Commit graph

5267 commits

Author SHA1 Message Date
Andres AG
5c79d25d94 Add PK tests to avoid hashlen overflow for RSA 2017-05-11 21:58:25 +01:00
Andres AG
72849877d0 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-05-11 21:55:17 +01:00
Manuel Pégourié-Gonnard
c1380de887 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine
3df98f50a9 Changelog entry for the bug fixes 2017-05-10 17:47:40 +02:00
Gilles Peskine
92e4426169 SSLv3: when refusing renegotiation, stop processing
Before the code was sending a fatal alert but then processing any
further data from the peer.

Internal reference: IOTSSL-1384
2017-05-10 17:31:13 +02:00
Gilles Peskine
c94f7352fa Ignore failures when sending fatal alerts
In many places in TLS handling, some code detects a fatal error, sends
a fatal alert message, and returns to the caller. If sending the alert
fails, then return the error that triggered the alert, rather than
overriding the return status. This effectively causes alert sending
failures to be ignored. Formerly the code was inconsistently sometimes
doing one, sometimes the other.

In general ignoring the alert is the right thing: what matters to the
caller is the original error. A typical alert failure is that the
connection is already closed.

One case which remains not handled correctly is if the alert remains
in the output buffer (WANT_WRITE). Then it won't be sent, or will be
truncated. We'd need to either delay the application error or record
the write buffering notice; to be done later.
2017-05-10 17:31:02 +02:00
Gilles Peskine
8498cb3687 Cleaned up double variable declaration 2017-05-10 15:39:40 +02:00
Gilles Peskine
064a85ca48 Code portability fix 2017-05-10 10:46:40 +02:00
Hanno Becker
072e806a07 Adapt ChangeLog 2017-05-09 10:47:49 +01:00
Hanno Becker
b2034b7785 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-09 10:29:06 +01:00
Hanno Becker
4bcb4914c5 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus 1. This commit refuses this modulus with a BAD_INPUT error code. It also adds a test for this case.
2017-05-08 14:47:04 +01:00
Gilles Peskine
e7e7650480 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Gilles Peskine
36091fe3ef Added changelog entry 2017-05-03 16:55:03 +02:00
Gilles Peskine
1cc8e3472a Send TLS alerts in many more cases
The TLS client and server code was usually closing the connection in
case of a fatal error without sending an alert. This commit adds
alerts in many cases.

