Commit graph

2400 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard c37423fa76 Fix misleading sub-state name and comments
The enum constant had 'ske' in its name while this was a sub-state of the
"write client key exchange" state; corresponding issue in the comment.
2018-10-16 10:28:17 +02:00
Ron Eldor 5267b62248 Change error description
1. Change error description to a clearer one.
2. Change value in the error codes ranges description.
2018-10-15 18:44:42 +03:00
Ron Eldor a27190b774 Rename platform error code and value
Rename the PLATFORM HW error, to avoid ABI breakage with Mbed OS.
The value changed as well, as previous value was not in the range of
Mbed TLS low level error codes.
2018-10-15 16:33:43 +03:00
Manuel Pégourié-Gonnard 32df91183e Fix documentation of what functions restart when
The previous comment in ecp.h that only functions that take a "restart
context" argument can restart was wrong due to ECDH and SSL functions.
Changing that criterion to "document says if can return IN PROGRESS".

This requires updating the documentation of the SSL functions to mention this
explicitly, but it's something we really ought to do anyway, a bit
embarrassing that this wasn't done already - callers need to know what
`MBEDTLS_ERR_SSL_xxx` error codes to special-case. Note that the documentation
of the relevant functions was in a suboptimal state, so it was improved in the
process - it could use some more improvement, but only the changes that helped
cleanly insert the info about the IN_PROGRESS part were done here.

Also, while updating the ecp.h comment, I noticed several functions in the
ECDH module were wrongfully documented as restartable, which is probably a
left-over from the days before `mbedtls_ecdh_enable_restart()` was introduced.
Fixing that as well, to make the criterion used in ecp.h correct.
2018-10-15 14:41:16 +02:00
Manuel Pégourié-Gonnard f0bbd7e3fd Misc documentation fixes/improvements. 2018-10-15 13:22:41 +02:00
Janos Follath a0b67c2f3e Bignum: Deprecate mbedtls_mpi_is_prime()
When using a primality testing function the tolerable error rate depends
on the scheme in question, the required security strength and wether it
is used for key generation or parameter validation. To support all use
cases we need more flexibility than what the old API provides.
2018-10-09 16:36:53 +01:00
Janos Follath f301d23ceb Bignum: Improve primality test for FIPS primes
The FIPS 186-4 RSA key generation prescribes lower failure probability
in primality testing and this makes key generation slower. We enable the
caller to decide between compliance/security and performance.

This python script calculates the base two logarithm of the formulas in
HAC Fact 4.48 and was used to determine the breakpoints and number of
rounds:

def mrpkt_log_2(k, t):
    if t <= k/9.0:
        return 3*math.log(k,2)/2+t-math.log(t,2)/2+4-2*math.sqrt(t*k)
    elif t <= k/4.0:
        c1 = math.log(7.0*k/20,2)-5*t
        c2 = math.log(1/7.0,2)+15*math.log(k,2)/4.0-k/2.0-2*t
        c3 = math.log(12*k,2)-k/4.0-3*t
        return max(c1, c2, c3)
    else:
        return math.log(1/7.0)+15*math.log(k,2)/4.0-k/2.0-2*t
2018-10-09 16:33:27 +01:00
Hanno Becker d0e21fbd27 Improve documentation of ASN.1 string-writing functions
- mbedtls_asn1_write_tagged_string()
- mbedtls_asn1_write_printable_string()
- mbedtls_asn1_write_utf8_string()
- mbedtls_asn1_write_ia5_string()
2018-10-08 14:44:28 +01:00
Aurelien Jarno 16b1bd8932 bn_mul.h: add ARM DSP optimized MULADDC code
The Cortex M4, M7 MCUs and the Cortex A CPUs support the ARM DSP
instructions, and especially the umaal instruction which greatly
speed up MULADDC code. In addition the patch switched the ASM
constraints to registers instead of memory, giving the opportunity
for the compiler to load them the best way.

The speed improvement is variable depending on the crypto operation
and the CPU. Here are the results on a Cortex M4, a Cortex M7 and a
Cortex A8. All tests have been done with GCC 6.3 using -O2. RSA uses a
RSA-4096 key. ECDSA uses a secp256r1 curve EC key pair.

