Commit graph

9390 commits

Author SHA1 Message Date
Jaeden Amero 3aeb13ef1c ChangeLog: Enable builds as a CMake subproject 2019-07-12 10:40:36 +01:00
Ashley Duncan eb33978fa8 Remove use of CMAKE_SOURCE_DIR
Remove use of CMAKE_SOURCE_DIR in case mbedtls is built from within
another CMake project. Define MBEDTLS_DIR to ${CMAKE_CURRENT_SOURCE_DIR}
in the main CMakeLists.txt file and refer to that when defining target
include paths to enable mbedtls to be built as a sub project.

Fixes #2609

Signed-off-by: Ashley Duncan <ashes.man@gmail.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2019-07-12 10:39:21 +01:00
Jaeden Amero 85da85555e Merge remote-tracking branch 'origin/pr/2686' into mbedtls-2.18
* origin/pr/2686:
  Update library version to 2.18.0
2019-06-18 14:21:23 +01:00
Jaeden Amero b1c72f56b1 Update library version to 2.18.0
Increase the SO versions of libmbedx509 and libmbedtls due to the
addition of fields in publicly visible (non-opaque) structs:
  - mbedtls_ssl_config
  - mbedtls_ssl_context
  - mbedtls_x509_crt
2019-06-11 17:19:35 +01:00
Jaeden Amero a3daa21d8c Merge remote-tracking branch 'origin/pr/2678' into development
* origin/pr/2678:
  Update crypto submodule to 1.1.0d2
  all.sh: Perform targeted EtM tests for MAC-less configs
  ssl: Don't access non-existent encrypt_then_mac field
2019-06-10 11:00:14 +01:00
Jaeden Amero e1ae731efa Update crypto submodule to 1.1.0d2 2019-06-07 13:51:36 +01:00
Jaeden Amero 048df33d62 Merge remote-tracking branch 'origin/pr/2679' into development
* origin/pr/2679:
  test: Remove redundant 0-byte decryption test
  test: Check empty buffer decryption for chachapoly
2019-06-06 14:19:23 +01:00
Jaeden Amero bb16d0c956 Merge remote-tracking branch 'origin/pr/2654' into development
* origin/pr/2654:
  Create link to include/mbedtls only when testing is enabled
2019-06-06 14:18:23 +01:00
Jaeden Amero 2353b542d9 test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher
and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20
Encrypt and decrypt 0 bytes" test will test decryption of a 0 length
buffer.
2019-06-06 11:56:54 +01:00
Jaeden Amero ab11889958 test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would
test that decryption of an empty buffer would work with
MBEDTLS_CIPHER_AES_128_CBC.

Make the cipher used with the dec_empty_buf() test configurable, so that
Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other
than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer
tests use the MBEDTLS_CIPHER_CHACHA20 and
MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
2019-06-06 11:56:54 +01:00
Jaeden Amero 6b1683dd5d all.sh: Perform targeted EtM tests for MAC-less configs
When testing a configuration where no ciphersuites have MAC, via
component_test_when_no_ciphersuites_have_mac(), perform a targeted test
of only encrypt-then-MAC tests within ssl-opt.sh.
2019-06-05 14:42:50 +01:00
Jaeden Amero 2de07f1dd1 ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not
MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and
build_transforms() will attempt to use a non-existent `encrypt_then_mac`
field in the ssl_transform.

    Compile [ 93.7%]: ssl_tls.c
    [Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha
s no member named 'encrypt_then_mac'
    [ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys'
:
    ./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str
uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac'
         transform->encrypt_then_mac = session->encrypt_then_mac;
                  ^~

Change mbedtls_ssl_derive_keys() and build_transforms() to only access
`encrypt_then_mac` if `encrypt_then_mac` is actually present.

Add a regression test to detect when we have regressions with
configurations that do not include any MAC ciphersuites.

Fixes d56ed2491b ("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
2019-06-05 14:09:29 +01:00
Simon Butcher a1491fe74f Merge remote-tracking branch 'public/pr/2651' into HEAD 2019-06-04 16:09:30 +01:00
Simon Butcher fe20bea3c7 Merge remote-tracking branch 'public/pr/2643' into HEAD 2019-06-04 16:09:20 +01:00
Simon Butcher 150deca7b9 Merge remote-tracking branch 'public/pr/2642' into HEAD 2019-06-04 16:09:14 +01:00
Simon Butcher ca6aee4a45 Merge remote-tracking branch 'public/pr/2641' into HEAD 2019-06-04 16:09:07 +01:00
Hanno Becker b9355b77d2 Add description of CID feature to ChangeLog 2019-06-03 16:07:50 +01:00
Hanno Becker d0ac5faa72 Insert records with unexpected CID in CID tests in ssl-opt.sh 2019-06-03 16:07:50 +01:00
Hanno Becker e8d6afd627 Add debug line witnessing receipt of unexpected CID 2019-06-03 16:07:50 +01:00
Hanno Becker 98aaf25686 Add bad_cid option UDP proxy to insert unexpected CID records
This commit adds the command line option 'bad_cid' to the UDP proxy
`./programs/test/udp_proxy`. It takes a non-negative integral value N,
which if not 0 has the effect of duplicating every 1:N CID records
and modifying the CID in the first copy sent.

This is to exercise the stacks documented behaviour on receipt
of unexpected CIDs.

