Commit graph

7291 commits

Author SHA1 Message Date
Hanno Becker 1c9a24ce8c Disable datagram packing for various UDP proxy tests
The UDP proxy does currently not dissect datagrams into records,
an hence the coverage of the reordering, package loss and duplication
tests is much smaller if datagram packing is in use.

This commit disables datagram packing for most UDP proxy tests,
in particular all 3D (drop, duplicate, delay) tests.
2018-08-17 15:51:21 +01:00
Hanno Becker c4305238b5 Re-enable delayed CCS test
Now that datagram packing can be dynamically configured,
the test exercising the behavior of Mbed TLS when facing
an out-of-order CCS message can be re-introduced, disabling
datagram packing for the sender of the delayed CCS.
2018-08-17 15:45:45 +01:00
Hanno Becker 4d61591c0c Add cmd line option to ssl_client2 for datagram packing
This commit adds a new command line option `dgram_packing`
to the example server application programs/ssl/ssl_client2
allowing to allow/forbid the use of datagram packing.
2018-08-17 15:45:40 +01:00
Hanno Becker e7675d0d3d Add cmd line option to ssl_server2 for datagram packing
This commit adds a new command line option `dgram_packing`
to the example server application programs/ssl/ssl_server2
allowing to allow/forbid the use of datagram packing.
2018-08-17 15:45:33 +01:00
Hanno Becker 04da189225 Make datagram packing dynamically configurable
This commit adds a public function

   `mbedtls_ssl_conf_datagram_packing()`

that allows to allow / forbid the packing of multiple
records within a single datagram.
2018-08-17 15:45:25 +01:00
Hanno Becker 12405e76b5 Increase max_frag_len / MTU in fragmentation ref tests
The tests "DTLS fragmenting: none (for reference)" and
"DTLS fragmenting: none (for reference) (MTU)" used a
maximum fragment length resp. MTU value of 2048 which
was meant to be large enough so that fragmentation
of the certificate message would not be necessary.
However, it is not large enough to hold the entire flight
to which the certificate belongs, and hence there will
be fragmentation as soon as datagram packing is used.

This commit increases the maximum fragment length resp.
MTU values to 4096 bytes to ensure that even with datagram
packing in place, no fragmentation is necessary.

A similar change was made in "DTLS fragmenting: client (MTU)".
2018-08-17 15:45:19 +01:00
Hanno Becker 7e7721350b Fix unused variable warning in ssl_session_reset_int()
The `partial` argument is only used when DTLS and same port
client reconnect are enabled. This commit marks the variable
as unused if that's not the case.
2018-08-17 15:45:10 +01:00
Hanno Becker 0defedb488 Fix unused variable warning in mbedtls_ssl_get_max_record_payload
If neither the maximum fragment length extension nor DTLS
are used, the SSL context argument is unnecessary as the
maximum payload length is hardcoded as MBEDTLS_SSL_MAX_CONTENT_LEN.
2018-08-17 15:45:05 +01:00
Hanno Becker f29d4702f7 Reset in/out pointers on SSL session reset
If a previous session was interrupted during flushing, the out
pointers might point arbitrarily into the output buffer.
2018-08-17 15:44:57 +01:00
Hanno Becker 4ccbf064ed Minor improvements in ssl_session_reset_int() 2018-08-17 15:44:53 +01:00
Hanno Becker 2a43f6f539 Introduce function to reset in/out pointers 2018-08-17 15:44:43 +01:00
Hanno Becker 111fa497aa TEST-ONLY: Remove delayed CCS test
The test exercising a delayed CCS message is not
expected to work when datagram packing is used,
as the current UDP proxy is not able to recognize
records which are not at the beginning of a
datagram.
2018-08-17 15:44:37 +01:00
Hanno Becker b50a253a87 Move size check for records 2018-08-17 15:44:26 +01:00
Hanno Becker 67bc7c3a38 Don't immediately flush datagram after preparing a record
This commit finally enables datagram packing by modifying the
record preparation function ssl_write_record() to not always
calling mbedtls_ssl_flush_output().
2018-08-17 15:44:09 +01:00
Hanno Becker 2b1e354754 Increase record buffer pointer after preparing a record
The packing of multiple records within a single datagram works
by increasing the pointer `out_hdr` (pointing to the beginning
of the next outgoing record) within the datagram buffer, as
long as space is available and no flush was mandatory.

