Commit graph

4601 commits

Author SHA1 Message Date
Simon Butcher feb1cee36e Merge remote-tracking branch 'origin/pr/602' into baremetal 2019-07-15 19:24:11 +01:00
Hanno Becker 7decea9ea9 Simplify supported EC extension writing code
The previous code writes the content (the EC curve list) of the extension
before writing the extension length field at the beginning, which is common
in the library in places where we don't know the length upfront. Here,
however, we do traverse the EC curve list upfront to infer its length
and do the bounds check, so we can reorder the code to write the extension
linearly and hence improve readability.
2019-07-12 15:25:03 +01:00
Hanno Becker c1096e7514 Allow hardcoding single supported elliptic curve
This commit introduces the option MBEDTLS_SSL_CONF_SINGLE_EC
which can be used to register a single supported elliptic curve
at compile time. It replaces the runtime configuration API
mbedtls_ssl_conf_curves() which allows to register a _list_
of supported elliptic curves.

In contrast to other options used to hardcode configuration options,
MBEDTLS_SSL_CONF_SINGLE_EC isn't a numeric option, but instead it's
only relevant if it's defined or not. To actually set the single
elliptic curve that should be supported, numeric options

MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID
MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID

must both be defined and provide the TLS ID and the Mbed TLS internal
ID and the chosen curve, respectively.
2019-07-12 15:25:03 +01:00
Hanno Becker ee24f8cecb Remove unnecessary check for presence of supported EC list
For both client/server the EC curve list is assumed not to be NULL:

- On the client-side, it's assumed when writing the
  supported elliptic curve extension:

    c54ee936d7/library/ssl_cli.c (L316)

- On the server, it is assumed when searching for a
  suitable curve for the ECDHE exchange:

    c54ee936d7/library/ssl_srv.c (L3200)

It is therefore not necessary to check this in mbedtls_ssl_check_curve().
2019-07-12 15:25:03 +01:00
Hanno Becker a4a9c696c1 Introduce helper macro for traversal of supported EC TLS IDs 2019-07-12 15:25:03 +01:00
Hanno Becker 80855881ec Remove unnecessary guards in client-side EC curve extension writing
ssl_write_supported_elliptic_curves_ext() is guarded by

```
    #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
       defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
```

each of which implies (by check_config.h) that MBEDTLS_ECP_C
is enabled.
2019-07-12 15:25:03 +01:00
Hanno Becker 84fb902ea5 Work on client-provided supported EC TLS ID list in-place 2019-07-12 15:25:01 +01:00
Hanno Becker 004619fa25 Store TLS curve ID instead of information structure
This will reduce the number of grp ID <-> tls ID <-> curve info structs
conversions once a single EC can be hardcoded through its TLS ID.
2019-07-12 15:19:43 +01:00
Hanno Becker 33b9b25a48 Remove SSL version configuration API if versions are hardcoded 2019-07-12 15:15:08 +01:00
Hanno Becker 0a92b8156d Remove mbedtls_ssl_transform::minor_ver if the version is hardcoded 2019-07-12 15:15:08 +01:00
Hanno Becker 18729aeaac Guard RSA-only max_major/minor_ver fields from SSL handshake params
The fields
- mbedtls_ssl_handshake_params::max_major_ver,
- mbedtls_ssl_handshake_params::max_minor_ver
are used only for server-side RSA-based key exchanges
can be removed otherwise.
2019-07-12 15:15:07 +01:00
Hanno Becker 7b628e5b88 Make mbedtls_ssl_read/write_version static inline
Reasons:
- If the transport type is fixed at compile-time,
  mbedtls_ssl_read_version() and mbedtls_ssl_write_version()
  are called with a compile-time determined `transport`
  parameter, so the transport-type branch in their body
  can be eliminated at compile-time.
- mbedtls_ssl_read_version() is called with addresses of
  local variables, which so far need to be put on the stack
  to be addressable. Inlining the call allows to read directly
  into the registers holding these local variables.

This saves 60 bytes w.r.t. the measurement performed by

> ./scripts/baremetal.sh --rom --gcc
2019-07-12 15:15:07 +01:00
Hanno Becker 381eaa5976 Remove min/maj version from SSL context if only one version enabled
If the minor/major version is enforced at compile-time, the `major_ver`
and `minor_ver` fields in `mbedtls_ssl_context` are redundant and can
be removed.
2019-07-12 15:15:07 +01:00
Hanno Becker 2881d80138 Introduce getter function for max/min SSL version
This is a first step towards hardcoding ssl->{major|minor}_ver
in configurations which accept only a single version.
2019-07-12 15:15:06 +01:00
Hanno Becker 3fa1ee567c Set SSL minor version only after validation 2019-07-12 15:14:53 +01:00
Hanno Becker e965bd397e Allow hardcoding of min/max minor/major SSL version at compile-time
This commit introduces the numeric compile-time constants

- MBEDTLS_SSL_CONF_MIN_MINOR_VER
- MBEDTLS_SSL_CONF_MAX_MINOR_VER
- MBEDTLS_SSL_CONF_MIN_MAJOR_VER
- MBEDTLS_SSL_CONF_MAX_MAJOR_VER

which, when defined, overwrite the runtime configurable fields
mbedtls_ssl_config::min_major_ver etc. in the SSL configuration.

As for the preceding case of the ExtendedMasterSecret configuration,
it also introduces and puts to use getter functions for these variables
which evaluate to either a field access or the macro value, maintaining
readability of the code.

The runtime configuration API mbedtls_ssl_conf_{min|max}_version()
is kept for now but has no effect if MBEDTLS_SSL_CONF_XXX are set.
This is likely to be changed in a later commit but deliberately omitted
for now, in order to be able to study code-size benefits earlier in the
process.
2019-07-12 15:14:51 +01:00
Simon Butcher fabfb8578a Merge remote-tracking branch 'origin/pr/603' into baremetal 2019-07-10 15:40:32 +01:00
Simon Butcher 133294eb4a Merge remote-tracking branch 'origin/mbedtls-2.16' into baremetal 2019-07-10 11:38:01 +01:00
Hanno Becker 14a4a44e60 Remove mbedtls_ssl_conf_dbg() if !MBEDTLS_DEBUG_C 2019-07-08 11:32:50 +01:00
Hanno Becker 272063abfd Don't store debug func ptr cb + ctx in SSL config if !DEBUG_C
Note: This is an structure-API breaking change that we might
      not be able to upstream.
2019-07-08 11:32:10 +01:00
Hanno Becker 779d79dcd7 Restore static inline qualif'n of some helpers in ssl_ciphersuites.h 2019-07-08 11:23:25 +01:00
Hanno Becker a1552ac37c Use "unknown" instead of NULL as name of unknown ciphersuite 2019-07-08 11:23:25 +01:00
Hanno Becker 9b3ec12863 Add missing spaces at the end of comments 2019-07-08 11:23:24 +01:00
Hanno Becker f4d6b49352 Allow use of continue in single-ciphersuite 'loops' 2019-07-08 11:23:24 +01:00
Hanno Becker 67fb16e59d Make ciphersuite helpers static inline if only one suite enabled
This commit restructures ssl_ciphersuites.h and ssl_ciphersuites.c to
define all ciphersuite helper functions static inline in ssl_ciphersuites.h
if MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE is set, and to otherwise put their
definitions in ssl_ciphersuites.c.
2019-07-08 11:23:24 +01:00
Hanno Becker 73f4cb126d Rename XXX_SINGLE_CIPHERSUITE -> XXX_CONF_SINGLE_CIPHERSUITE
This is in line with the other configurations options used
to hardcoded aspects of the SSL configuration.
2019-07-08 11:23:24 +01:00
Hanno Becker e02758c9c8 Remove ciphersuite from SSL session if single suite hardcoded
If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type

  mbedtls_ssl_ciphersuite_handle_t

is logically a boolean (concretely realized as `unsigned char`),
containing the invalid handle and the unique valid handle, which
represents the single enabled ciphersuite.

