Make verify() actually restartable

This commit is contained in:
Manuel Pégourié-Gonnard 2017-08-14 18:04:19 +02:00
parent c11e4baa63
commit 8b59049407
5 changed files with 208 additions and 28 deletions

View file

@ -171,7 +171,22 @@ typedef struct
*/
typedef struct
{
mbedtls_ecdsa_restart_ctx ecdsa; /*!< ecdsa restart context */
/* for check_signature() */
mbedtls_ecdsa_restart_ctx ecdsa;
/* for find_parent_in() */
mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
mbedtls_x509_crt *fallback_parent;
int fallback_sign_good;
/* for find_parent() */
int parent_is_trusted; /* -1 if find_parent is not in progress */
/* for verify_chain() */
mbedtls_x509_crt *child; /* non-null iff in progress */
int self_cnt;
mbedtls_x509_crt_verify_chain ver_chain;
} mbedtls_x509_crt_restart_ctx;
#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */

View file

@ -1870,7 +1870,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child,
if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
return( -1 );
#if defined(MBEDTLS_ECP_RESTARTABLE)
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
{
return( mbedtls_pk_verify_restartable( &parent->pk,
@ -1961,8 +1961,23 @@ static int x509_crt_find_parent_in(
mbedtls_x509_crt_restart_ctx *rs_ctx )
{
int ret;
mbedtls_x509_crt *parent, *fallback_parent = NULL;
int signature_is_good = 0, fallback_sign_good = 0;
mbedtls_x509_crt *parent, *fallback_parent;
int signature_is_good, fallback_sign_good;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/* restore state if we have some stored */
if( rs_ctx != NULL && rs_ctx->parent != NULL )
{
parent = rs_ctx->parent;
fallback_parent = rs_ctx->fallback_parent;
fallback_sign_good = rs_ctx->fallback_sign_good;
goto check_signature;
}
#endif
fallback_parent = NULL;
fallback_sign_good = 0;
for( parent = candidates; parent != NULL; parent = parent->next )
{
@ -1978,14 +1993,24 @@ static int x509_crt_find_parent_in(
}
/* Signature */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
check_signature:
#endif
ret = x509_crt_check_signature( child, parent, rs_ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
// TODO: stave state
if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
{
/* save state */
rs_ctx->parent = parent;
rs_ctx->fallback_parent = fallback_parent;
rs_ctx->fallback_sign_good = fallback_sign_good;
return( ret );
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
#else
(void) ret;
#endif
signature_is_good = ret == 0;
if( top && ! signature_is_good )
@ -2018,6 +2043,16 @@ static int x509_crt_find_parent_in(
*r_signature_is_good = fallback_sign_good;
}
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL )
{
/* reset state */
rs_ctx->parent = NULL;
rs_ctx->fallback_parent = NULL;
rs_ctx->fallback_sign_good = 0;
}
#endif
return( 0 );
}
@ -2042,6 +2077,12 @@ static int x509_crt_find_parent(
*parent_is_trusted = 1;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/* restore state if we have some stored */
if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1)
*parent_is_trusted = rs_ctx->parent_is_trusted;
#endif
while( 1 ) {
search_list = *parent_is_trusted ? trust_ca : child->next;
@ -2051,11 +2092,15 @@ static int x509_crt_find_parent(
path_cnt, self_cnt, rs_ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
// TODO: stave state
if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
{
/* save state */
rs_ctx->parent_is_trusted = *parent_is_trusted;
return( ret );
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
#else
(void) ret;
#endif
/* stop here if found or already in second iteration */
if( *parent != NULL || *parent_is_trusted == 0 )
@ -2072,6 +2117,12 @@ static int x509_crt_find_parent(
signature_is_good = 0;
}
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/* reset state */
if( rs_ctx != NULL )
rs_ctx->parent_is_trusted = -1;
#endif
return( 0 );
}
@ -2155,12 +2206,31 @@ static int x509_crt_verify_chain(
mbedtls_x509_crt_verify_chain_item *cur;
mbedtls_x509_crt *child;
mbedtls_x509_crt *parent;
int parent_is_trusted = 0;
int child_is_trusted = 0;
int signature_is_good = 0;
int self_cnt = 0;
int parent_is_trusted;
int child_is_trusted;
int signature_is_good;
int self_cnt;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/* resume if we had an operation in progress */
if( rs_ctx != NULL && rs_ctx->child != NULL )
{
/* save state */
child = rs_ctx->child;
self_cnt = rs_ctx->self_cnt;
*ver_chain = rs_ctx->ver_chain;
cur = &ver_chain->items[ver_chain->len - 1];
flags = &cur->flags;
goto find_parent;
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
child = crt;
self_cnt = 0;
parent_is_trusted = 0;
child_is_trusted = 0;
while( 1 ) {
/* Add certificate to the verification chain */
@ -2194,17 +2264,27 @@ static int x509_crt_verify_chain(
return( 0 );
}
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
find_parent:
#endif
/* Look for a parent in trusted CAs or up the chain */
ret = x509_crt_find_parent( child, trust_ca, &parent,
&parent_is_trusted, &signature_is_good,
ver_chain->len - 1, self_cnt, rs_ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
// TODO: stave state
if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
{
/* save state */
rs_ctx->child = child;
rs_ctx->self_cnt = self_cnt;
rs_ctx-> ver_chain = *ver_chain;
return( ret );
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
}
#else
(void) ret;
#endif
/* No parent? We're done here */
if( parent == NULL )
@ -2425,13 +2505,6 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
&ver_chain, rs_ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
// TODO: stave state
return( ret );
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
if( ret != 0 )
goto exit;
@ -2439,6 +2512,11 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
exit:
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
mbedtls_x509_crt_restart_free( rs_ctx );
#endif
/* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
* the SSL module for authmode optional, but non-zero return from the
* callback means a fatal error so it shouldn't be ignored */
@ -2554,6 +2632,17 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
{
mbedtls_ecdsa_restart_init( &ctx->ecdsa );
ctx->parent = NULL;
ctx->fallback_parent = NULL;
ctx->fallback_sign_good = 0;
ctx->parent_is_trusted = -1;
ctx->child = NULL;
ctx->self_cnt = 0;
memset( ctx->ver_chain.items, 0, sizeof( ctx->ver_chain.items ) );
ctx->ver_chain.len = 0;
}
/*
@ -2565,6 +2654,8 @@ void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
return;
mbedtls_ecdsa_restart_free( &ctx->ecdsa );
mbedtls_x509_crt_restart_init( ctx );
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */

View file

@ -17,7 +17,7 @@ Two intermediate CAs are signed by them:
- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
uses RSA-4096, signed by test-ca2
- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
uses an EC key with NIST P-256, signed by test-ca
uses an EC key with NIST P-384, signed by test-ca
A third intermediate CA is signed by test-int-ca2.crt:
- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"

View file

@ -1810,22 +1810,86 @@ X509 cert verify restart: trusted EE, max_ops=0
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:0:0:0
X509 cert verify restart: trusted EE, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:1:0:0
X509 cert verify restart: no intermediate, max_ops=0
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:0:0:0
X509 cert verify restart: no intermediate, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:1:100:10000
X509 cert verify restart: no intermediate, max_ops=40000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:40000:0:0
X509 cert verify restart: no intermediate, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:500:20:80
X509 cert verify restart: no intermediate, badsign, max_ops=0
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
X509 cert verify restart: one intermediate, max_ops=0
X509 cert verify restart: no intermediate, badsign, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
X509 cert verify restart: no intermediate, badsign, max_ops=40000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0
X509 cert verify restart: no intermediate, badsign, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80
X509 cert verify restart: one int, max_ops=0
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:0:0:0
X509 cert verify restart: one intermediate, EE badsign, max_ops=0
X509 cert verify restart: one int, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:1:100:10000
X509 cert verify restart: one int, max_ops=30000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:30000:0:0
X509 cert verify restart: one int, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:500:25:100
X509 cert verify restart: one int, EE badsign, max_ops=0
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
X509 cert verify restart: one intermediate, int badsign, max_ops=0
X509 cert verify restart: one int, EE badsign, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
X509 cert verify restart: one int, EE badsign, max_ops=30000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
X509 cert verify restart: one int, EE badsign, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
X509 cert verify restart: one int, int badsign, max_ops=0
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
X509 cert verify restart: one int, int badsign, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
X509 cert verify restart: one int, int badsign, max_ops=30000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
X509 cert verify restart: one int, int badsign, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100

View file

@ -272,6 +272,16 @@ void x509_verify_restart( char *crt_file, char *ca_file,
mbedtls_x509_crt ca;
uint32_t flags = 0;
/*
* See comments on ecp_test_vect_restart() for op count precision.
*
* For reference, with mbed TLS 2.6 and default settings:
* - ecdsa_verify() for P-256: ~ 6700
* - ecdsa_verify() for P-384: ~ 18800
* - x509_verify() for server5 -> test-ca2: ~ 18800
* - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500
*/
mbedtls_x509_crt_restart_init( &rs_ctx );
mbedtls_x509_crt_init( &crt );
mbedtls_x509_crt_init( &ca );