This commit does not yet change the code's behavior of always
flushing after preparing a record, but it introduces the logic
of increasing `out_hdr` after preparing the record, and resetting
it after the flush has been completed.
2018-08-17 15:41:02 +01:00
Hanno Becker 3b235902b8 Log calls to ssl_flight_append() in debugging output 2018-08-17 15:40:55 +01:00
Hanno Becker 04484621d0 Increment record sequence number in ssl_write_record()
Previously, the record sequence number was incremented at the
end of each successful call to mbedtls_ssl_flush_output(),
which works as long as there is precisely one such call for
each outgoing record.

When packing multiple records into a single datagram, this
property is no longer true, and instead the increment of the
record sequence number must happen after the record has been
prepared, and not after it has been dispatched.

This commit moves the code for incrementing the record sequence
number from mbedtls_ssl_flush_output() to ssl_write_record().
2018-08-17 15:40:52 +01:00
Hanno Becker 198594709b Store outgoing record sequence number outside record buffer
This commit is another step towards supporting the packing of
multiple records within a single datagram.

Previously, the incremental outgoing record sequence number was
statically stored within the record buffer, at its final place
within the record header. This slightly increased efficiency
as it was not necessary to copy the sequence number when writing
outgoing records.

When allowing multiple records within a single datagram, it is
necessary to allow the position of the current record within the
datagram buffer to be flexible; in particular, there is no static
address for the record sequence number field within the record header.

This commit introduces an additional field `cur_out_ctr` within
the main SSL context structure `mbedtls_ssl_context` to keep track
of the outgoing record sequence number independent of the buffer used
for the current record / datagram. Whenever a new record is written,
this sequence number is copied to the the address `out_ctr` of the
sequence number header field within the current outgoing record.
2018-08-17 15:40:35 +01:00
Hanno Becker 5aa4e2cedd Move deduction of internal record buffer pointers to function
The SSL/TLS module maintains a number of internally used pointers
`out_hdr`, `out_len`, `out_iv`, ..., indicating where to write the
various parts of the record header.

These pointers have to be kept in sync and sometimes need update:
Most notably, the `out_msg` pointer should always point to the
beginning of the record payload, and its offset from the pointer
`out_iv` pointing to the end of the record header is determined
by the length of the explicit IV used in the current record
protection mechanism.

This commit introduces functions deducing these pointers from
the pointers `out_hdr` / `in_hdr` to the beginning of the header
of the current outgoing / incoming record.

The flexibility gained by these functions will subsequently
be used to allow shifting of `out_hdr` for the purpose of
packing multiple records into a single datagram.
2018-08-17 15:40:24 +01:00
Manuel Pégourié-Gonnard 38110dfc0e Add interop test with unreliable connection
Adds a requirement for GNUTLS_NEXT (3.5.3 or above, in practice we should
install 3.6.3) on the CI.