The SSL session structure mbedtls_ssl_session contains an instance
of mbedtls_ssl_ciphersuite_handle_t which is guaranteed to be valid,
and which is hence redundant in any two-valued implementation of
mbedtls_ssl_ciphersuite_handle_t.

This commit replaces read-uses of

  mbedtls_ssl_session::ciphersuite_info

by a getter functions which, and defines this getter function
either by just reading the field from the session structure
(in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by
returning the single valid ciphersuite handle (in case
MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the
field from mbedtls_ssl_session in this case.
2019-07-08 11:23:24 +01:00
Hanno Becker 6ace4657b6 Remove ciphersuite from SSL config if single suite hardcoded
If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, it overwrites
the runtime configuration of supported ciphersuites, which
includes both the configuration API and the fields which are
used to store the configuration. Both are therefore no longer
needed and should be removed for the benefit of code-size,
memory usage, and API clarity (no accidental hiccup of runtime
vs. compile-time configuration possible).

The configuration API mbedtls_ssl_conf_ciphersuites() has
already been removed in case MBEDTLS_SSL_SINGLE_CIPHERSUITE,
and this commit removes the field

  mbedtls_ssl_config::ciphersuite_list

which it updates.
2019-07-08 11:23:24 +01:00
Hanno Becker df64596733 Remove ciphersuite from handshake params if single suite hardcoded
If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type

  mbedtls_ssl_ciphersuite_handle_t

is logically a boolean (concretely realized as `unsigned char`),
containing the invalid handle and the unique valid handle, which
represents the single enabled ciphersuite.

The SSL handshake structure mbedtls_ssl_handshake_params contains
an instance of mbedtls_ssl_ciphersuite_handle_t which is guaranteed
to be valid, and which is hence redundant in any two-valued
implementation of mbedtls_ssl_ciphersuite_handle_t.

This commit replaces read-uses of

  mbedtls_ssl_handshake_params::ciphersuite_info

by a getter functions which, and defines this getter function
either by just reading the field from the handshake structure
(in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by
returning the single valid ciphersuite handle (in case
MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the
field from mbedtls_ssl_handshake_params in this case.
2019-07-08 11:23:24 +01:00
Hanno Becker 2d46b4f2a1 Adapt ClientHello parsing to case of single hardcoded ciphersuite
This commit adapts the ClientHello parsing routines in ssl_srv.c
to use the ciphersuite traversal macros

  MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE
  MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE

introduced in the last commit, thereby making them work
both with and without MBEDTLS_SSL_SINGLE_CIPHERSUITE.

Another notable change concerns the ssl_ciphersuite_match:
Previous, this function would take a ciphersuite ID and a
pointer to a destination ciphersuite info structure as input
and write eithe NULL or a valid ciphersuite info structure
to that destination address, depending on whether the suite
corresponding to the given ID was suitable or not. The
function would always return 0 outside of a fatal error.
This commit changes this to ssl_ciphersuite_is_match() which
instead already takes a ciphersuite handle (which outside
of a hardcoded ciphersuite is the same as the ptr to a
ciphersuite info structure) and returns 0 or 1 (or a
negative error code in case of a fatal error) indicating
whether the suite corresponding to the handle was acceptable
or not. The conversion of the ciphersuite ID to the ciphersuite
info structure is done prior to calling ssl_ciphersuite_is_match().
2019-07-08 11:23:17 +01:00
Hanno Becker 1499027d02 Adapt ClientHello writing to case of single hardcoded ciphersuite
This commit modifies the ClientHello writing routine ssl_write_client_hello
in ssl_cli.c to switch between
(a) listing all runtime configured ciphersuites
    (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is not defined)
(b) listing just the single hardcoded ciphersuite
    (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is defined)

The approach taken is to introduce a pair of helper macros

  MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, ver, info )
  MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE

which when delimiting a block of code lead to that block of
code being run once for each ciphersuite that's enabled in the
context `ssl` and version `ver`, referenced through the (fresh)
`info` variable. Internally, this is implemented either through
a plain `for` loop traversing the runtime configured ciphersuite
list (if MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled) or by just
hardcoding `info` to the single enabled ciphersuite (if
MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled).

These helper macros will prove useful whereever previous code
traversed the runtime configured ciphersuite list, but adaptations
of those occasions outside ClientHello writing are left for later
commits.
2019-07-08 11:17:53 +01:00
Hanno Becker 5cce936e62 Add compile-time option to hardcode choice of single ciphersuite 2019-07-08 11:17:53 +01:00
Hanno Becker b09132d33a Introduce framework for macro-based definitions of ciphersuites
This commit is a step towards the goal of allowing to hardcode the choice
of a single ciphersuite at compile-time. The hoped for benefit of this is
that whereever a ciphersuite attribute is queried and checked against a
compile-time constant, the check can be recognized as either true or false
at compile-time, hence leading to a code-size reduction.

For this to work, the ciphersuite attribute getter functions
mbedtls_ssl_suite_get_xxx() will be modified to return something
the compiler can recognize as a compile-time constant. In particular,
in order to avoid relying on constant propagation abilities of the
compiler, these functions should ideally return constant symbols
(instead of, say, fields in a globally const structure instance).

This puts us in the following situation: On the one hand, there's the
array of ciphersuite information structures defining the attribute of
those ciphersuites the stack knows about. On the other hand, we need
direct access to those fields through constant symbols in the getter
functions.

In order to avoid any duplication of information, this commit exemplifies
how ciphersuites can be conveniently defined on the basis of macro
definitions, and how the corresponding instances of the ciphersuite
information structure can be auto-generated from this.

In the approach, to add support for a ciphersuite with official name
NAME (such as TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8), the following macro
constants need to be defined in ssl_ciphersuites.h:

  MBEDTLS_SUITE__ NAME __ID
  MBEDTLS_SUITE__ NAME __NAME
  MBEDTLS_SUITE__ NAME __CIPHER
  MBEDTLS_SUITE__ NAME __MAC
  ...

