mbedtls_rsa_private() could return the sum of two RSA error codes
instead of a valid error code in some rare circumstances:
* If rsa_prepare_blinding() returned MBEDTLS_ERR_RSA_RNG_FAILED
(indicating a misbehaving or misconfigured RNG).
* If the comparison with the public value failed (typically indicating
a glitch attack).
Make sure not to add two high-level error codes.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
file descriptor that is beyond FD_SETSIZE. The bug was due to not checking
that the file descriptor is within the range of an fd_set object.
Fix#4169
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Although the library documentation does not guarantee that calling
mbedtls_entropy_free() twice works, it's a plausible assumption and it's
natural to write code that frees an object twice. While this is uncommon for
an entropy context, which is usually a global variable, it came up in our
own unit tests (random_twice tests in test_suite_random in the
development branch).
Announce this in the same changelog entry as for RSA because it's the same
bug in the two modules.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE).
Fix#4042
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Extra whitespace and a missing newline at end of file was causing an error with
`check_files.py`.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.
Regression test added (one of the client certs modified accordingly)
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Remove the zeroization of a pointer variable in the AES block
functions. The code was valid but spurious and misleading since it
looked like a mistaken attempt to zeroize the pointed-to buffer.
Reported by Antonio de la Piedra, CEA Leti, France.
Note that we do not zeroize the buffer here because these are the
round keys, and they need to stay until all the blocks are processed.
They will be zeroized in mbedtls_aes_free().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
From now on, external contributions are no longer acknowledged in the
changelog file. They of course remain acknowledged in the Git history.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Starting with commit 49e94e3, the do/while loop in
`rsa_prepare_blinding()` was changed to a `do...while(0)`, which
prevents retry from being effective and leaves dead code.
Restore the while condition to retry, and lift the calls to finish the
computation out of the while loop by by observing that they are
performed only when `mbedtls_mpi_inv_mod()` returns zero.
Signed-off-by: Peter Kolbus <peter.kolbus@garmin.com>
Zeroising of local buffers and variables which are used for calculations in
mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
functions to erase sensitive data from memory.
Checked all function for possible missing zeroisation in MD.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Zeroising of local buffers and variables which are used for calculations in
mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() functions
to erase sensitive data from memory.
Checked all function for possible missing zeroisation in PKCS and SHA.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Description referred to mbedtls_ssl_sent_t callback,
but the callback is named mbedtls_ssl_send_t.
Signed-off-by: Christopher Moynihan <christophm@gmail.com>
RFC5280 does not state that the `revocationDate` should be checked.
In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.
https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
* mbedtls-2.7: (28 commits)
A different approach of signed-to-unsigned comparison
Update the copy of tests/data_files/server2-sha256.crt in certs.c
Fix bug in redirection of unit test outputs
Backport e2k support to mbedtls-2.7
Don't forget to free G, P, Q, ctr_drbg, and entropy
Regenerate server2-sha256.crt with a PrintableString issuer
Regenerate test client certificates with a PrintableString issuer
cert_write: support all hash algorithms
compat.sh: stop using allow_sha1
compat.sh: quit using SHA-1 certificates
compat.sh: enable CBC-SHA-2 suites for GnuTLS
Fix license header in pre-commit hook
Update copyright notices to use Linux Foundation guidance
Fix building on NetBSD 9.0
Remove obsolete buildbot reference in compat.sh
Fix misuse of printf in shell script
Fix added proxy command when IPv6 is used
Simplify test syntax
Fix logic error in setting client port
ssl-opt.sh: include test name in log files
...