                 +--------+--------+--------+
                 |   M4   |   M7   |   A8   |
+----------------+--------+--------+--------+
| ECDSA signing  |  +6.3% |  +7.9% |  +4.1% |
+----------------+--------+--------+--------+
| RSA signing    | +43.7% | +68.3% | +26.3% |
+----------------+--------+--------+--------+
| RSA encryption |  +3.4% |  +9.7% |  +3.6% |
+----------------+--------+--------+--------+
| RSA decryption | +43.0% | +67.8% | +22.8% |
+----------------+--------+--------+--------+

I ran the whole testsuite on the Cortex A8 Linux environment, and it
all passes.
2018-10-04 16:09:27 +02:00
Jaeden Amero 3725bb2d6d rsa: pss: Enable use of big hashes with small keys
It should be valid to RSASSA-PSS sign a SHA-512 hash with a 1024-bit or
1032-bit RSA key, but with the salt size being always equal to the hash
size, this isn't possible: the key is too small.

To enable use of hashes that are relatively large compared to the key
size, allow reducing the salt size to no less than the hash size minus 2
bytes. We don't allow salt sizes smaller than the hash size minus 2
bytes because that too significantly changes the security guarantees the
library provides compared to the previous implementation which always
used a salt size equal to the hash size. The new calculated salt size
remains compliant with FIPS 186-4.

We also need to update the "hash too large" test, since we now reduce
the salt size when certain key sizes are used. We used to not support
1024-bit keys with SHA-512, but now we support this by reducing the salt
size to 62. Update the "hash too large" test to use a 1016-bit RSA key
with SHA-512, which still has too large of a hash because we will not
reduce the salt size further than 2 bytes shorter than the hash size.

The RSA private key used for the test was generated using "openssl
genrsa 1016" using OpenSSL 1.1.1-pre8.

