Commit graph

1612 commits

Author SHA1 Message Date
Gilles Peskine f11d33b2df Cleaned up negative test predicate for test case
The test infrastructure does support negative predicates for test
cases, thanks to Andreas for letting me know.
2017-06-06 19:16:18 +02:00
Gilles Peskine 5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine 4fa6bed0c6 X.509 tests: obey compile-time SHA-1 support option
There is now one test case to validate that SHA-1 is rejected in
certificates by default, and one test case to validate that SHA-1 is
supported if MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is #defined.
2017-06-06 18:44:14 +02:00
Gilles Peskine 5e79cb3662 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 18:44:13 +02:00
Manuel Pégourié-Gonnard 23b33f8663 Merge remote-tracking branch 'hanno/sig_hash_compatibility' into development
* hanno/sig_hash_compatibility:
  Improve documentation
  Split long lines
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:14:57 +02:00
Simon Butcher 9f77017a8d Updated version number to 2.5.0 2017-05-16 10:22:37 +01:00
Andres AG f5bf7189d3 Change return type of AES decrypt and encrypt
This patch modifies the following 2 functions in the AES module to
change the return type from void to int:
    * mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
    * mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
This change is necessary to allow users of MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT and MBEDTLS_AES_ENCRYPT_ALT to return an error
code when replacing the default with their own implementation, e.g.
a hardware crypto accelerator.
2017-05-16 10:22:37 +01:00
Janos Follath 088ce43ffe Implement optional CA list suppression in Certificate Request
According to RFC5246 the server can indicate the known Certificate
Authorities or can constrain the aurhorisation space by sending a
certificate list. This part of the message is optional and if omitted,
the client may send any certificate in the response.

The previous behaviour of mbed TLS was to always send the name of all the
CAs that are configured as root CAs. In certain cases this might cause
usability and privacy issues for example:
- If the list of the CA names is longer than the peers input buffer then
  the handshake will fail
- If the configured CAs belong to third parties, this message gives away
  information on the relations to these third parties

Therefore we introduce an option to suppress the CA list in the
Certificate Request message.

Providing this feature as a runtime option comes with a little cost in
code size and advantages in maintenance and flexibility.
2017-05-16 10:22:37 +01:00
Andres Amaya Garcia 75fdf631fd Remove obsolete macros from compat-1.3.h 2017-05-16 10:22:37 +01:00
Hanno Becker 7e5437a972 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-15 11:50:11 +01:00
Hanno Becker 1aa267cbc3 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-15 11:46:57 +01:00
Andres Amaya Garcia af610a0baf Fix check-doxy-blocks.pl errors (cmac.c ecjpake.h) 2017-05-12 00:18:04 +01:00
Janos Follath 5634b8609b Apply feedback to ECP internal interface documentation 2017-05-11 22:42:14 +01:00
Janos Follath aab9efb4ce Add doxygen documentation to the new ECP interface
Document the functions in the Elliptic Curve Point module hardware
acceleration to guide silicon vendors when implementing the drivers.
2017-05-11 22:42:14 +01:00
Janos Follath 333d163523 Remove obsolote ECP abstraction macros
Some macros have been removed from the Elliptic Curve Point abstraction
layer, and they shouldn't have remained in the check_config.h
2017-05-11 22:42:14 +01:00
Janos Follath c44ab97cc9 Apply review feedback on ECP interface
Naming conventions are revised, style issues corrected and minor
optimisation added.
2017-05-11 22:42:14 +01:00
Janos Follath b8a90fb51c Update ECP hardware abstraction interface
With this commit the Elliptic Curve Point interface is rewised. Two
compile time options has been removed to simplify the interface and
the function names got a new prefix that indicates that these functions
are for internal use and not part of the public interface.
2017-05-11 22:42:14 +01:00
Janos Follath ee782bcd54 Adjust documentation to new ECP function names. 2017-05-11 22:42:14 +01:00
Janos Follath 552f6b6d17 Add global mutex for asymmetric crypto accelerator
The primary use case behind providing an abstraction layer to enable
alternative Elliptic Curve Point arithmetic implementation, is making
use of cryptographic acceleration hardware if it is present.