See internal ref IOTSSL-2401 for analysis of the bugs and their impact on the
tests.
2018-08-17 12:44:54 +02:00
Manuel Pégourié-Gonnard 0794d49566 Skip some tests with valgrind (spurious resend) 2018-08-17 10:54:24 +02:00
Manuel Pégourié-Gonnard 1218bc0f74 Add simple interop tests (reliable connection) 2018-08-17 10:51:26 +02:00
Manuel Pégourié-Gonnard 3879fdfece Merge remote-tracking branch 'public/pr/1955' into iotssl-165-dtls-hs-fragmentation-new
* public/pr/1955:
  Adapt ChangeLog
  Fix overly strict bounds check in ssl_parse_certificate_request()
2018-08-17 10:49:47 +02:00
Hanno Becker ad0fe92fb6 Adapt ChangeLog 2018-08-16 15:52:22 +01:00
Hanno Becker ad17fe9c37 Fix overly strict bounds check in ssl_parse_certificate_request() 2018-08-16 15:51:34 +01:00
Manuel Pégourié-Gonnard 2d56f0d346 Add test with unreliable connection 2018-08-16 11:09:03 +02:00
Manuel Pégourié-Gonnard 19c62f90e4 Add test for session resumption 2018-08-16 10:50:39 +02:00
Manuel Pégourié-Gonnard 7e89c17788 Fix two typos in comments 2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard 72c2707d9c Add tests for MTU with renegotiation
This exercises our computation of record expansion.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard b747c6cf9b Add basic first tests for MTU setting
For now, just check that it causes us to fragment. More tests are coming in
follow-up commits to ensure we respect the exact value set, including when
renegotiating.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard 637e234d9f Merge remote-tracking branch 'public/pr/1915' into iotssl-165-dtls-hs-fragmentation-new
* public/pr/1915:
  Adapt ChangeLog
  Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC
2018-08-16 10:01:21 +02:00
Manuel Pégourié-Gonnard 9468ff1966 Implement support for MTU setting 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 0b1d9b2c75 Declare ssl_conf_mtu() 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 01ec4af023 Add ChangeLog entry 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 2cb17e201b Make handshake fragmentation follow max_frag_len
Note: no interop tests in ssl-opt.sh for now, as some of them make us run into
bugs in (the CI's default versions of) OpenSSL and GnuTLS, so interop tests
will be added later once the situation is clarified. <- TODO
2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 28f4beab1c Start implementing fragmentation 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 87a346f64e Always save flight first, (re)send later
This will allow fragmentation to always happen in the same place, always from
a buffer distinct from ssl->out_msg, and with the same way of resuming after
returning WANT_WRITE
2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 9c3a8caa92 Clarify code a bit in write_handshake_msg()
- take advantage of the fact that we're only called for first send
- put all sanity checks at the top
- rename and constify shortcut variables
- improve comments
2018-08-16 10:00:35 +02:00
Manuel Pégourié-Gonnard 31c1586893 Start separating handshake from record writing 2018-08-16 10:00:27 +02:00
Hanno Becker 9dc3be7601 Improve wording in ChangeLog 2018-08-14 15:22:05 +01:00
Hanno Becker 361f254eab Adapt ChangeLog 2018-08-13 16:36:58 +01:00
Hanno Becker 7864090ec1 Reset session_in/out pointers in ssl_session_reset_int()
Fixes #1941.
2018-08-13 16:35:15 +01:00
Jaeden Amero d8f41698d2 Merge remote-tracking branch 'upstream-public/pr/1598' into development
Add a Changelog entry
2018-08-10 11:23:15 +01:00
Jaeden Amero 03bd4847b3 Merge remote-tracking branch 'upstream-public/pr/1861' into development
Add Changelog entry
2018-08-10 11:17:14 +01:00
Jaeden Amero cac0c1a250 Merge remote-tracking branch 'upstream-public/pr/1378' into development 2018-08-10 10:59:53 +01:00
Jaeden Amero 603aee0c46 Merge remote-tracking branch 'upstream-public/pr/1816' into development 2018-08-10 10:56:48 +01:00
Jaeden Amero 372b50b252 Add a ChangeLog entry for #1816 2018-08-10 10:56:31 +01:00
Jaeden Amero f48163a960 Merge remote-tracking branch 'upstream-public/pr/1834' into development 2018-08-10 10:49:10 +01:00
Hanno Becker 448146407f Adapt ChangeLog 2018-08-03 10:07:39 +01:00
Hanno Becker 5b559ac7ab Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

It had the following two bugs:
(1) It did not consider the new ChaChaPoly ciphersuites, returning
    the error code #MBEDTLS_ERR_SSL_INTERNAL_ERROR in this case.
(2) It did not correctly estimate the maximum record expansion in case
    of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
    case the ciphertext is prefixed by an explicit IV.

This commit fixes both bugs.
2018-08-03 10:07:35 +01:00