To make check-names.sh happy, one also needs a dummy macro

  MBEDTLS_SUITE__ NAME()

These ciphersuite attribute values can then be queried via

  MBEDTLS_SSL_SUITE_ID( NAME_MACRO )
  ...

where NAME_MACRO can be any macro expanding to a defined NAME.

Further, a convenience macro

  MBEDTLS_SSL_SUITE_INFO( NAME_MACRO )

is provided that again takes a macro NAME_MACRO expanding to a
defined NAME, and itself expands to an instance of
mbedtls_ssl_ciphersuite_info_t using the macro attributes
defined for NAME. This macro is then used in ssl_ciphersuites.c
when defining the array of known ciphersuite information structures,
(a) without duplicating the information, and (b) with increased
readability, because there's only one line for each ciphersuite.
2019-07-08 11:17:53 +01:00
Hanno Becker 473f98f2e0 Introduce ciphersuite handle type
This commit introduces an internal zero-cost abstraction layer for
SSL ciphersuites: Instead of addressing ciphersuites via pointers
to instances of mbedtls_ssl_ciphersuite_t and accessing their fields
directly, this commit introduces an opaque type

  mbedtls_ssl_ciphersuite_handle_t,

and getter functions

  mbedtls_ssl_suite_get_xxx()

operating on ciphersuite handles.

The role of NULL is played by a new macro constant

  MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE

which results of functions returning handles can be checked against.
(For example, when doing a lookup of a ciphersuite from a peer-provided
ciphersuite ID in the per's Hello message).

The getter functions have the validity of the handle as a precondition
and are undefined if the handle is invalid.

So far, there's only one implementation of this abstraction layer, namely

  mbedtls_ssl_ciphersuite_handle_t being mbedtls_ssl_ciphersuite_t const *

and

  getter functions being field accesses.

In subsequent commits, however, the abstraction layer will be useful
to save code in the situation where only a single ciphersuite is enabled.
2019-07-08 11:17:53 +01:00
Jaeden Amero c041b4fc94 Merge remote-tracking branch 'origin/pr/2700' into mbedtls-2.16
* origin/pr/2700:
  Changelog entry for HAVEGE fix
  Prevent building the HAVEGE module on platforms where it doesn't work
  Fix misuse of signed ints in the HAVEGE module
2019-07-05 15:43:18 +01:00
Manuel Pégourié-Gonnard 5455afd74e
Merge pull request #599 from ARMmbed/baremetal-ec-preparation
[Baremetal] Avoid heap-allocation for client-supported elliptic curves
2019-07-05 14:16:41 +02:00
Hanno Becker 600ddf45c3 Update query_config.c and version_features.c 2019-07-04 14:05:00 +01:00
Hanno Becker d07614c529 Introduce MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID removing IDs 2019-07-04 14:04:03 +01:00
Hanno Becker 843b71a1df Introduce MBEDTLS_X509_CRT_REMOVE_TIME removing time fields from CRT 2019-07-04 14:04:03 +01:00
Hanno Becker 6f61b7bb5c Remove 'CRT fallback' during X.509 CRT verification if !TIME_DATE 2019-07-04 14:03:26 +01:00
Hanno Becker c00cceaa3f Move def'n of X.509 time-verif funcs to hdr if no time available 2019-07-04 14:03:26 +01:00
Hanno Becker d3b2fcb7c6 Don't store client-supported ECs in heap-allocated buffer
So far, the client-proposed list of elliptic curves was stored for the
duration of the entire handshake in a heap-allocated buffer referenced
from mbedtls_ssl_handshake_params::curves. It is used in the following
places:
1) When the server chooses a suitable ciphersuite, it checks that
   it has a certificate matching the ciphersuite; in particular, if
   the ciphersuite involves ECDHE, the server needs an EC certificate
   with a curve suitable for the client.
2) When performing the ECDHE key exchange, the server choose one
   curve among those proposed by the client which matches the server's
   own supported curve configuration.

This commit removes the hold back the entire client-side curve list
during the handshake, by performing (1) and (2) on during ClientHello
parsing, and in case of (2) only remembering the curve chosen for ECDHE
within mbedtls_ssl_handshake_params.
2019-07-04 12:41:08 +01:00
Hanno Becker 0ae6b244c8 Allow compile-time configuration of timer callbacks
Introduces
- MBEDTLS_SSL_CONF_SET_TIMER
- MBEDTLS_SSL_CONF_GET_TIMER
which allows to configure timer callbacks at compile-time.

Impact on code-size:

|  | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23379 | 23981 | 26941 |
| `libmbedtls.a` after | 23351 | 23953 | 26869 |
| gain in Bytes | 28 | 28 | 72 |
2019-07-04 10:29:44 +01:00
Hanno Becker a58a896172 Allow compile-time configuration of I/O function pointers
Introduce the compile-time options
- MBEDTLS_SSL_CONF_RECV
- MBEDTLS_SSL_CONF_SEND
- MBEDTLS_SSL_CONF_RECV_TIMEOUT
which can be used to configure the callbacks for the underlying
transport at compile-time.

Code-size impact:

|  | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23471 | 24077 | 27045 |
| `libmbedtls.a` before | 23379 | 23981 | 26941 |
| gain in Bytes | 92 | 96 | 104 |
2019-07-04 10:28:55 +01:00
Hanno Becker ece325c8dd Allow compile-time configuration of PRNG in SSL module
Introduces MBEDTLS_SSL_CONF_RNG to allow configuring the
RNG to be used by the SSL module at compile-time.

Impact on code-size:

|  | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23535 | 24089 | 27103 |
| `libmbedtls.a` after | 23471 | 24077 | 27045 |
| gain in Bytes | 64 | 12 | 58 |
2019-07-04 10:27:41 +01:00
Manuel Pégourié-Gonnard b391766802 Fix unused variable that happened during merge
Fix an "unused variable" warning that happened in some configurations
(without EC, found by depend-pkalg.pl) and was not present in any parent PR
but only in the result of merging them: one of the PRs clarified the
distinction between `ret` and `verify_ret` and the other removed one
occurrence of using `ret`, and the conjunction of the two made `ret` unused in
some cases. Resolving by reducing the scope of that variable.
2019-07-03 11:24:24 +02:00
Manuel Pégourié-Gonnard de8869c529 Merge remote-tracking branch 'restricted/pr/608' into baremetal-proposed
* restricted/pr/608:
  programs: Make `make clean` clean all programs always
  ssl_tls: Enable Suite B with subset of ECP curves
  windows: Fix Release x64 configuration
  timing: Remove redundant include file
  net_sockets: Fix typo in net_would_block()
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
  Update library to 2.16.2
  Use 'config.pl baremetal' in all.sh
  Clarify ChangeLog entry for fix to #1628
  Fix #2370, minor typos and spelling mistakes
  Add Changelog entry for clang test-ref-configs.pl fix
  Enable more compiler warnings in tests/Makefile
  Change file scoping of test helpers.function
2019-07-03 10:31:46 +02:00
Manuel Pégourié-Gonnard 44ba6b0d26 Merge remote-tracking branch 'restricted/pr/594' into baremetal-proposed
* restricted/pr/594:
  Adapt baremetal.h and baremetal.sh
  Don't incl. CAs in CertReq message in baremetal build
  Allow config'n of incl of CertificateReq CA list Y/N at compile-time
  Allow configuration of endpoint (cli/srv) at compile-time
  Allow configuration of read timeouts at compile-time
  Allow configuration of ConnectionID at compile-time
  Allow compile-time configuration of legacy renegotiation
  Allow compile-time configuration of authentication mode
  Allow compile-time configuration of DTLS badmac limit
  Allow compile-time configuration of DTLS anti replay
2019-07-03 10:22:28 +02:00
Manuel Pégourié-Gonnard 37261e6f6b Merge remote-tracking branch 'restricted/pr/601' into baremetal-proposed
* restricted/pr/601: (27 commits)
  Fix compile-time guard for optional field in struct
  Move code to reduce probability of conflicts
  Fix typos caught by check-names.sh
  Clarify conditions related to resumption in client
  Introduce getter function for renego_status
  Add getter function for handshake->resume
  Remove now-redundant code
  Remove cache callbacks from config on client
  Fix a few style issues
  Expand documentation of new options a bit
  Fix renaming oversight in documentation
  Remove backticks in doxygen in config.h
  Declare dependency on tickets for two ssl-opt.sh tests
  Exclude new negative options from config.pl full
  Restore config.h defaults
  Address review comments
  Fix ssl_cli resumption guards
  Fix check-files, check-names and check-generated-features
  Add test to all.sh
  Add changelog entry
  ...
2019-07-03 10:04:13 +02:00
Manuel Pégourié-Gonnard 417d2ce076 Merge remote-tracking branch 'restricted/pr/584' into baremetal-proposed
* restricted/pr/584: (140 commits)
  Remove superfluous new line in x509.c
  Add comment about X.509 name comparison of buffer with itself
  [Fixup] Add missing PK release call in Cert Verify parsing
  Fix guard controlling whether nested acquire calls are allowed
  Add X.509 CRT test for nested calls for CRT frame / PK acquire
  Don't return threading error on release()-without-acquire() calls
  Don't allow nested CRT acquire()-calls if MBEDTLS_X509_ALWAYS_FLUSH
  Make X.509 CRT cache reference counting unconditional
  Remove memory buffer alloc from i386 test in all.sh
  Don't mention pk_sign() in the context of public-key contexts
  Don't use assertion for failures of mbedtls_x509_crt_x_acquire()
  Fix copy pasta in x509_crt.h
  Reference copy-less versions of X.509 CRT frame/PK getters
  x509_crt.c: Add blank line to increase readability
  [FIXUP] Fix bug in ASN.1 traversal of silently ignored tag
  [FIXUP] Fix typo in declaration of mbedtls_x509_memcasecmp()
  Move signature-info extraction out of MBEDTLS_X509_REMOVE_INFO
  Fix certificate validity checking logic to work with !TIME_DATE
  Simplify X.509 CRT version check in UID parsing
  Remove unused variable warning in on-demand X.509 parsing
  ...
2019-07-03 10:03:45 +02:00
Hanno Becker b1d720c016 Remove superfluous new line in x509.c 2019-07-02 16:47:57 +01:00
Hanno Becker 3aa121660e Add comment about X.509 name comparison of buffer with itself 2019-07-02 16:47:40 +01:00
Hanno Becker c2cfdaa693 Allow config'n of incl of CertificateReq CA list Y/N at compile-time
Introduces MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST which allows to configure
at compile-time whether a CA list should be included in the
CertificateRequest message sent by the server.

Impact on code-size:

|  | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before  | 23131 | 23805 | 26673 |
| `libmbedtls.a` after | 23099 | 23781 | 26639 |
| gain in Bytes | 32 | 24 | 34 |
2019-07-02 16:42:45 +01:00
Hanno Becker 2d9623f7d5 Allow configuration of endpoint (cli/srv) at compile-time
Introduces MBEDTLS_SSL_CONF_ENDPOINT to allow to choose between
server- or client-builds at compile-time.

Impact on code-size:

|  | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` (client only) before  | 18355 | 18815 | 21485 |
| `libmbedtls.a` (client only) after | 18219 | 18683 | 21347 |
| gain in Bytes (client only) | 136 | 132 | 138 |
| `libmbedtls.a` (server only) before  | 18715 | 18987 | 21883 |
| `libmbedtls.a` (server only) after | 18595 | 18823 | 21717 |
| gain in Bytes (server only) | 120 | 164 | 166 |
2019-07-02 16:42:41 +01:00
Hanno Becker 1f835fa22b Allow configuration of read timeouts at compile-time
Introduces compile-time constants
- MBEDTLS_SSL_CONF_READ_TIMEOUT
- MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN
- MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX
which allow to configure the read timeouts and
minimum/maximum handshake timeout at compile time.

Impact on code-size:

|  | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before  | 23147 | 23781 | 26703 |
| `libmbedtls.a` after | 23131 | 23753 | 26673 |
| gain in Bytes | 16 | 28 | 30 |
2019-07-02 16:42:10 +01:00
Hanno Becker e0200dad63 Allow configuration of ConnectionID at compile-time
Introduces
- MBEDTLS_SSL_CONF_CID_LEN and
- MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID
to control
- the length of incoming CIDs
- the behaviour in receipt of unexpected CIDs
at compile-time.

Impact on code-size:

|  | GCC 82.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23223 | 23865 | 26775 |
| `libmbedtls.a` after  | 23147 | 23781 | 26703 |
| gain in Bytes | 76 | 84 | 72 |
2019-07-02 16:41:35 +01:00
Hanno Becker b0b2b67568 Allow compile-time configuration of legacy renegotiation
Introduces MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION
allowing to configure enforcing secure renegotiation at
compile-time.

Impact on code-size:

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` after  | 23379 | 23929 | 27727 |
| `libmbedtls.a` before | 23307 | 23865 | 27615 |
| gain in Bytes | 72 | 64 | 112 |
2019-07-02 16:41:34 +01:00
Hanno Becker acd4fc0ac9 Allow compile-time configuration of authentication mode
Introduces MBEDTLS_SSL_CONF_AUTHMODE to fix the authentication
mode (none, optional, mandatory) at compile-time.

Impact on code-size:

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23487 | 24025 | 27885 |
| `libmbedtls.a` after  | 23379 | 23929 | 27727 |
| gain in Bytes | 108 | 96 | 157 |
2019-07-02 16:41:29 +01:00
Hanno Becker de67154658 Allow compile-time configuration of DTLS badmac limit
Introduces MBEDTLS_SSL_CONF_BADMAC_LIMIT to fix the maximum
number of records with bad MAC tolerated in DTLS at compile-time.

