Commit graph

4658 commits

Author SHA1 Message Date
Hanno Becker 2f41b248c1 Remove calc_verify SSL function pointer 2019-08-29 16:01:32 +01:00
Hanno Becker 8443491280 Make SSL checksum update function inline
This saves a few bytes in configurations where only one hash
is enabled, and configurations allowing multiple hashes probably
don't care about code-size anyway.
2019-08-29 16:01:31 +01:00
Hanno Becker 8a4b59049b Remove checksum update function pointer from SSL handshake params 2019-08-29 16:01:31 +01:00
Hanno Becker 533f5b1d8d Remove ssl_optimize_checksum()
This function is called on client-only once the ciphersuite has
been chosen and it it is known which digest the client will need
for the handshake transcript throughout the handshake, and causes
all other unneeded handshake transcripts to be discontinued.

(On the server, we cannot call this function because we don't know
 which hash the client will those in its CertificateVerify message).

However, the benefit of this call is marginal, since transcript hash
computation is negligible compared to asymmetric crypto, and moreover
the handshake transcript contexts for the unused digests are still
stored in the SSL handshake parameter structure and not freed until
the end of the handshake.

Finally, if we're running on a _really_ constrained client, there
will be only one hash function enabled anyway, and in this case
the checksum optimization has no effect.

This commit therefore removes checksum optimization altogether,
saving some code on constrained systems.
2019-08-29 16:01:31 +01:00
Hanno Becker c2fb759f3b Remove TLS calc_finished function pointer from SSL handshake params 2019-08-29 16:01:31 +01:00
Hanno Becker 39c7f7e3de Remove TLS PRF function pointer from SSL handshake parameters 2019-08-29 16:01:30 +01:00
Manuel Pégourié-Gonnard 7228167843
Merge pull request #647 from hanno-arm/hmac_drbg_entropy_fix-baremetal
[Baremetal] Fix incompatibility between HMAC DRBG and entropy module
2019-08-28 09:20:38 +02:00
Manuel Pégourié-Gonnard 87f57f6df0
Merge pull request #642 from jarvte/mbedtls_ssl_set_hostname_to_optional
[baremetal] Make function mbedtls_ssl_set_hostname(...) as optional
2019-08-28 09:20:20 +02:00
Hanno Becker 31c95e1e94 Fix and improve documentation of HMAC DRBG
- a comment regarding the implementation of hmac_drbg_reseed_core()
  was misplaced.
- add more references to the standard, and add details on how the
  comments in the code refer to various parts of the standard.
2019-08-27 09:22:09 +01:00
Hanno Becker b3a06e66d8 hmac_drbg.c: Rename hmac_drbg_reseed_internal->hmac_drbg_reseed_core 2019-08-27 09:21:44 +01:00
Teppo Järvelin 4009d8f377 Make function mbedtls_ssl_set_hostname(...) as optional
Now function mbedtls_ssl_set_hostname is compile-time configurable
in config.h with define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION.
This affects to many x509 API's. See config.h for details.
2019-08-27 10:47:08 +03:00
Hanno Becker eab304caf5 HMAC DRBG: Split entropy-gathering requests to reduce request sizes
According to SP800-90A, the DRBG seeding process should use a nonce
of length `security_strength / 2` bits as part of the DRBG seed. It
further notes that this nonce may be drawn from the same source of
entropy that is used for the first `security_strength` bits of the
DRBG seed. The present HMAC DRBG implementation does that, requesting
`security_strength * 3 / 2` bits of entropy from the configured entropy
source in total to form the initial part of the DRBG seed.

However, some entropy sources may have thresholds in terms of how much
entropy they can provide in a single call to their entropy gathering
function which may be exceeded by the present HMAC DRBG implementation
even if the threshold is not smaller than `security_strength` bits.
Specifically, this is the case for our own entropy module implementation
which only allows requesting at most 32 Bytes of entropy at a time
in configurations disabling SHA-512, and this leads to runtime failure
of HMAC DRBG when used with Mbed TLS' own entropy callbacks in such
configurations.