    $ openssl genrsa 1016
    Generating RSA private key, 1016 bit long modulus (2 primes)
    ..............++++++
    ....++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICVwIBAAKBgACu54dKTbLxUQBEQF2ynxTfDze7z2H8vMmUo9McqvhYp0zI8qQK
    yanOeqmgaA9iz52NS4JxFFM/2/hvFvyd/ly/hX2GE1UZpGEf/FnLdHOGFhmnjj7D
    FHFegEz/gtbzLp9X3fOQVjYpiDvTT0Do20EyCbFRzul9gXpdZcfaVHNLAgMBAAEC
    gYAAiWht2ksmnP01B2nF8tGV1RQghhUL90Hd4D/AWFJdX1C4O1qc07jRBd1KLDH0
    fH19WocLCImeSZooGCZn+jveTuaEH14w6I0EfnpKDcpWVAoIP6I8eSdAttrnTyTn
    Y7VgPrcobyq4WkCVCD/jLUbn97CneF7EHNspXGMTvorMeQJADjy2hF5SginhnPsk
    YR5oWawc6n01mStuLnloI8Uq/6A0AOQoMPkGl/CESZw+NYfe/BnnSeckM917cMKL
    DIKAtwJADEj55Frjj9tKUUO+N9eaEM1PH5eC7yakhIpESccs/XEsaDUIGHNjhctK
    mrbbWu+OlsVRA5z8yJFYIa7gae1mDQJABjtQ8JOQreTDGkFbZR84MbgCWClCIq89
    5R3DFZUiAw4OdS1o4ja+Shc+8DFxkWDNm6+C63g/Amy5sVuWHX2p9QI/a69Cxmns
    TxHoXm1w9Azublk7N7DgB26yqxlTfWJo+ysOFmLEk47g0ekoCwLPxkwXlYIEoad2
    JqPh418DwYExAkACcqrd9+rfxtrbCbTXHEizW7aHR+fVOr9lpXXDEZTlDJ57sRkS
    SpjXbAmylqQuKLqH8h/72RbiP36kEm5ptmw2
    -----END RSA PRIVATE KEY-----
2018-09-27 18:23:08 +01:00
Simon Butcher 3ad2efdc82 Remove Yotta support from the docs, tests and build scripts
Yotta is no longer supported by Mbed TLS, so has been removed. Specifically, the
following changes have been made:
 * references to yotta have been removed from the main readme and build
   instructions
 * the yotta module directory and build script has been removed
 * yotta has been removed from test scripts such as all.sh and check-names.sh
 * yotta has been removed from other files that that referenced it such as the
   doxyfile and the bn_mul.h header
 * yotta specific configurations and references have been removed from config.h
2018-09-26 17:55:09 +01:00
Janos Follath 7c025a9f50 Generalize dh_flag in mbedtls_mpi_gen_prime
Setting the dh_flag to 1 used to indicate that the caller requests safe
primes from mbedtls_mpi_gen_prime. We generalize the functionality to
make room for more flags in that parameter.
2018-09-21 16:30:07 +01:00
thomas-dee eba6c9bb50 changes requested by @hanno-arm
- renamed `mbedtls_asn1_write_any_string` to `mbedtls_asn1_write_tagged_string`
 - renamed `x509_at_oid_from_name` to `x509_attr_descr_from_name`
2018-09-19 09:10:37 +02:00
Ron Eldor 54a7c620bb Minor style changes
1. Rephrase error description.
2. fix alignment of error list.
2018-09-12 14:43:44 +03:00
Manuel Pégourié-Gonnard 5a481f1940 Update error.h count for SSL 2018-09-12 12:33:32 +02:00
Manuel Pégourié-Gonnard 12e4a8be2a Improve documentation wording and formatting 2018-09-12 10:58:26 +02:00
Manuel Pégourié-Gonnard 125af948c3 Merge branch 'development-restricted' into iotssl-1260-non-blocking-ecc-restricted
* development-restricted: (578 commits)
  Update library version number to 2.13.1
  Don't define _POSIX_C_SOURCE in header file
  Don't declare and define gmtime()-mutex on Windows platforms
  Correct preprocessor guards determining use of gmtime()
  Correct documentation of mbedtls_platform_gmtime_r()
  Correct typo in documentation of mbedtls_platform_gmtime_r()
  Correct POSIX version check to determine presence of gmtime_r()
  Improve documentation of mbedtls_platform_gmtime_r()
  platform_utils.{c/h} -> platform_util.{c/h}
  Don't include platform_time.h if !MBEDTLS_HAVE_TIME
  Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Replace 'thread safe' by 'thread-safe' in the documentation
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  ChangeLog: Add missing renamings gmtime -> gmtime_r
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  Minor documentation improvements
  Style: Add missing period in documentation in threading.h
  Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
  Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT
  ...
2018-09-11 12:39:14 +02:00
Simon Butcher 53546ea099 Update library version number to 2.13.1 2018-09-06 19:10:26 +01:00
Simon Butcher 5d40f67138 Merge remote-tracking branch 'public/pr/1927' into development-restricted 2018-09-06 16:24:48 +01:00
