Merge remote-tracking branch 'upstream-restricted/pr/503' into development-restricted-proposed
diff --git a/ChangeLog b/ChangeLog
index 37373a2..5032be6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,13 @@
= mbed TLS x.x.x branch released xxxx-xx-xx
+Security
+ * When writing a private EC key, use a constant size for the private
+ value, as specified in RFC 5915. Previously, the value was written
+ as an ASN.1 INTEGER, which caused the size of the key to leak
+ about 1 bit of information on average and could cause the value to be
+ 1 byte too large for the output buffer.
+
Features
* Add the Any Policy certificate policy oid, as defined in
rfc 5280 section 4.2.1.4.
@@ -32,6 +39,15 @@
MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
+API Changes
+ * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
+ and the used tls-prf.
+ * Add public API for tls-prf function, according to requested enum.
+ * Add DER-encoded test CRTs to library/certs.c, allowing
+ the example programs ssl_server2 and ssl_client2 to be run
+ if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
+ * The HAVEGE state type now uses uint32_t elements instead of int.
+
Bugfix
* Fix private key DER output in the key_app_writer example. File contents
were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
@@ -80,15 +96,6 @@
in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
* Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
-API Changes
- * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
- and the used tls-prf.
- * Add public API for tls-prf function, according to requested enum.
- * Add DER-encoded test CRTs to library/certs.c, allowing
- the example programs ssl_server2 and ssl_client2 to be run
- if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
- * The HAVEGE state type now uses uint32_t elements instead of int.
-
Changes
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
mbedTLS configuration only SHA-2 signed certificates are accepted.
diff --git a/library/pkwrite.c b/library/pkwrite.c
index b87f81b..aff8246 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -38,7 +38,9 @@
#include "mbedtls/rsa.h"
#endif
#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/bignum.h"
#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
#endif
#if defined(MBEDTLS_ECDSA_C)
#include "mbedtls/ecdsa.h"
@@ -154,6 +156,26 @@
return( (int) len );
}
+
+/*
+ * privateKey OCTET STRING -- always of length ceil(log2(n)/8)
+ */
+static int pk_write_ec_private( unsigned char **p, unsigned char *start,
+ mbedtls_ecp_keypair *ec )
+{
+ int ret;
+ size_t byte_length = ( ec->grp.pbits + 7 ) / 8;
+ unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
+
+ ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length );
+
+exit:
+ mbedtls_platform_zeroize( tmp, byte_length );
+ return( ret );
+}
#endif /* MBEDTLS_ECP_C */
int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
@@ -425,9 +447,8 @@
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
len += par_len;
- /* privateKey: write as MPI then fix tag */
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf, &ec->d ) );
- *c = MBEDTLS_ASN1_OCTET_STRING;
+ /* privateKey */
+ MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_private( &c, buf, ec ) );
/* version */
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 1 ) );
diff --git a/tests/data_files/ec_256_long_prv.pem b/tests/data_files/ec_256_long_prv.pem
new file mode 100644
index 0000000..5141e30
--- /dev/null
+++ b/tests/data_files/ec_256_long_prv.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIcex4mqXsQamUKTVf8vXmTAJrQvGjh5mXG8p9+OR4xAoAoGCCqGSM49
+AwEHoUQDQgAEqJ2HQjPpc6fDwE/vSa6U35USXawkTo98y4U6NsAl+rOGuqMPEFXf
+P1Srm/Jrzwa/RuppRL5kgyAsGJTUmwZEzQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_521_short_prv.pem b/tests/data_files/ec_521_short_prv.pem
new file mode 100644
index 0000000..427b7ad
--- /dev/null
+++ b/tests/data_files/ec_521_short_prv.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIAOXdk7W+Hf5L7Hc9fKe44wmpaRNs5ERFTkv5CrlXv/Bu3y28M673q
+vBNo7a/UE/6NNQHu2pQODEYFpMg6R34b5SigBwYFK4EEACOhgYkDgYYABAFUMHXV
+KPA4vkMgq+pFgDoH96XoM517gF2GJFV6h2gLhykzIHL/otAyEpAStw7MBvbU0V21
+ixB+hjqzO7Snxaj9mwB8g87OKxm5eGfsqvJNPdJ0RZ/EKy06Ukg6KThlhQeyrtIk
+g5PTCrPnNszlffAy6/jCOe3Moi59g15H13sSzwfX6g==
+-----END EC PRIVATE KEY-----
diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data
index c8ff177..e0101cc 100644
--- a/tests/suites/test_suite_pkwrite.data
+++ b/tests/suites/test_suite_pkwrite.data
@@ -30,10 +30,18 @@
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_write_key_check:"data_files/ec_prv.sec1.pem"
+Private key write check EC 256 bits (top bit set)
+depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+pk_write_key_check:"data_files/ec_256_long_prv.pem"
+
Private key write check EC 521 bits
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
pk_write_key_check:"data_files/ec_521_prv.pem"
+Private key write check EC 521 bits (top byte is 0)
+depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_write_key_check:"data_files/ec_521_short_prv.pem"
+
Private key write check EC Brainpool 512 bits
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
pk_write_key_check:"data_files/ec_bp512_prv.pem"