This commit fixes this by splitting the seed entropy acquisition into
two calls, one requesting `security_strength` bits first, and another
one requesting `security_strength / 2` bits for the nonce.
2019-08-26 15:39:23 +01:00
Simon Butcher 6617a24056 Merge remote-tracking branch 'origin/pr/633' into baremetal 2019-08-21 13:46:18 +01:00
Simon Butcher f0f01e1f0a Merge remote-tracking branch 'origin/pr/630' into baremetal 2019-08-14 16:53:38 +01:00
Simon Butcher 434ab19164 Merge remote-tracking branch 'origin/pr/629' into baremetal 2019-08-14 16:53:13 +01:00
Simon Butcher 0863b2a259 Merge remote-tracking branch 'origin/pr/612' into baremetal 2019-08-14 16:50:13 +01:00
Hanno Becker a9d5c452f3 Remove mbedtls_ssl_transform::minlen 2019-08-13 15:04:39 +01:00
Hanno Becker b72fc6a648 Don't use const var in initialization of another const var
ARM Compiler doesn't like it.
2019-08-12 18:01:48 +01:00
Hanno Becker 8295ff0b04 tinyCrypt: Don't store public ECDH-share in handshake struct
Instead, write it to the message buffer directly.
2019-08-12 18:01:47 +01:00
Hanno Becker b1626fb619 tinyCrypt: Remove check for Secp256r1 in SrvKeyExch writing
The use of tinyCrypt is restricted Secp256r1-only, and a check in
ssl_ciphersuite_is_match() ensures that an EC ciphersuite is chosen
only if the client advertised support for Secp256r1, too.
2019-08-12 18:01:47 +01:00
Hanno Becker 9cf087d2e7 Use tinyCrypt only for ECDHE-RSA/ECDSA in SrvKeyExch writing
In a way inconsistent with the rest of the library restricting the
use of tinyCrypt to pure-ECDHE, the previous ServerKeyExchange writing
routine would use tinyCrypt also for ECDHE-PSK-based ciphersuites.
This commit fixes this.
2019-08-12 18:01:47 +01:00
Hanno Becker 7a19633c99 tinyCrypt: Avoid unused var warning by marking vars as unused 2019-08-12 18:01:47 +01:00
Hanno Becker 29d165565c Add MBEDTLS_ECDH_C guards to ECDH code-paths using legacy ECDH
Previously, MBEDTLS_KEY_EXCHANGE_ECDH[E]_XXX_ENABLED would imply
that MBEDTLS_ECDH_C is set, but with the introduction of tinyCrypt
as an alternative ECDH implementation, this is no longer the case.
2019-08-12 18:01:40 +01:00
Hanno Becker 975b9ee3c8 Fix guards around use of legacy ECDH context
mbedtls_ssl_handshake_params::ecdh_ctx should only be guarded
by MBEDTLS_ECDH_C, not by MBEDTLS_ECDSA_C.
2019-08-12 17:05:38 +01:00
Hanno Becker 621113fd3a tinyCrypt: Write client's key share 2019-08-12 17:05:38 +01:00
Hanno Becker a3c2c1712c tinyCrypt: Share ECDH secret calculation code-path 2019-08-12 17:05:38 +01:00
Hanno Becker 75f12d1eb9 tinyCrypt: Add ServerKeyExchange parsing code 2019-08-12 17:05:38 +01:00
Hanno Becker d849c7ca19 tinyCrypt: Hardcode ECDH parameter header
Saves a few bytes of code when tinyCrypt is used.
2019-08-12 17:05:38 +01:00
Hanno Becker d089fad925 tinyCrypt: Adapt RNG wrapper to return 0 on failure 2019-08-12 17:05:38 +01:00
Hanno Becker ef982d57bf tinyCrypt: Bind RNG wrapper to tinyCrypt in mbedtls_ssl_setup() 2019-08-12 17:05:38 +01:00
Jarno Lamsa e12aafbdc7 tinyCrypt: Initial commit towards ECDHE support
This commit is a first step towards using uECC for ECDH
during TLS handshakes.
2019-08-12 17:05:38 +01:00
Hanno Becker 3328b1822a Move ssl_process_in_server_key_exchange to avoid func use-before-def 2019-08-12 17:05:03 +01:00