Hanno Becker d2ef25478e Don't define _POSIX_C_SOURCE in header file 2018-09-06 14:53:25 +01:00
Hanno Becker f5106d54eb Don't declare and define gmtime()-mutex on Windows platforms 2018-09-06 12:09:56 +01:00
Hanno Becker 323d8019bf Correct preprocessor guards determining use of gmtime()
The previous code erroneously used gmtime_r() to implement
mbedtls_platform_gmtime() in case of a non-windows, non-unix system.
2018-09-06 11:30:57 +01:00
Hanno Becker 03b2bd4a06 Correct documentation of mbedtls_platform_gmtime_r()
Previous documentation stated that gmtime_r() was from the standard library,
but it's POSIX.
2018-09-06 09:08:55 +01:00
Hanno Becker a50fed9910 Correct typo in documentation of mbedtls_platform_gmtime_r() 2018-09-06 09:08:39 +01:00
Hanno Becker 6f70581c4a Correct POSIX version check to determine presence of gmtime_r()
Recent versions of POSIX move gmtime_r to the base.
2018-09-06 09:06:33 +01:00
Hanno Becker c52ef407ba Improve documentation of mbedtls_platform_gmtime_r() 2018-09-05 16:36:31 +01:00
Hanno Becker 7dd82b4f51 platform_utils.{c/h} -> platform_util.{c/h} 2018-09-05 16:26:04 +01:00
Hanno Becker 5a7fe14590 Don't include platform_time.h if !MBEDTLS_HAVE_TIME
platform_time.h includes time.h, which is not assumed to be present
on a system where MBEDTLS_HAVE_TIME is not defined.
2018-09-05 16:24:44 +01:00
Hanno Becker 9fbbf1c1f0 Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT 2018-09-05 16:23:02 +01:00
Hanno Becker c9468885a8 Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT 2018-09-05 16:22:10 +01:00
Hanno Becker 921b76d056 Replace 'thread safe' by 'thread-safe' in the documentation 2018-09-05 16:21:36 +01:00
Hanno Becker 9a51d01984 Improve documentation of MBEDTLS_HAVE_TIME_DATE 2018-09-05 16:20:09 +01:00
Hanno Becker 4e67cca1d9 Improve documentation of MBEDTLS_HAVE_TIME_DATE 2018-09-05 16:18:38 +01:00
Hanno Becker 48a816ff26 Minor documentation improvements 2018-09-05 15:22:22 +01:00
Hanno Becker 651d586ccf Style: Add missing period in documentation in threading.h 2018-09-05 15:17:43 +01:00
Hanno Becker 6a739789f3 Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
For consistency, also rename MBEDTLS_PLATFORM_GMTIME_ALT to
MBEDTLS_PLATFORM_GMTIME_R_ALT.
2018-09-05 15:06:19 +01:00
Hanno Becker be2e4bddd5 Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT 2018-09-05 14:44:31 +01:00
Hanno Becker 5f95c798a3 Remove another mentioning of IAR from config.h 2018-09-05 14:36:36 +01:00
Hanno Becker 272675f4c6 Correct documentation of mbedtls_platform_gmtime() 2018-09-05 14:03:02 +01:00
Hanno Becker cfeb70c6b9 gmtime: Remove special treatment for IAR
Previous commits attempted to use `gmtime_s()` for IAR systems; however,
this attempt depends on the use of C11 extensions which lead to incompatibility
with other pieces of the library, such as the use of `memset()` which is
being deprecated in favor of `memset_s()` in C11.
2018-09-05 13:52:46 +01:00
Andres Amaya Garcia 94b540ac63 Avoid redefining _POSIX_C_SOURCE 2018-09-05 12:27:32 +01:00
Andres Amaya Garcia 45e30201a4 Document that IAR gmtime_s() is auto selected 2018-09-05 12:05:59 +01:00
Andres Amaya Garcia 433f911e59 Check for IAR in gmtime macros 2018-09-05 12:01:57 +01:00
Andres Amaya Garcia e58088edb9 Clarify docs for MBEDTLS_HAVE_TIME_DATE 2018-09-05 11:55:49 +01:00
Andres Amaya Garcia 193fe893a6 Add missing _POSIX_C_SOURCE define in threading.h 2018-09-05 11:47:33 +01:00
Andres Amaya Garcia ca04a01bb8 Document shorthand gmtime macros 2018-09-05 11:43:57 +01:00
Andres Amaya Garcia c2f948b6c6 Fix grammar in docs for MBEDTLS_HAVE_TIME_DATE 2018-09-05 11:21:44 +01:00
Nir Sonnenschein 43e4ff0377 Make definitions easier to understand
1. removed if !defined to make things clearer
2. changed comments respectively
2018-09-03 14:59:12 +03:00
Nir Sonnenschein 521e8a9d2d Fix to comment to correct module description
the CTR-DRBG module will now support AES-128 as well as AES-256
