Commit graph

9840 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard c86c5df081 Add saved fields from top-level structure 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard 3309a67996 Fix memory leak in client/server2
context_buf was never free()d. Moreover, since we want to free it on error
paths as well, and even properly zeroize it in order to demonstrate good
memory hygiene, we need to make it and its length main()-scoped.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard c2a7b891a1 Add transform (de)serialization 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard b9dfc9fd30 Fix English in comments 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard a88399c091 Improve demo/testing code in client/server2
Previously it was missing reset in case 1, and in case 2 the code was never
executed as the option value was reset to 0.

Tighten checking of return values of save(NULL, 0) now that it works.

Also, improve the printed output as well as the comments.

I checked manually that everything now works and fail in the expected way:
save, reset-or-reinit and load all succeed, but the subsequent read or write
fails.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard 4b7e6b925f Add session saving/loading
For now, the header (version+format bytes) is duplicated. This might be
optimized later.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard 4c90e858b5 Add (stub) header writing and checking
The number of meaning of the flags will be determined later, when handling the
relevant struct members. For now three bytes are reserved as an example, but
this number may change later.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard 0ff76407d2 Add usage checks in context_load() 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard 00400c2bf6 Document internal serialisation format
This mainly follows the design document (saving all fields marked "saved" in
the main structure and the transform sub-structure) with two exceptions:

- things related to renegotiation are excluded here (there weren't quite in
  the design document as the possibility of allowing renegotiation was still
on the table, which is no longer is) - also, ssl.secure_renegotiation (which
is not guarded by MBEDTLS_SSL_RENEGOTIATION because it's used in initial
handshakes even with renegotiation disabled) is still excluded, as we don't
need it after the handshake.

- things related to Connection ID are added, as they weren't present at the
  time the design document was written.

The exact format of the header (value of the bitflag indicating compile-time
options, whether and how to merge it with the serialized session header) will
be determined later.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard 1aaf66940e Implement usage checks in context_save()
Enforce restrictions indicated in the documentation.

This allows to make some simplifying assumptions (no need to worry about
saving IVs for CBC in TLS < 1.1, nor about saving handshake data) and
guarantees that all values marked as "forced" in the design document have the
intended values and can be skipped when serialising.

Some of the "forced" values are not checked because their value is a
consequence of other checks (for example, session_negotiated == NULL outside
handshakes). We do however check that session and transform are not NULL (even
if that's also a consequence of the initial handshake being over) as we're
going to dereference them and static analyzers may appreciate the info.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard 96fb0ee9cf Save Hello random bytes for later use 2019-08-23 13:11:31 +03:00
Jarno Lamsa ddf72a1cf6 Fix style issues 2019-08-23 13:07:05 +03:00
Jarno Lamsa 8e2532196d Set timer callbacks with serialization 2019-08-23 13:05:43 +03:00
Jarno Lamsa 1a7f7936f3 Fix spacing 2019-08-23 13:05:43 +03:00
Jarno Lamsa 15b3a7ae4d Fix compiler warnings 2019-08-23 13:05:42 +03:00
Jarno Lamsa c2376f049a Add tests for re-init flow for context serialization 2019-08-23 13:05:42 +03:00
Jarno Lamsa 304d61cede Add option for ssl-context re-initialization flow 2019-08-23 13:05:34 +03:00
Jarno Lamsa 12021ee115 Fix spacing 2019-08-23 12:53:40 +03:00
Jarno Lamsa 1d1657f11c Allow stub implementation of the context_save for now 2019-08-23 12:53:40 +03:00
Jarno Lamsa 93c6ff2392 Address review comments for code-style issues 2019-08-23 12:53:40 +03:00
Jarno Lamsa 378d64daad Remove mbedtls_ssl_free() and mbedtls_ssl_init() from serialization flow in test 2019-08-23 12:53:40 +03:00
Jarno Lamsa a0b2cd6f82 ssl-opt.sh tests for serialization are currently using stub implementation 2019-08-23 12:53:40 +03:00
Jarno Lamsa cbee1b3bda Add missing slashes to tests 2019-08-23 12:53:40 +03:00
Jarno Lamsa 2937d81eb8 Add serialization tests to ssl-opt.sh 2019-08-23 12:53:40 +03:00
Jarno Lamsa bbc7b41903 Use MBEDTLS_SSL_CONTEXT_SERIALIZATION flag 2019-08-23 12:53:40 +03:00
Jarno Lamsa 5a3a16cb1b Serialize/deserialize for ssl_server2 2019-08-23 12:53:40 +03:00
Jarno Lamsa af30629686 Rely on opt.exchanges for sending after serialization 2019-08-23 12:53:40 +03:00
Jarno Lamsa 77e6665ffb Serialization/deserialization in ssl_client2 2019-08-23 12:53:40 +03:00
Jarno Lamsa 9831c8a14c Add option for serialization in ssl_client/server2 2019-08-23 12:53:40 +03:00
Manuel Pégourié-Gonnard d0a86f96dc Clarify documentation of mbedtls_ssl_context_load() 2019-08-23 12:52:29 +03:00
Manuel Pégourié-Gonnard 6d8f128790 Fix typos, grammar and wording in documentation 2019-08-23 12:52:29 +03:00
Manuel Pégourié-Gonnard ac87e28bb2 Declare and document ssl_context_save()/load()
Also introduce stub definitions so that things compile and link.
2019-08-23 12:52:29 +03:00
Manuel Pégourié-Gonnard afa8f71700 Add new config MBEDTLS_SSL_CONTEXT_SERIALIZATION
This is enabled by default as we generally enable things by default unless
there's a reason not to (experimental, deprecated, security risk).