Hanno Becker 4e46709800 Document precoditions on some HS parsing/writing functions
Eventually, all HS parsing/writing functions should take an arbitrary buffer +
length pair as their argument, and return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if
the provided buffer is too short. So far, we've only made a first step by
allowing to pass an arbitrary buffer, but don't yet add bounds checks
throughout. While deliberate for now, this must be clearly documented.
2019-08-12 17:05:03 +01:00
Hanno Becker 7d552fad65 Avoid collision of ssl_xxx_key_exchange_yyy() func names in cli/srv
This makes grepping the functions more difficult, and also leads to compilation failures
when trying to build the library from a single source file (which might be useful for
code-size reasons).
2019-08-12 17:05:03 +01:00
Hanno Becker 48e526b380 Document parameter precondition for ssl_rsa_generate_partial_pms() 2019-08-12 17:05:03 +01:00
Hanno Becker aa49620f6e Minor documentation improvement to ssl_rsa_encrypt_partial_pms() 2019-08-12 17:05:03 +01:00
Hanno Becker 084694dd57 Fix copy-pasta in documentation for outgoing CliKeyExchange 2019-08-12 17:05:03 +01:00
Hanno Becker 44a29f4a6f Remove redundant use of local variable in CliKeyExch writing 2019-08-12 17:05:03 +01:00
Hanno Becker ae22dd3820 Simplify logic of restartable ECDHE in CliKeyExch writing 2019-08-12 17:05:03 +01:00
Hanno Becker 91cf7693b9 Remove restartable ECP return code check from ECDH suite handling
mbedtls_ecdh_read_params() is not restartable.
2019-08-12 17:05:03 +01:00
Manuel Pégourié-Gonnard fb02e96cf5 Fix indentation to a multiple of 4 spaces 2019-08-12 17:05:03 +01:00
Manuel Pégourié-Gonnard 8793fab635 Fix two typos in comments 2019-08-12 17:05:03 +01:00
Hanno Becker 587c1ae195 Make IAR happy by dummy-initializing an unused variable
IAR doesn't like `((void) var);` as a means to indicate an unused
variable if that variable hasn't been initialized before. Make it
happy by initializing the variable before.
2019-08-12 17:05:03 +01:00
Hanno Becker 7ba0a886bd Fix 'set but not used' ARM compiler warning 2019-08-12 17:05:03 +01:00
Hanno Becker a855cb635d Avoid unused variable warning in ServerKeyExchange parsing
ssl_server_key_exchange_parse() is compiled even if there's no ciphersuite
enabled which uses it (for example, that's the case in RSA-only builds).
The rationale for that is to avoid cluttering the code with numerous
compile-time guards. A consequence, however, is the top of
ssl_server_key_exchange_parse() contains declarations for variables
which are never put to use, and rightfully leading to compiler warnings.

This commit silences these warnings by putting `((void) VAR);` statements
in the branch which detects if we ever happen to call the function in an
unexpected ciphersuite.
2019-08-12 17:05:03 +01:00
Hanno Becker 868cb586cc Rename SSL_PROC_CHK -> MBEDTLS_SSL_CHK 2019-08-12 17:05:03 +01:00
Hanno Becker 572d448ab2 Enforce NULL context for hardcoded RNG 2019-08-12 17:05:03 +01:00
Hanno Becker 9a12243b01 Introduce getter function for RNG context 2019-08-12 17:05:03 +01:00
Hanno Becker 9db697e8c6 Async operations: Simplify restart logic 2019-08-12 17:05:03 +01:00
Hanno Becker 4ec73cb251 Restructure SrvKeyExchange: Move parsing code 2019-08-12 17:05:03 +01:00