2018-09-03 14:10:52 +03:00
Simon Butcher 4d075cd7d0 Update library version number to 2.13.0 2018-08-31 15:59:10 +01:00
Simon Butcher 552754a6ee Merge remote-tracking branch 'public/pr/1988' into development 2018-08-30 00:57:28 +01:00
Simon Butcher 68dbc94720 Merge remote-tracking branch 'public/pr/1951' into development 2018-08-30 00:56:56 +01:00
Simon Butcher 07de4c0035 Merge remote-tracking branch 'public/pr/1920' into development 2018-08-30 00:56:08 +01:00
Ron Eldor b0ad581526 Remove the invalid input for platform module
Remove the invalid input for the platform module,
as it's not currently used in the Mbed OS platform setup \
termination code.
2018-08-29 19:06:14 +03:00
Ron Eldor 0ff4e0b824 Add platform error codes
Add error codes for the platform module, to be used by
the setup \ terminate API.
2018-08-29 18:53:20 +03:00
Nir Sonnenschein b7ebbcaa2c compile time warning of 128bit ctr_drbg keys and standardized warnings
a compile time print was added warning in case of 128bit ctr_drbg keys.
This was don't to avoid an actual warning in these cases
(making build with warnings as errors possible).
Additional warnings on the Changelog/headers were set to use the same phrasing
phrasing was approved by Gilles and Janos.
2018-08-29 10:20:12 +03:00
Nir Sonnenschein ce266e4ca2 use single define for 128bit key for ctr_drbg and update test dependencies
the change is designed to make configuring 128bit keys for ctr_drbg more similar to other configuration options. Tests have been updated accordingly.
also clarified test naming.
2018-08-29 10:11:46 +03:00
Hanno Becker 97a1c134b2 Correct typo in documentation of MBEDTLS_SSL_DTLS_MAX_BUFFERING 2018-08-28 14:42:15 +01:00
Hanno Becker eefe084f72 Style: Spell out PMTU in ssl.h 2018-08-28 10:29:17 +01:00
Hanno Becker bc2498a9ff Style: Add numerous comments indicating condition guarded by #endif 2018-08-28 10:13:29 +01:00
Hanno Becker 280075104e DTLS Reordering: Improve doc of MBEDTLS_SSL_DTLS_MAX_BUFFERING 2018-08-28 09:46:44 +01:00
Hanno Becker 159a37f75d config.h: Don't use arithmetical exp for SSL_DTLS_MAX_BUFFERING
The functions requires_config_value_at_least and requires_config_value_at_most
only work with numerical constants.
2018-08-24 15:07:29 +01:00
Hanno Becker 0e96585bdd Merge branch 'datagram_packing' into message_reordering 2018-08-24 12:16:41 +01:00
Hanno Becker eb57008d7d Fix typo in documentation of mbedtls_ssl_set_datagram_packing() 2018-08-24 11:28:35 +01:00
Hanno Becker 1841b0a11c Rename ssl_conf_datagram_packing() to ssl_set_datagram_packing()
The naming convention is that functions of the form mbedtls_ssl_conf_xxx()
apply to the SSL configuration.
2018-08-24 11:13:57 +01:00
Hanno Becker 98081a09e6 Don't use uint8_t for bitfields
Fixing a build failure using armcc.
2018-08-22 13:32:50 +01:00
Hanno Becker 3546201dbc Merge branch 'datagram_packing' into message_reordering 2018-08-22 10:25:40 +01:00
Hanno Becker a67dee256d Merge branch 'iotssl-2402-basic-pmtu-adaptation' into datagram_packing 2018-08-22 10:06:38 +01:00
Manuel Pégourié-Gonnard f47a4afea3 Fix a typo in comments 2018-08-22 10:50:30 +02:00
Manuel Pégourié-Gonnard b8eec192f6 Implement PMTU auto-reduction in handshake 2018-08-22 10:50:30 +02:00
Hanno Becker 170e2d89da Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-22 09:44:54 +01:00
Manuel Pégourié-Gonnard 68ae351dbe Fix some whitespace in documentation 2018-08-22 10:32:20 +02:00
Andres Amaya Garcia c99b12b158 Fix documentation for MBEDTLS_HAVE_DATE_TIME 2018-08-21 19:32:44 +01:00
Hanno Becker 903ee3d363 Merge branch 'datagram_packing' into message_reordering 2018-08-21 17:24:17 +01:00
Hanno Becker e0b150f96b Allow limiting the total amount of heap allocations for buffering
This commit introduces a compile time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING
to mbedtls/config.h which allows the user to control the cumulative size of
all heap buffer allocated for the purpose of reassembling and buffering
handshake messages.