Impact on code-size:

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before  | 23511 | 24049 | 27903 |
| `libmbedtls.a` after | 23487 | 24025 | 27885 |
| gain in Bytes | 24 | 24 | 18 |
2019-07-02 16:40:50 +01:00
Hanno Becker bc6b59859f [Fixup] Add missing PK release call in Cert Verify parsing
mbedtls_ssl_read() can fail non-fatally, in which case
ssl_parse_certificate_verify() returned immediately without
calling mbedtls_x509_crt_pk_release(), which in turn lead
to a fatal error because of nested acquire calls in the
next call to the function.
2019-07-02 15:36:44 +01:00
Manuel Pégourié-Gonnard 7b80c64de4 Fix compile-time guard for optional field in struct 2019-07-02 16:24:55 +02:00
Manuel Pégourié-Gonnard 93c8262d4a Clarify conditions related to resumption in client 2019-07-02 15:13:18 +02:00
Manuel Pégourié-Gonnard 754b9f32db Introduce getter function for renego_status
While not strictly related to this PR, this change improves readability in
some resumption-related runtime conditions that previously had rather ugly
preprocessor directives in the middle of already complex predicates.
2019-07-02 15:13:18 +02:00
Manuel Pégourié-Gonnard 3652e99100 Add getter function for handshake->resume
This makes the code more readable by having fewer #ifdefs all over the place.
2019-07-02 15:13:18 +02:00
Manuel Pégourié-Gonnard 44b10761cc Remove now-redundant code
Due to previous change of conditions, this is now in the 'else' branch of 'if
resume == 1' and the only allowed values are 0 or 1, so setting to 0 is
redundant.
2019-07-02 15:12:29 +02:00
Manuel Pégourié-Gonnard 594a1bbc4f Fix a few style issues 2019-07-02 15:12:29 +02:00
Jarno Lamsa 29f2dd0a7b Address review comments 2019-07-02 15:12:29 +02:00
Jarno Lamsa dbf6073fa3 Fix ssl_cli resumption guards 2019-07-02 15:12:29 +02:00
Jarno Lamsa 4f74f6d301 Fix check-files, check-names and check-generated-features 2019-07-02 15:12:29 +02:00
Jarno Lamsa 5165169a05 Fix test issues 2019-07-02 15:12:29 +02:00
Jarno Lamsa 59bd12bf14 Add new config MBEDTLS_SSL_SESSION_RESUMPTION
Add a new configuration option MBEDTLS_SSL_SESSION_RESUMPTION
to enable/disable the session resumption feature including
ticket and cache based session resumption.
2019-07-02 15:12:29 +02:00
Jarno Lamsa 7be14065e2 Add config MBEDTLS_SSL_SESSION_CACHE
Add configuration option MBEDTLS_SSL_SESSION_CACHE to control
enabling/disabling of the cache based session resumption.
2019-07-02 15:12:29 +02:00
Hanno Becker 410322f23e Fix guard controlling whether nested acquire calls are allowed
Resource counting as a safe-guard against nested acquire calls
is implemented if and only if MBEDTLS_X509_ALWAYS_FLUSH is disabled
_or_ MBEDTLS_THREADING_C is enabled.
2019-07-02 13:37:12 +01:00
Hanno Becker abd929c89c Merge branch 'mbedtls-2.16' into baremetal-2.16-01_07_19 2019-07-01 11:25:42 +01:00
Hanno Becker fc99a09cc4 Don't allow nested CRT acquire()-calls if MBEDTLS_X509_ALWAYS_FLUSH
Forbidding nested calls to acquire() allows to remove the reference
counting logic and hence saving some bytes of code. This is valuable
because MBEDTLS_X509_ALWAYS_FLUSH is likely to be used on constrained
systems where code-size is limited.
2019-06-28 14:48:32 +01:00
Hanno Becker a4bfaa8204 Make X.509 CRT cache reference counting unconditional
Previously, reference counting for the CRT frames and PK contexts
handed out by mbedtls_x509_crt_{frame|pk}_acquire() was implemented
only in case threading support was enabled, which leaves the door
open for a potential use-after-free should a single-threaded application
use nested calls to mbedtls_x509_crt_acquire().

Since Mbed TLS itself does not use such nested calls, it might be
preferred long-term to forbid nesting of acquire calls on the API
level, and hence get rid of reference counting in the interest of
code-size benefits. However, this can be considered as an optimization
of X.509 on demand parsing, and for now this commit introduces
reference counting unconditionally to have a safe version of
on demand parsing to build further optimizations upon.
2019-06-28 14:48:32 +01:00
Hanno Becker 2224ccf390 Don't use assertion for failures of mbedtls_x509_crt_x_acquire()
These functions may afil in a regular run, e.g. due to an out of memory
error.
2019-06-28 14:48:31 +01:00
Hanno Becker ed05888195 x509_crt.c: Add blank line to increase readability 2019-06-28 14:48:31 +01:00
Hanno Becker 35b86a872f [FIXUP] Fix bug in ASN.1 traversal of silently ignored tag 2019-06-25 10:41:34 +01:00
Hanno Becker 08d341211d Move signature-info extraction out of MBEDTLS_X509_REMOVE_INFO
During rebase, the definition of ::mbedtls_x509_crt_sig_info
as well as x509_crt_free_sig_info() and x509_crt_get_sig_info()
were accidentally guarded by !MBEDTLS_X509_REMOVE_INFO.

This commit moves their definition outside of that guard.
2019-06-25 10:41:31 +01:00
Hanno Becker 040c564888 Fix certificate validity checking logic to work with !TIME_DATE
If MBEDTLS_HAVE_TIME_DATE is undefined, the functions
`mbedtls_x509_time_is_past()` and `mbedtls_x509_time_is_future()`
are still defined but return `0` (that is, no time is seen to in
the past or future). To maintain functional correctness, this
means that these functions have to be called in a way where
the condition being checked for is the erroneous one: Concretely,
one shouldn't check that a CRT's `validFrom` is in the past,
or that its `validTo` is in the future, because that would
fail if !MBEDTLS_HAVE_TIME_DATE. Instead, one should check
that `validFrom` is NOT in the future, and `validTo` is NOT
in the past. That was the logic previously, but an uncautious
change during transition to X.509 on-demand parsing has
changed it. This commit fixes this.
2019-06-25 09:11:11 +01:00
Hanno Becker 97aa4363e1 Simplify X.509 CRT version check in UID parsing
WHen parsing the CRT version, we already check that
version is either 1, 2, or 3, so checking whether
version == 2 or version == 3 is equivalent to
version != 1.
2019-06-25 09:11:11 +01:00
Hanno Becker e908412a35 Simplify logic for issuer/subject ID parsing 2019-06-25 09:11:11 +01:00
Hanno Becker fd64f14ef9 Remove redundant CRT version check during CRT parsing 2019-06-25 09:11:11 +01:00
Hanno Becker b36a245654 Add comment to #endif indicating which condition was guarded 2019-06-25 09:10:57 +01:00
Hanno Becker 484caf0abc Consistently use (type *) instead of (type*) for pointer conversion 2019-06-25 09:10:57 +01:00
Hanno Becker 2ba9fbdfe9 Allow multiple concurrent readers for X.509 CRT frame and PK context
Previously, only one thread could access the parsing cache of an X.509 CRT
at a time. Firstly, this leads to significant performance penalties on
systems running many concurrent threads which share CRT structures --
for example, server threads sharing an SSL configuration containing the
server CRT. Secondly, the locking should be logically unnecessary, because
the threads are supposed to access the CRT frame and PK in a read-only,
or at least thread-safe manner.