It is important to send the record with the unexpected CID first,
because otherwise the packet would be dropped already during
replay protection (the same holds for the implementation of the
existing 'bad_ad' option).
2019-06-03 16:07:50 +01:00
Hanno Becker 92d30f5bcf Fix indentation in debug message in ssl_tls.c 2019-06-03 16:07:50 +01:00
Hanno Becker 8e55b0f852 Improve comment in ssl_parse_record_header() 2019-06-03 16:07:50 +01:00
Hanno Becker 3739e203cf Disable Connection ID feature by default 2019-06-03 16:07:50 +01:00
Hanno Becker 3978d10e9e Remove superfluous new line in ssl_server2 2019-06-03 16:07:50 +01:00
Hanno Becker 3279822e24 Improve readability of ssl_client2/ssl_server2 usage instructions 2019-06-03 16:07:50 +01:00
Hanno Becker 1d433a3294 Remove superfluous newline in ssl_client2 2019-06-03 16:07:50 +01:00
Hanno Becker d5eed4258a Use negative-hex format for error codes in ssl_client2/ssl_server2 2019-06-03 16:07:50 +01:00
Hanno Becker 1125952107 Expand CID to Connection ID in documentation of mbedtls_ssl_conf_cid 2019-06-03 16:07:50 +01:00
Hanno Becker 6ae14c086d Exemplify ways of calling mbedtls_ssl_get_peer_cid() in ssl_client2 2019-06-03 16:07:50 +01:00
Hanno Becker 615ef17b67 Allow passing NULL pointers to mbedtls_ssl_get_peer_cid()
This commit modifies mbedtls_ssl_get_peer_cid() to also allow passing
NULL pointers in the arguments for the peer's CID value and length, in
case this information is needed.

For example, some users might only be interested in whether the use of
the CID was negotiated, in which case both CID value and length pointers
can be set to NULL. Other users might only be interested in confirming
that the use of CID was negotiated and the peer chose the empty CID,
in which case the CID value pointer only would be set to NULL.
It doesn't make sense to pass a NULL pointer for the CID length but a
non-NULL pointer for the CID value, as the caller has no way of telling
the length of the returned CID - and this case is therefore forbidden.
2019-06-03 16:07:50 +01:00
Hanno Becker 8c07beeb84 Rename MBEDTLS_SSL_CID->MBEDTLS_SSL_DTLS_CONNECTION_ID in SSL suite 2019-06-03 16:07:50 +01:00
Hanno Becker 62e5afabcb Fix typo in Doxygen documentation of mbedtls_ssl_conf_cid() 2019-06-03 16:07:50 +01:00
Hanno Becker a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker ebcc9137ca Consistently reference CID draft through name + URL 2019-06-03 16:07:50 +01:00
Hanno Becker d1f203557f Slightly reorder CID debug messages during creation of transforms 2019-06-03 16:07:50 +01:00
Hanno Becker f1a2808b8f Fix typo in documentation of mbedtls_ssl_context::cid_in_use 2019-06-03 16:07:50 +01:00
Hanno Becker fb034e852e Improve wording of documentation of mbedtls_ssl_get_peer_cid() 2019-06-03 16:07:50 +01:00
Hanno Becker 5cc145d4db Slightly reword documentation of mbedtls_ssl_set_cid() 2019-06-03 16:07:50 +01:00
Hanno Becker 08cd9db836 Use full sentences in Doxygen documentation of mbedtls_ssl_set_cid() 2019-06-03 16:07:50 +01:00
Hanno Becker 08cbc0c19e Use uniform spacing in def's of MBEDTLS_SSL_CID_{IN|OUT}_LEN_MAX 2019-06-03 16:07:50 +01:00
Hanno Becker d9d4adbeae Improve wording in documentation of mbedtls_ssl_set_cid() 2019-06-03 16:07:50 +01:00
Hanno Becker 4cac442211 Update references to CID draft to version 5 2019-06-03 16:07:50 +01:00
Hanno Becker 56f81c7178 Improve wording in documentation of MBEDTLS_SSL_CID 2019-06-03 16:07:50 +01:00
Hanno Becker 611ac77127 Fix mbedtls_ssl_conf_cid() to not depend on macro constant values
The previous implementation of mbedtls_ssl_conf_cid() relied on
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE being defined as 1.
2019-06-03 16:07:50 +01:00
Hanno Becker 7fefd83b34 Modify MBEDTLS_SSL_UNEXPECTED_CID_{FAIL|IGNORE} to ignore by default 2019-06-03 16:07:50 +01:00
Hanno Becker 5d12467fad Remove warnings about unfinished CID implementation
The implementation is complete now.
2019-06-03 16:07:50 +01:00
Hanno Becker 8367ccc03b Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow the configuration of the stack's behaviour when receiving an
encrypted DTLS record with unexpected CID.
2019-06-03 16:07:50 +01:00
Hanno Becker c37c96a3c5 Add specific SSL error code for unexpected CIDs
Currently, the stack silently ignores DTLS frames with an unexpected CID.
However, in a system which performs CID-based demultiplexing before passing
datagrams to the Mbed TLS stack, unexpected CIDs are a sign of something not
working properly, and users might want to know about it.

This commit introduces an SSL error code MBEDTLS_ERR_SSL_UNEXPECTED_CID
which the stack can return in response to an unexpected CID. It will
conditionally be put to use in subsequent commits.
2019-06-03 16:07:50 +01:00
Hanno Becker b9ec44fcf6 Remove restriction on value of MBEDTLS_SSL_CID_PADDING_GRANULARITY 2019-06-03 16:07:50 +01:00
Hanno Becker ddf775a97f Reword CID documentation 2019-06-03 16:07:50 +01:00