Added one test case to detect that we send the alert, where a server
complains that the client's certificate is from an unknown CA (case
tracked internally as IOTSSL-1330).
2017-05-03 16:28:34 +02:00
Gilles Peskine
071db41627 Skip all non-executables in run-test-suites.pl
The script was blacklisting extensions. Rather than keep adding to the
extensions, whitelist executables.
2017-05-03 16:26:47 +02:00
Gilles Peskine
fd8332e15f SSL tests: server requires auth, client has no certificate
Added explicit test cases where the client has no certificate but the
server requires one.
2017-05-03 16:25:07 +02:00
Gilles Peskine
f982852bf0 Balanced braces across preprocessor conditionals
This is a cosmetic improvement to ease source code navigation only.
2017-05-03 12:28:43 +02:00
Gilles Peskine
f93c7d3ab0 Support setting the ports on the command line
Added command line arguments --port and --proxy-port to choose the
ports explicitly instead of deriving them from the PID. This
facilitates debugging e.g. with Wireshark.
2017-04-26 16:41:55 +02:00
Hanno Becker
a4af1c47d2 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign incorrectly. This commit fixes this and a test case which should have caught it.
2017-04-18 09:07:45 +01:00
Simon Butcher
b65c2be5f1 Updated version number to 2.4.2 for release 2017-03-10 18:50:44 +00:00
Simon Butcher
f8c45eb61a Merge branch 'development' 2017-03-10 18:45:21 +00:00
Janos Follath
0a5154b8a1 Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-03-10 11:31:41 +00:00
Simon Butcher
81cf88f6d7 Added missing credit to ChangeLog for #555 2017-03-07 19:35:49 +00:00
Simon Butcher
8b987500f2 Corrected attibution in Changelog 2017-03-07 12:37:14 +00:00
Andres AG
d1cc7f6f34 Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 21:34:21 +00:00
Andres AG
99acfc4521 Fix failing pkparse test case
The first three test cases from test_suites_pkparse.data failed because
the key file they read requires DES to be read. However, MBEDTLS_DES_C
was missing from the dependency list.
2017-03-02 16:01:08 +00:00
Andres AG
b5ba28cbea Fix failing pkparse test case
The first three test cases from test_suites_pkparse.data failed because
the key file they read requires DES to be read. However, MBEDTLS_DES_C
was missing from the dependency list.
2017-03-02 15:26:09 +00:00
Ron Eldor
12e0b800da Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 12:26:11 +00:00
Simon Butcher
28d9fe031d Fix mistake in ChangeLog from file merge 2017-03-02 12:05:54 +00:00
Ron Eldor
04965edaa8 Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 11:58:15 +00:00
Simon Butcher
956c58ffa9 Add fix and credit for #742 to the ChangeLog 2017-03-02 09:20:53 +00:00
Simon Butcher
065cede476 Add fix and credit for #742 to the ChangeLog 2017-03-02 09:18:09 +00:00
Andres AG
429aaee671 Remove use of inttypes.h in MSVC from ssl_server2
The sample application programs/ssl/ssl_server2.c was previously
modifies to use inttypes.h to parse a string to a 64-bit integer.
However, MSVC does not support C99, so compilation fails. This
patch modifies the sample app to use the MSVC specific parsing
functions instead of inttypes.h.
2017-03-02 00:09:55 +00:00
Simon Butcher
24ce844530 Update of the Visual Studio files
Contains additional project file, ecdh_curve25519.vcxproj, as well as fix
for intermediate files causing the warning MSB8028 with Visual Studio 2015.
2017-03-02 00:09:55 +00:00
Simon Butcher
cde009101b Fix Visual Studio template files
Adds interim directories to the Visual Studio project files to avoid warning
MSB8028 in Visual Studio 2015, where shared directories of intermediate files
between project files generate the warning.
2017-03-02 00:09:55 +00:00
Andres AG
0b736db0f3 Remove use of inttypes.h in MSVC from ssl_server2
The sample application programs/ssl/ssl_server2.c was previously
modifies to use inttypes.h to parse a string to a 64-bit integer.
However, MSVC does not support C99, so compilation fails. This
patch modifies the sample app to use the MSVC specific parsing
functions instead of inttypes.h.
2017-03-01 23:24:35 +00:00
Simon Butcher
6406e81832 Update of the Visual Studio files
Contains additional project file, ecdh_curve25519.vcxproj, as well as fix
for intermediate files causing the warning MSB8028 with Visual Studio 2015.
2017-03-01 22:32:44 +00:00
Simon Butcher
08902ed671 Fix Visual Studio template files
Adds interim directories to the Visual Studio project files to avoid warning
MSB8028 in Visual Studio 2015, where shared directories of intermediate files
between project files generate the warning.
2017-03-01 22:32:28 +00:00
Ron Eldor
f3870f72b6 fix for issue 1101: missing rsa context initialization
added mbedtls_rsa_init in rsa_decrypt sample application
2017-03-01 08:09:57 +00:00
Ron Eldor
dbe8316e23 fix for issue 1101: missing rsa context initialization
added mbedtls_rsa_init in rsa_decrypt sample application
2017-03-01 07:56:40 +00:00
Paul Bakker
719aa8bb37 Fix default hostname for verification used in ssl_client1 2017-02-28 23:19:06 +00:00
Paul Bakker
2382816a84 Fix default hostname for verification used in ssl_client1 2017-02-28 22:23:41 +00:00
Simon Butcher
71e9d58dc2 Clarify ChangeLog for #569 2017-02-28 18:47:27 +00:00
Janos Follath
7dadc2f259 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 18:41:39 +00:00
Janos Follath
28fff14113 Add invalid key tests for curve SECP224K1
This curve has special arithmetic on 64 bit platforms and an untested
path lead to trying to free a buffer on the stack.

For the sake of completeness, a test case for a point with non-affine
coordinates has been added as well.
2017-02-28 18:41:39 +00:00
Simon Butcher
d02dc14c94 Fix credit in ChangeLog for #722 2017-02-28 16:36:22 +00:00
Andres AG
5708dcb368 Fix memory leak in mbedtls_x509_crl_parse()
The memory leak call was caused by missing calls to mbedtls_pem_free()
when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was
encountered.
2017-02-28 14:51:31 +00:00
Janos Follath
87c980749d Fix buffer overread in mbedtls_x509_get_time()
A heap overread might happen when parsing malformed certificates.
Reported by Peng Li and Yueh-Hsun Lin.

Refactoring the parsing fixes the problem. This commit applies the
relevant part of the OpenVPN contribution applied to mbed TLS 1.3
in commit 17da9dd82931abdf054a01c466bce45e7d12b742.
2017-02-28 14:23:12 +00:00
Janos Follath
ea7054a00c Add unit tests for X509 certificate date parsing 2017-02-28 14:23:12 +00:00