
  Fix a style issue
  Fix whitespace at EOL issues
  Use symbolic constants in test data
  Fixed pathlen contraint enforcement.
  Additional corner cases for testing pathlen constrains. Just in case.
  Added test case for pathlen constrains in intermediate certificates
2015-11-02 05:49:08 +09:00
Manuel Pégourié-Gonnard
2b624e9b39 Add Changelog entries for this branch 2015-10-30 09:45:34 +01:00
Simon Butcher
204606238c Merge branch 'development' into misc 2015-10-27 16:57:34 +00:00
Simon Butcher
62aab15085 Merge branch 'development' into iotssl-513-alerts 2015-10-27 16:05:34 +00:00
Simon Butcher
5f7c34b8b0 Merge branch iotssl-521-keylen-check 2015-10-27 15:14:55 +00:00