To provide thread safety for the hardware accelerator we need a mutex
to guard it.
2017-05-11 22:42:14 +01:00
Janos Follath 16e63ea2e2 Fix alternative ECP function names
The alternative Elliptic Curve Point arithmetic functions didn't have
an 'mbedtls_' prefix as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath 4d9c69dde8 Fix ECP alternative macro names
The compile time macros enabling the initialisation and deinitialisation
in the alternative Elliptic Curve Point arithmetic implementation had
names that did not end with '_ALT' as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath 47d28f08a6 Remove alt_internal directory 2017-05-11 22:42:14 +01:00
Janos Follath 372697b6b7 Clean up ECP abstraction layer code
This commit fixes several style issues and fixes in the documentation
of the Elliptic Curve Point arithmetic abstraction layer.
2017-05-11 22:42:14 +01:00
Janos Follath b069753313 ECP: Add module and function level replacement options. 2017-05-11 22:42:14 +01:00
Jaakko Korhonen aca11a071d Fixed typo in ssl.h 2017-02-28 08:58:02 +00:00
Simon Butcher ee75b9b417 Add clarification to the TLS renegotiation period
Expanded details on use of mbedtls_ssl_conf_renegotiation_period()
2017-02-03 00:21:28 +00:00
Simon Butcher 1d4db5b7b5 Merge 'iotssl-1099-incorrect-renego-dtls'
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-02 23:47:08 +00:00
Simon Butcher a90f6bd657 Merge PR #737 - type in ssl.h 2017-02-02 15:32:47 +00:00
Simon Butcher 4d1e104bc1 Merge iotssl-1079-macro-redefinition-warning
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2017-02-02 12:19:04 +00:00
Andres AG 18c5c59b5b Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-01-19 16:30:15 +00:00
Jaakko Korhonen 14918fbda4 Fixed typo in ssl.h 2017-01-09 11:07:46 +02:00
Simon Butcher f4957a8855 Clarify CMAC API
Added additional text to cmac.h to make the API clearer.
2016-12-14 15:27:22 +00:00
Janos Follath 1808dc01bd Update library version number to 2.4.1 2016-12-13 16:00:52 +00:00
Andres AG ee7157e735 Fix redefinition of macro ssl_set_bio
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2016-12-07 10:27:00 +00:00
DSiekmeier b67c897ded removed outdated comment 2016-11-17 14:17:23 +00:00
Brian J Murray 2adecba01f Clarify Comments and Fix Typos (#651)
Fixes many typos, and errors in comments.

* Clarifies many comments
* Grammar correction in config.pl help text
* Removed comment about MBEDTLS_X509_EXT_NS_CERT_TYPE.
* Comment typo fix (Dont => Don't)
* Comment typo fix (assure => ensure)
* Comment typo fix (byes => bytes)
* Added citation for quoted standard
* Comment typo fix (one complement => 1's complement)

The is some debate about whether to prefer "one's complement",  "ones'
complement", or "1's complement".  The more recent RFCs related to TLS
(RFC 6347,  RFC 4347, etc) use " 1's complement", so I followed that
convention.

* Added missing ")" in comment
* Comment alignment
* Incorrect comment after #endif
2016-11-06 12:45:15 +00:00
Simon Butcher 2cb4739ad2 Fix multiple erroneously named source files in comments
This fixes many incorrect references to filenames in the comments in config.h.
2016-11-04 12:23:11 +00:00
Simon Butcher 16c54ee9c8 Update library version number to 2.4.0 2016-10-16 19:34:39 +01:00
Simon Butcher 8e00410402 Merge fix for AEAD Random IVs 2016-10-14 00:48:33 +01:00
Simon Butcher 99000142cb Merge fix for IE Certificate Compatibility 2016-10-13 17:21:01 +01:00
Andres AG 314d8a8400 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 13:54:47 +01:00
Andres AG 2280e9cc48 Fix typo in docs for mbedtls_x509write_csr_der() 2016-10-13 13:53:56 +01:00
Janos Follath 2b3b740574 Remove unnecessary flag from CMAC context 2016-10-13 13:53:33 +01:00
Andres AG 8254b6c9f3 Clean up of formatting, and potential integer overflow fix 2016-10-13 13:51:13 +01:00
Simon Butcher f394e09431 Clean up and minor fixes following review
Minor fixes following review including:
    * formatting changes including indentation and code style
    * corrections
    * removal of debug code
    * clarification of code through variable renaming
    * memory leak
    * compiler warnings
2016-10-13 13:51:12 +01:00
Simon Butcher 5805fbedcb Fix CMAC interface for doxygen
Parameters didn't match the function definition.
2016-10-13 13:51:12 +01:00
Simon Butcher 08e890004c Fix naming in cmac.h to comply with check-names.sh 2016-10-13 13:51:12 +01:00
Simon Butcher 59b4c888fe Clean up comment formatting in md.h 2016-10-13 13:51:12 +01:00
Simon Butcher 53b5e9c0a9 Remove CMAC as a separate and independent error group 2016-10-13 13:51:12 +01:00
Simon Butcher 0c79073a8b Refactor and change CMAC interface
Change the CMAC interface to match the mbedtls_md_hmac_xxxx() interface. This
changes the overall design of the CMAC interface to make it more consistent with
the existing HMAC interface, and will allow incremental updates of input data
rather than requiring all data to be presented at once, which is what the
current interface requires.
2016-10-13 13:51:11 +01:00