It is put to use by introducing a new field `total_bytes_buffered` to
the buffering substructure of `mbedtls_ssl_handshake_params` that keeps
track of the total size of heap allocated buffers for the purpose of
reassembly and buffering at any time. It is increased whenever a handshake
message is buffered or prepared for reassembly, and decreased when a
buffered or fully reassembled message is copied into the input buffer
and passed to the handshake logic layer.

This commit does not yet include future epoch record buffering into
account; this will be done in a subsequent commit.

Also, it is now conceivable that the reassembly of the next expected
handshake message fails because too much buffering space has already
been used up for future messages. This case currently leads to an
error, but instead, the stack should get rid of buffered messages
to be able to buffer the next one. This will need to be implemented
in one of the next commits.
2018-08-21 16:11:04 +01:00
Nir Sonnenschein 954f9879e9 change warning about 128bit keys to print
change was made because an actual warning may break CI or
customers that compile using warnings as errors.
2018-08-21 17:53:49 +03:00
Nir Sonnenschein eb73f7ab6f fix trailing white spaces 2018-08-21 17:53:43 +03:00
Nir Sonnenschein 604e60d915 add default value for CTR DRBG key size 2018-08-21 17:19:12 +03:00
Nir Sonnenschein a4588d4927 enable the use of variable size keys in ctr_drbg (was hard-coded 256bit before) 2018-08-21 17:19:04 +03:00
Manuel Pégourié-Gonnard 661103595e Try to further clarify documentation 2018-08-21 11:55:40 +02:00
Manuel Pégourié-Gonnard f2f1d40d6d Improve wording in ChangeLog and documentation 2018-08-21 09:53:22 +02:00
Hanno Becker 6aeaa05a95 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-20 12:53:37 +01:00
Manuel Pégourié-Gonnard 050dd6ad35 Improve documentation of ssl_set_mtu(). 2018-08-20 11:16:40 +02:00
Manuel Pégourié-Gonnard 065a2a3472 Fix some typos and links in comments and doc 2018-08-20 11:09:26 +02:00
Hanno Becker 3a0aad1c9d Rename update_digest to update_hs_digest 2018-08-20 09:44:02 +01:00
Manuel Pégourié-Gonnard 6e7aaca146 Move MTU setting to SSL context, not config
This setting belongs to the individual connection, not to a configuration
shared by many connections. (If a default value is desired, that can be handled
by the application code that calls mbedtls_ssl_set_mtu().)

There are at least two ways in which this matters:
- per-connection settings can be adjusted if MTU estimates become available
  during the lifetime of the connection
- it is at least conceivable that a server might recognize restricted clients
  based on range of IPs and immediately set a lower MTU for them. This is much
easier to do with a per-connection setting than by maintaining multiple
near-duplicated ssl_config objects that differ only by the MTU setting.
2018-08-20 10:37:23 +02:00
Hanno Becker d488b9e490 Increase maximum number of buffered handshake messages 2018-08-17 16:52:08 +01:00
Hanno Becker 5f066e7aac Implement future record buffering
This commit implements the buffering of a record from the next epoch.

- The buffering substructure of mbedtls_ssl_handshake_params
  gets another field to hold a raw record (incl. header) from
  a future epoch.
- If ssl_parse_record_header() sees a record from the next epoch,
  it signals that it might be suitable for buffering by returning
  MBEDTLS_ERR_SSL_EARLY_MESSAGE.
- If ssl_get_next_record() finds this error code, it passes control
  to ssl_buffer_future_record() which may or may not decide to buffer
  the record; it does so if
  - a handshake is in progress,
  - the record is a handshake record
  - no record has already been buffered.
  If these conditions are met, the record is backed up in the
  aforementioned buffering substructure.
- If the current datagram is fully processed, ssl_load_buffered_record()
  is called to check if a record has been buffered, and if yes,
  if by now the its epoch is the current one; if yes, it copies
  the record into the (empty! otherwise, ssl_load_buffered_record()
  wouldn't have been called) input buffer.
2018-08-17 16:52:08 +01:00
Hanno Becker 6d97ef5a03 Use uniform treatment for future messages and proper HS fragments
This commit returns the error code MBEDTLS_ERR_SSL_EARLY_MESSAGE
for proper handshake fragments, forwarding their treatment to
the buffering function ssl_buffer_message(); currently, though,
this function does not yet buffer or reassembly HS messages, so:

! This commit temporarily disables support for handshake reassembly !
2018-08-17 16:52:08 +01:00
Hanno Becker 0271f967d6 Introduce buffering structure for handshake messages
This commit introduces, but does not yet put to use, a sub-structure
of mbedtls_ssl_handshake_params::buffering that will be used for the
buffering and/or reassembly of handshake messages with handshake
sequence numbers that are greater or equal to the next expected
sequence number.
2018-08-17 16:52:08 +01:00
Hanno Becker d7f8ae2508 Introduce sub-structure of ssl_handshake_params for buffering
This commit introduces a sub-structure `buffering` within
mbedtls_ssl_handshake_params that shall contain all data
related to the reassembly and/or buffering of handshake
messages.