This commit modifies the X.509 CRT cache implementation by allowing an
arbitrary number of concurrent readers, locking only the path of setting
up and clearing the cache.
2019-06-25 09:10:57 +01:00
Hanno Becker 5f268b3cf6 Don't allow change of CRT frame returned by x509_crt_frame_acquire() 2019-06-25 09:10:57 +01:00
Hanno Becker 1250623ad1 Mark CRT frame argument to mbedtls_x509_xxx_from_frame() constant 2019-06-25 09:10:57 +01:00
Hanno Becker fd5c185ed6 Use uint16_t to store key usage field in X.509 CRT
Also, reorder the fields to avoid padding, thereby reducing the size of
mbedtls_x509_crt_frame by 2 Bytes.
2019-06-25 09:10:57 +01:00
Hanno Becker 54f1c2cb20 Rename MBEDTLS_X509_SAFE_SNPRINTF_WITH_ERROR to _WITH_CLEANUP 2019-06-25 09:10:57 +01:00
Hanno Becker f332a97e1b Add ASN.1 API to free linked list representation of ASN.1 sequences 2019-06-25 09:10:57 +01:00
Hanno Becker 7b8e11e724 Avoid allocating empty buffers when handling length-0 CRTs 2019-06-25 09:10:57 +01:00
Hanno Becker 529f25d119 Don't use mbedtls_asn1_get_sequence_of() in x509_crt.c
This commit modifies the implementation of x509_get_ext_key_usage()
to not rely on mbedtls_asn1_get_sequence_of() but to instead use
mbedtls_asn1_traverse_sequence_of() with the same sequence-building
callback that also x509_get_subject_alt_name() uses, and which agrees
with the callback used by mbedtls_asn1_get_sequence_of().

The reason for this is that with this change, Mbed TLS itself isn't
using mbedtls_asn1_get_sequence_of() anymore, but only the more powerful
mbedtls_asn1_traverse_sequence_of(), so that unless application code
makes use of mbedtls_asn1_get_sequence_of(), its implementation
-- including the underlying sequence building callback -- will be
removed by link time garbage collection.
2019-06-25 09:10:57 +01:00
Hanno Becker 15b73b4066 Correct placement of comment on X.509 SAN parsing 2019-06-25 09:10:57 +01:00
Hanno Becker e452add01e Comment on return value type in two internal X.509 functions 2019-06-25 09:10:57 +01:00
Hanno Becker be0cf9b1f6 Improve formatting in x509.c 2019-06-25 09:10:57 +01:00
Hanno Becker f6bc8886c7 Move declarations of internal X.509 functions to separate header
This makes it easier to distinguish public from internal functions;
for us, for users, and for automated API compatibility checkers.
2019-06-25 09:10:57 +01:00
Hanno Becker 1421246d44 Update version_features.c 2019-06-25 09:07:16 +01:00
Hanno Becker 76428359b3 Move existence check for pk/frame to mbedtls_x509_crt_provide_xxx() 2019-06-25 09:07:16 +01:00
Hanno Becker bc685199d9 Implement MBEDTLS_X509_ALWAYS_FLUSH 2019-06-25 09:07:16 +01:00
Hanno Becker c6d1c3ed1c Remove frame/pk parameter from mbedtls_x509_crt_xxx_release() 2019-06-25 09:07:16 +01:00
Hanno Becker 38f0cb487c Introduce helpers for conversion between X.509 buffer structs
This commit introduces two static helpers
- `x509_buf_to_buf_raw()`
- `x509_buf_raw_to_buf()`
which convert to/from the old `mbedtls_x509_buf` and
the new `mbedtls_x509_buf_raw` (the latter omitting the
ASN.1 tag field).
2019-06-25 09:07:16 +01:00
Hanno Becker 1e11f217d4 Solely use raw X.509 name data references including SEQUENCE header
So far, the CRT frame structure `mbedtls_x509_crt_frame` used
as `issuer_raw` and `subject_raw` the _content_ of the ASN.1
name structure for issuer resp. subject. This was in contrast
to the fields `issuer_raw` and `subject_raw` from the legacy
`mbedtls_x509_crt` structure, and caused some information
duplication by having both variants `xxx_no_hdr` and `xxx_with_hdr`
in `mbedtls_x509_crt` and `mbedtls_x509_crt_frame`.

This commit removes this mismatch by solely using the legacy
form of `issuer_raw` and `subject_raw`, i.e. those _including_
the ASN.1 name header.
2019-06-25 09:07:16 +01:00
Hanno Becker 4e021c8f50 Remove raw SubjectAltNames and ExtKeyUsage from legacy CRT struct 2019-06-25 09:07:16 +01:00
Hanno Becker ea32d8ba2a Provide direct way of setting up a CRT frame from legacy CRT struct
Previously, `mbedtls_x509_crt_cache_provide_frame()` provided the requested
CRT frame by always parsing the raw data underlying the CRT. That's inefficient
in legacy mode, where the CRTs fields are permanently accessible through the
legacy `mbedtls_x509_crt` structure.

This commit modifies `mbedtls_x509_crt_cache_provide_frame()` in legacy mode
(that is, !MBEDTLS_X509_ON_DEMAND_PARSING) to setup the CRT frame by copying
fields from the legacy CRT structure.
2019-06-25 09:07:16 +01:00
Hanno Becker 5226c53e13 Modify mbedtls_x509_crt_info() to use getter API 2019-06-25 09:06:26 +01:00
Hanno Becker 7a4de9cdab Flush CRT cache after parsing
This commit modifies the CRT parsing routine to flush
the CRT cache after parsing. More specifically, the
frame cache is flushed before the PK is parsed, to
avoid storing the PK and frame in RAM at the same time.
2019-06-25 09:06:26 +01:00
Hanno Becker 828a8c08b6 Add compile-guard for < TLS1.2 path in server-side ssl_pick_cert()
Minor code-size optimization along the way.
2019-06-25 09:06:26 +01:00
Hanno Becker 2bcc7640f8 Give x509_{sequence|name}_free() external linkage
With the introduction of `mbedtls_x509_crt_get_{issuer|name}()`,
users need an easy way of freeing the dynamic name structures these
functions return.

To that end, this commit renames `x509_{sequence|name}_free()`
to `mbedtls_x509_{sequence|name}_free()` and gives them external linkage.
2019-06-25 09:06:26 +01:00
Hanno Becker ab6c8ea8bc Add public API to query SubjectAltNames and ExtKeyUsage extensions 2019-06-25 09:06:26 +01:00
Hanno Becker 63e6998dd7 Add public API to query subject and issuer from CRT
The legacy `mbedtls_x509_crt` contains fields `issuer/subject`
which are dynamically allocated linked list presentations of the
CRTs issuer and subject names, respectively.