We need a compile-time option because, even though the functions themselves
can be easily garbage-collected by the linker, implementing them will require
saving 64 bytes of Client/ServerHello.random values after the handshake, that
would otherwise not be needed, and people who don't need this feature
shouldn't have to pay the price of increased RAM usage.
2019-08-23 12:52:29 +03:00
Hanno Becker be34e8e9c0 Remove reference to outdated compile-time option 2019-08-23 12:51:21 +03:00
Hanno Becker f9b3303eb9 Introduce specific error for ver/cfg mismatch on deserialization
This commit introduces a new SSL error code

  `MBEDTLS_ERR_SSL_VERSION_MISMATCH`

which can be used to indicate operation failure due to a
mismatch of version or configuration.

It is put to use in the implementation of `mbedtls_ssl_session_load()`
to signal the attempt to de-serialize a session which has been serialized
in a build of Mbed TLS using a different version or configuration.
2019-08-23 12:51:21 +03:00
Hanno Becker fe1275e3fe Improve test for detection of ver/cfg corruption in serialized data
This commit improves the test exercising the behaviour of
session deserialization when facing an unexpected version
or config, by testing ver/cfg corruption at any bit in the
ver/cfg header of the serialized data; previously, it had
only tested the first bit of each byte.
2019-08-23 12:51:21 +03:00
Hanno Becker 363b646dd8 Use US spelling 'serialize' instead of UK spelling 'serialise' 2019-08-23 12:51:21 +03:00
Hanno Becker 3e08866e06 Use def'n consts for bits in config-identifier of serialized data 2019-08-23 12:51:21 +03:00
Hanno Becker dc28b6c5e1 Note that ver+fmt bytes in serialized data must not be removed 2019-08-23 12:51:21 +03:00
Hanno Becker 50b596666d Improve doc'n of config-identifying bitfield in serialized session 2019-08-23 12:51:21 +03:00
Hanno Becker f37d91830a Session serialization: Fail with BAD_INPUT_DATA if buffer too small 2019-08-23 12:51:21 +03:00
Hanno Becker bb54d5a3b1 Use consistent spelling of 'serialise/serialize' in SSL test suite 2019-08-23 12:51:21 +03:00
Hanno Becker 861d0bbbf2 Add negative tests for unexpected ver/cfg in session deserialization 2019-08-23 12:51:21 +03:00
Hanno Becker 94ef3b35f4 Encode relevant parts of the config in serialized session header
This commit makes use of the added space in the session header to
encode the state of those parts of the compile-time configuration
which influence the structure of the serialized session in the
present version of Mbed TLS. Specifically, these are
- the options which influence the presence/omission of fields
  from mbedtls_ssl_session (which is currently shallow-copied
  into the serialized session)
- the setting of MBEDTLS_X509_CRT_PARSE_C, which determines whether
  the serialized session contains a CRT-length + CRT-value pair after
  the shallow-copied mbedtls_ssl_session instance.
- the setting of MBEDTLS_SSL_SESSION_TICKETS, which determines whether
  the serialized session contains a session ticket.
2019-08-23 12:51:21 +03:00
Hanno Becker f878707b8f Add configuration identifier to serialized SSL sessions
This commit adds space for two bytes in the header of serizlied
SSL sessions which can be used to determine the structure of the
remaining serialized session in the respective version of Mbed TLS.

Specifically, if parts of the session depend on whether specific
compile-time options are set or not, the setting of these options
can be encoded in the added space.

This commit doesn't yet make use of the fields.
2019-08-23 12:51:21 +03:00
Hanno Becker a835da5cb1 Add Mbed TLS version to SSL sessions
The format of serialized SSL sessions depends on the version and the
configuration of Mbed TLS; attempts to restore sessions established
in different versions and/or configurations lead to undefined behaviour.

This commit adds an 3-byte version header to the serialized session
generated and cleanly fails ticket parsing in case a session from a
non-matching version of Mbed TLS is presented.
2019-08-23 12:51:21 +03:00
Manuel Pégourié-Gonnard aa75583ced Re-enable test that now works with new format
Previously the test didn't work because of embedded pointer values that
are not predictable. Now it works as we no longer serialize such values.
2019-08-23 12:50:17 +03:00
Manuel Pégourié-Gonnard eef4c753f1 Adapt buffering test to new ticket size
The size of the ticket used in this test dropped from 192 to 143 bytes, so
move all sizes used in this test down 50 bytes. Also, we now need to adapt the
server response size as the default size would otherwise collide with the new
mtu value.
2019-08-23 12:50:17 +03:00
Manuel Pégourié-Gonnard f743c03ea7 Add new ABI-independent format for serialization 2019-08-23 12:50:17 +03:00
Manuel Pégourié-Gonnard ee13a732d6 Fix serialization tests for !SSL_KEEP_PEER_CERT
The chosen fix matches what's currently done in the baremetal branch - except
the `#ifdef` have been adapted because now in baremetal the digest is not kept
if renegotiation is disabled.
2019-08-23 12:48:41 +03:00