Currently, only buffering of CCS messages is implemented,
so the only member of this struct is the previously introduced
`seen_ccs` field.
2018-08-17 16:52:08 +01:00
Hanno Becker 2ed6bcc793 Implement support for remembering CCS messages
This commit implements support for remembering out-of-order
CCS messages. Specifically, a flag is set whenever a CCS message
is read which remains until the end of a flight, and when a
CCS message is expected and a CCS message has been seen in the
current flight, a synthesized CCS record is created.
2018-08-17 16:52:08 +01:00
Hanno Becker 40f50848fa Add frame for loading and storing buffered messages
This commit introduces the frame for saving and loading
buffered messages within message reading function
mbedtls_ssl_read_record().
2018-08-17 16:52:08 +01:00
Hanno Becker 4162b11eb4 Make mbedtls_ssl_read_record_layer() static
This function was previously global because it was
used directly within ssl_parse_certificate_verify()
in library/ssl_srv.c. The previous commit removed
this dependency, replacing the call by a call to
the global parent function mbedtls_ssl_read_record().
This renders mbedtls_ssl_read_record_layer() internal
and therefore allows to make it static, and accordingly
rename it as ssl_read_record_layer().
2018-08-17 16:52:08 +01:00
Hanno Becker 327c93b182 Add parameter to ssl_read_record() controlling checksum update
Previously, mbedtls_ssl_read_record() always updated the handshake
checksum in case a handshake record was received. While desirable
most of the time, for the CertificateVerify message the checksum
update must only happen after the message has been fully processed,
because the validation requires the handshake digest up to but
excluding the CertificateVerify itself. As a remedy, the bulk
of mbedtls_ssl_read_record() was previously duplicated within
ssl_parse_certificate_verify(), hardening maintenance in case
mbedtls_ssl_read_record() is subject to changes.

This commit adds a boolean parameter to mbedtls_ssl_read_record()
indicating whether the checksum should be updated in case of a
handshake message or not. This allows using it also for
ssl_parse_certificate_verify(), manually updating the checksum
after the message has been processed.
2018-08-17 16:52:08 +01:00
Hanno Becker 04da189225 Make datagram packing dynamically configurable
This commit adds a public function

   `mbedtls_ssl_conf_datagram_packing()`

that allows to allow / forbid the packing of multiple
records within a single datagram.
2018-08-17 15:45:25 +01:00
Hanno Becker 67bc7c3a38 Don't immediately flush datagram after preparing a record
This commit finally enables datagram packing by modifying the
record preparation function ssl_write_record() to not always
calling mbedtls_ssl_flush_output().
2018-08-17 15:44:09 +01:00
Hanno Becker 198594709b Store outgoing record sequence number outside record buffer
This commit is another step towards supporting the packing of
multiple records within a single datagram.

Previously, the incremental outgoing record sequence number was
statically stored within the record buffer, at its final place
within the record header. This slightly increased efficiency
as it was not necessary to copy the sequence number when writing
outgoing records.

When allowing multiple records within a single datagram, it is
necessary to allow the position of the current record within the
datagram buffer to be flexible; in particular, there is no static
address for the record sequence number field within the record header.

This commit introduces an additional field `cur_out_ctr` within
the main SSL context structure `mbedtls_ssl_context` to keep track
of the outgoing record sequence number independent of the buffer used
for the current record / datagram. Whenever a new record is written,
this sequence number is copied to the the address `out_ctr` of the
sequence number header field within the current outgoing record.
2018-08-17 15:40:35 +01:00
Andres Amaya Garcia 1abb368b87 Make gmtime() configurable at compile-time 2018-08-16 21:42:09 +01:00
Manuel Pégourié-Gonnard 7e89c17788 Fix two typos in comments 2018-08-16 10:01:47 +02:00