The new CRT frame structure `mbedtls_x509_crt_frame`, however,
only provides pointers to the raw ASN.1 buffers for the issuer
and subject, for reasons of memory usage.

For convenience to users that previously used the `issuer`/`subject`
fields of `mbedtls_x509_crt`, this commit adds two public API functions
`mbedtls_x509_crt_get_subject()` and `mbedtls_x509_crt_get_issuer()`
which allow to request the legacy linked list presentation of the
CRTs subject / issuer names.

Similar to `mbedtls_x509_crt_get_pk()`, the returned names are owned
by the user, and must be freed through a call to `mbedtls_x509_name_free()`.
2019-06-25 09:06:26 +01:00
Hanno Becker 823efad6e8 Add public API to query for CRT frame and PK
This commit unconditionally adds two convenience API functions:
- mbedtls_x509_crt_get_frame()
- mbedtls_x509_crt_get_pk()
which allow users to extract a CRT frame or PK context
from a certificate.

The difference with the existing acquire/release API for frame and PK
contexts is that in contrast to the latter, the structures returned by
the new API are owned by the user (and, in case of the PK context, need
to be freed by him). This makes the API easier to use, but comes at the
cost of additional memory overhead.
2019-06-25 09:06:26 +01:00
Hanno Becker 180f7bf60b Add compile-time option to remove legacy CRT fields 2019-06-25 09:06:26 +01:00
Hanno Becker b6c39fca5c Add parsing cache to mbedtls_x509_crt
This commit replaces the dummy implementation of the CRT acquire/release
framework by a cache-based implementation which remembers frame and PK
associated to a CRT across multiple `acquire/release` pairs.
2019-06-25 09:06:26 +01:00
Hanno Becker 73cd8d8adc Make use of acquire/release in ssl_parse_certificate_verify() 2019-06-25 09:06:26 +01:00
Hanno Becker 2fefa4845d Make use of acquire/release in ssl_parse_server_key_exchange() 2019-06-25 09:06:26 +01:00
Hanno Becker 39ae65cf73 Make use of acquire/release in ssl_get_ecdh_params_from_cert() 2019-06-25 09:06:26 +01:00
Hanno Becker 0c1681685c Make use of acquire/release in client-side ssl_write_encrypted_pms() 2019-06-25 09:06:26 +01:00
Hanno Becker 232f8faf00 Make use of CRT acquire/release in ssl_write_certificate_request() 2019-06-25 09:06:26 +01:00
Hanno Becker 30649f7a17 Make use of CRT acquire/release in server-side ssl_pick_cert() 2019-06-25 09:06:26 +01:00
Hanno Becker 8c13ee615f Make use of CRT acquire/release in ssl_parse_certificate_verify()
Access the peer's PK through the PK acquire/release API only.

Care has to be taken not to accidentally overwrite the return
value `ret` from the CRT chain verification.
2019-06-25 09:06:26 +01:00
Hanno Becker 6cb5f86dac Make use of CRT acquire/release in mbedtls_debug_print_crt() 2019-06-25 09:06:26 +01:00
Hanno Becker 8723336831 Make use of CRT acquire/release in x509_crt_verify_restartable 2019-06-25 09:06:26 +01:00
Hanno Becker 082435c011 Make use of CRT acquire/release in x509_crt_verify_name()
This commit modifies the static function `x509_crt_verify_name()` to
use the acquire/release API to access the given CRTs `subject` field.

This function is solely called from the beginning of the CRT chain
verification routine, which also needs to access the child's CRT frame.
It should therefore be considered - for a later commit - to collapse
the two acquire/release pairs to one, thereby saving some code.
2019-06-25 09:06:26 +01:00
Hanno Becker 58c35646df Make use of CRT acquire/release in CRT chain verification #2 2019-06-25 09:06:26 +01:00
Hanno Becker bb26613d32 Make use of CRT acquire/release in x509_crt_verifycrl() 2019-06-25 09:06:26 +01:00
Hanno Becker 79ae5b68e7 Make use of CRT acquire/release in x509_serial_is_revoked() 2019-06-25 09:06:26 +01:00
Hanno Becker e9718b451a Make use of CRT acquire/release in ExtKeyUsage checking 2019-06-25 09:06:26 +01:00
Hanno Becker 371e0e4573 Determine whether CRT is initialized or not through raw data pointer
Previously, `mbedtls_x509_crt_der_internal()` used the `version` field
(which is `0` after initialization but strictly greater than 0 once a
CRT has successfully been parsed) to determine whether an
`mbedtls_x509_crt` instance had already been setup.

Preparating for the removal of `version` from the structure, this
commit modifies the code to instead peek at the raw data pointer,
which is NULL as long as the CRT structure hasn't been setup with a CRT,
and will be kept in the new CRT structure.
2019-06-25 09:06:26 +01:00
Hanno Becker 4f869eda64 Make use of CRT acquire/release in mbedtls_x509_crt_info()
This commit adapts `mbedtls_x509_crt_info()` to no longer access
structure fields from `mbedtls_x509_crt` directly, but to instead
query for a `mbedtls_x509_crt_frame` and `mbedtls_pk_context` and
use these to extract the required CRT information.
2019-06-25 09:06:26 +01:00
Hanno Becker 45eedf1ace Make use of CRT acquire/release in mbedtls_x509_crt_check_key_usage 2019-06-25 09:06:26 +01:00
Hanno Becker 43bf900018 Make use of CRT acquire/release searching for issuer in CRT verif.
This commit continues rewriting the CRT chain verification to use
the new acquire/release framework for CRTs. Specifically, it replaces
all member accesses of the current _parent_ CRT by accesses to the
respective frame.
2019-06-25 09:06:26 +01:00
Hanno Becker e449e2d846 Make use of CRT acquire/release for X.509 CRT signature checking 2019-06-25 09:06:26 +01:00
Hanno Becker 5299cf87d4 Add structure holding X.509 CRT signature information
This commit introduces an internal structure `mbedtls_x509_crt_sig_info`
containing all information that has to be kept from a child CRT when searching
for a potential parent:
- The issuer name
- The signature type
- The signature
- The hash of the CRT

The structure can be obtained from a CRT frame via `x509_crt_get_sig_info()`
and freed via `x509_crt_free_sig_info()`.

The purpose of this is to reduce the amount of RAM used during CRT
chain verification; once we've extracted the signature info structure
from the current child CRT, we can free all cached data for that CRT
(frame and PK) before searching for a suitable parent. This way, there
will ultimately not be more than one frame needed at a single point
during the verification.
2019-06-25 09:06:26 +01:00
Hanno Becker a788cab46d Check validity of potential parent before checking signature
The function `x509_crt_find_parent_in()` traverses a list of CRTs
to find a potential parent to a given CRT. So far, the logic was
the following: For each candidate,
- check basic parenting skills (mostly name match)
- verify signature
- verify validity
This order is insuitable for the new acquire/release layer of
indirection when dealing with CRTs, because we either have to
query the candidate's CRT frame twice, or query frame and PK
simultaneously.

This commit moves the validity check to the beginning of the
routine to allow querying for the frame and then for the PK.

The entry point for restartable ECC needs to be moved for that
to not forget the validity-flag while pausing ECC computations.
2019-06-25 09:06:26 +01:00
Hanno Becker 1e0677acc1 Make use of CRT acquire/release for child in CRT chain verification
During CRT verification, `x509_crt_check_signature()` checks whether a
candidate parent CRT correctly signs the current child CRT.

This commit rewrites this function to use the new acquire/release
framework for using CRTs.
2019-06-25 09:06:26 +01:00
Hanno Becker 337088aa2d Add internal API for acquire/release of CRT frames and PKs
The goal of the subsequent commits is to remove all direct uses
of the existing `mbedtls_x509_crt` apart from the `raw` buffer
and the linked list `next` pointer.

The approach is the following: Whenever a code-path needs to inspect
a CRT, it can request a frame for the CRT through the API
`x509_crt_frame_acquire()`. On success, this function returns a pointer
to a frame structure for the CRT (the origin of which is flexible and
need not concern the caller) that can be used to inspect the desired
fields. Once done, the caller hands back the frame through an explicit
call to `x509_crt_frame_release()`.

This commit also adds an inefficient dummy implementation for
`x509_crt_frame_acquire()` which always allocates a new
`mbedtls_x509_crt_frame` structure on the heap and parses it
from the raw data underlying the CRT. This will change in subsequent
commits, but it constitutes a valid implementation to test against.

Ultimately, `x509_crt_frame_acquire()` is to compute a frame for the
given CRT only once, and cache it for subsequent calls.

The need for `x509_crt_frame_release()` is the following: When
implementing `x509_crt_frame_acquire()` through a flushable cache
as indicated above, it must be ensured that no thread destroys
a cached frame structure for the time it is needed by another
thread. The `acquire/release` pair allows to explicitly delimit
the lifetime requirements for the returned frame structure.
The frame pointer must not be used after the `release` call anymore;
and in fact, the dummy implementation shows that it would
immediately lead to a memory failure.

Analogously to `x509_crt_frame_{acquire|release}()`, there's also
`x509_crt_pk_{acquire|release}()` which allows to acquire/release
a PK context setup from the public key contained within the CRT.
2019-06-25 09:06:26 +01:00
Hanno Becker 21f5567571 Introduce X.509 CRT frame structure
This commit restructures the parsing of X.509 CRTs in the following way:

First, it introduces a 'frame' structure `mbedtls_x509_crt_frame`, which
contains pointers to some structured fields of a CRT as well as copies of
primitive fields. For example, there's a pointer-length pair delimiting the raw
public key data in the CRT, but there's a C-uint8 to store the CRT version
(not a pointer-length pair delimiting the ASN.1 structure holding the version).

Setting up a frame from a raw CRT buffer does not require any memory outside
of the frame structure itself; it's just attaches a 'template' to the buffer
that allows to inspect the structured parts of the CRT afterwards.

Note that the frame structure does not correspond to a particular ASN.1
structure; for example, it contains pointers to delimit the three parts
of a CRT (TBS, SignatureAlgorithm, Signature), but also pointers to the
fields of the TBS, and pointers into the Extensions substructure of the TBS.

Further, the commit introduces an internal function `x509_crt_parse_frame()`
which sets up a frame from a raw CRT buffer, as well as several small helper
functions which help setting up the more complex structures (Subject, Issuer, PK)
from the frame.

These functions are then put to use to rewrite the existing parsing function
`mbedtls_x509_crt_parse_der_core()` by setting up a CRT frame from the input
buffer, residing on the stack, and afterwards copying the respective fields
to the actual `mbedtls_x509_crt` structure and performing the deeper parsing
through the various helper functions.
2019-06-25 09:06:26 +01:00
Hanno Becker c6573a27a1 Convert X.509 name buffer to linked list via name traversal callback 2019-06-25 09:06:26 +01:00
Hanno Becker 6b37812a45 Add next_merged field to X.509 name comparison abort callback 2019-06-25 09:06:26 +01:00
Hanno Becker 10e6b9b2b5 Move point of re-entry for restartable X.509 verification 2019-06-25 09:06:26 +01:00
Hanno Becker b59d3f1692 Add single function to parse ASN.1 AlgorithmIdentifier to x509.c 2019-06-25 09:06:26 +01:00
Hanno Becker 1898b68f09 Allow NULL pointer in mbedtls_x509_get_sig_alg if params not needed
Also, set `sig_opts` pointer to `NULL` if no signature algorithm
parameters are given (to reflect exactly that).
2019-06-25 09:06:26 +01:00
Hanno Becker c84fd1cd95 Check whether CRT is revoked by passing its serial number only
CRLs reference revoked CRTs through their serial number only.
2019-06-25 09:06:26 +01:00
Hanno Becker b3def1d341 Move length check into mbedtls_x509_memcasecmp()
At every occasion where we're using `mbedtls_x509_memcasecmp()` we're
checking that the two buffer lengths coincide before making the call.

This commit saves a few bytes of code by moving this length check
to `mbedtls_x509_memcasecmp()`.
2019-06-25 09:06:26 +01:00
Hanno Becker f1b39bf18c Implement v3 Extension parsing through ASN.1 SEQUENCE OF traversal
This commit rewrites the v3 ext parsing routine `x509_crt_get_ext_cb()`
in terms of the generic ASN.1 SEQUENCE traversal routine.
2019-06-25 09:06:26 +01:00
Hanno Becker c7c638eddd Implement ExtKeyUsage traversal via ASN.1 SEQUENCE OF traversal
This commit re-implements the `ExtendedKeyUsage` traversal
routine in terms of the generic ASN.1 SEQUENCE traversal routine.
2019-06-25 09:06:26 +01:00
Hanno Becker 90b9408dd0 Implement SubjectAltName traversal via ASN.1 SEQUENCE OF traversal
This commit re-implements the `SubjectAlternativeName` traversal
routine in terms of the generic ASN.1 SEQUENCE traversal routine.
2019-06-25 09:06:26 +01:00
Hanno Becker 8730610ae0 Introduce ASN.1 API for traversing ASN.1 SEQUENCEs
This commit adds a new function `mbedtls_asn1_traverse_sequence_of()`
which traverses an ASN.1 SEQUENCE and calls a user-provided callback
for each entry.

It allows to put the following constraints on the tags allowed
in the SEQUENCE:
- A tag mask and mandatory tag value w.r.t. that mask.
  A non-matching tag leads to an MBEDTLS_ERR_ASN1_UNEXPECTED_TAG error.
  For example, it the mask if 0xFF, this means that only
  a single tag will be allowed in the SEQUENCE.
- A tag mask and optional tag value w.r.t. that mask.
  A non-matching tag is silently ignored.

The main use for this flexibility is the traversal of the
`SubjectAlternativeNames` extension, where some parts of the
tag are fixed but some are flexible to indicate which type
of name the entry describes.
2019-06-25 09:06:26 +01:00