Commit graph

9680 commits

Author SHA1 Message Date
Hanno Becker 4598e49916 Don't use P-256 test CRTs if P-256 is known to be disabled 2019-08-27 11:41:37 +01:00
Hanno Becker 843f5bb06c ssl-opt.sh: Configure trusted CA explicitly
ssl_client2 and ssl_server2 either allow loading specific CRTs
and CAs from files, or to leave them unspecified, in which case
they're automatically picked from the test certificates.

The test certificates should be chosen in a way that when
not specifying any CRT or CA parameters, the automatically
chosen ones match - but if one of them is specified but not
the other, one should not expect tests to succeed.

With the recent switch to Secp256r1-based test certificates,
the default test certificates have changed, which breaks some
ssl-opt.sh tests which specify the server CRT explicitly but
not the client trusted CAs.

This commit fixes this by specifying the client's trusted CA
explicitly in accordance with the explicitly specified server CRT.
2019-08-27 06:39:11 +01:00
Hanno Becker 75bc82702f Load raw certificate and key data from files to certs.c 2019-08-23 11:39:46 +01:00
Hanno Becker ba7082cc43 Add prototypes for Secp256r1 test CRTs and keys to certs.c 2019-08-23 11:39:45 +01:00
Hanno Becker e7124b557d Remove Secp384r1 from baremetal_test config
Previously, configs/baremetal_test.h added MBEDTLS_ECP_DP_SECP384R1_ENABLED
because we didn't have sufficient test certificates using Secp256r1. Now that
these test certificates have been added, we can successfully run
ssl_client2 and ssl_server2 with just Secp256r1 enabled.
2019-08-23 11:33:20 +01:00
Hanno Becker 4a4047c326 Add script to auto-generate certs.c
This commit adds the script scripts/generate_certs.sh which
parses library/certs.c and inserts certificate and key files
for any block of the form

   /* BEGIN FILE [string|binary] [variable|macro] NAME FILE */
   ...
   /* END FILE */

Here, the first argument string / binary indicates whether the
file should be inserted as a string or as a binary array. The
second argument indicates whether the resulting object should
be registered as a C variable or a macro.

This script allows to easily update certs.c in case any of the
test certificates from tests/data_files change, or new test
certificates / keys need to be added.
2019-08-23 11:33:20 +01:00
Hanno Becker 585dfc4f56 Add Secp256R1 test keys and CRTs 2019-08-23 11:33:20 +01:00
Hanno Becker 4efd089ed5 Add build instructions for CRTs and keys using P-256 2019-08-23 11:33:20 +01:00
Simon Butcher 6617a24056 Merge remote-tracking branch 'origin/pr/633' into baremetal 2019-08-21 13:46:18 +01:00
Simon Butcher 7d8a807daf Merge remote-tracking branch 'origin/pr/637' into baremetal 2019-08-21 13:46:07 +01:00
Simon Butcher f0f01e1f0a Merge remote-tracking branch 'origin/pr/630' into baremetal 2019-08-14 16:53:38 +01:00
Simon Butcher 434ab19164 Merge remote-tracking branch 'origin/pr/629' into baremetal 2019-08-14 16:53:13 +01:00
Simon Butcher 0863b2a259 Merge remote-tracking branch 'origin/pr/612' into baremetal 2019-08-14 16:50:13 +01:00
Hanno Becker a9d5c452f3 Remove mbedtls_ssl_transform::minlen 2019-08-13 15:04:39 +01:00
Hanno Becker 0f36e7bfa3 Explain why RNG ctx parameter is kept in MBEDTLS_SSL_CONF_RNG 2019-08-13 11:36:34 +01:00
Hanno Becker 665d698972 Fix typo in documentation of MBEDTLS_SSL_CONF_RNG in config.h 2019-08-13 11:36:29 +01:00
Jarno Lamsa 7ba6288c37 Add all.sh tests for testing tinycrypt
One test for running with MBEDTLS_ECDH_C on and one
for running MBEDTLS_ECDH_C off. Run ssl-opt.sh with Default, DTLS
and compatibility tests with TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.
2019-08-13 13:01:13 +03:00
Hanno Becker 3a33679ab1 Fix style issue in ssl_internal.h 2019-08-12 18:01:48 +01:00
Jarno Lamsa b4983468e1 Add documentation for MBEDTLS_USE_TINYCRYPT
Add documentation about requiring the usage of
a single EC and an external RNG-function.
2019-08-12 18:01:48 +01:00
Hanno Becker 19bf09ee92 Remove standalone tinyCrypt tests from all.sh
tinyCrypt is still tested in the baremetal tests since it
is enabled in baremetal.h. Tests for minimal modifictions
of the default / full config enabling tinyCrypt will be
added elsewhere.
2019-08-12 18:01:48 +01:00
Hanno Becker b72fc6a648 Don't use const var in initialization of another const var
ARM Compiler doesn't like it.
2019-08-12 18:01:48 +01:00
Hanno Becker 8295ff0b04 tinyCrypt: Don't store public ECDH-share in handshake struct
Instead, write it to the message buffer directly.
2019-08-12 18:01:47 +01:00
Hanno Becker b1626fb619 tinyCrypt: Remove check for Secp256r1 in SrvKeyExch writing
The use of tinyCrypt is restricted Secp256r1-only, and a check in
ssl_ciphersuite_is_match() ensures that an EC ciphersuite is chosen
only if the client advertised support for Secp256r1, too.
2019-08-12 18:01:47 +01:00
Hanno Becker 9175c21b72 tinyCrypt: Move key buffers to end of mbedtls_ssl_handshake_params
This saves considerable amount of code on Thumb due to single-instruction
load/stores for fields preceding these buffers.
2019-08-12 18:01:47 +01:00
Hanno Becker af9ff4ab9d tinyCrypt: Enforce matching setting of MBEDTLS_SSL_CONF_SINGLE_EC
We support only Secp256r1 through tinyCrypt, so enforce this by requiring
that MBEDTLS_SSL_CONF_SINGLE_EC is set and fixes that curve.
2019-08-12 18:01:47 +01:00
Hanno Becker 9cf087d2e7 Use tinyCrypt only for ECDHE-RSA/ECDSA in SrvKeyExch writing
In a way inconsistent with the rest of the library restricting the
use of tinyCrypt to pure-ECDHE, the previous ServerKeyExchange writing
routine would use tinyCrypt also for ECDHE-PSK-based ciphersuites.
This commit fixes this.
2019-08-12 18:01:47 +01:00
Hanno Becker cdce332d8c Remove MBEDTLS_ECDH_C from baremetal configuration
Baremetal uses the tinyCrypt implementation of ECDHE.
2019-08-12 18:01:47 +01:00
Hanno Becker 7a19633c99 tinyCrypt: Avoid unused var warning by marking vars as unused 2019-08-12 18:01:47 +01:00
Hanno Becker 29d165565c Add MBEDTLS_ECDH_C guards to ECDH code-paths using legacy ECDH
Previously, MBEDTLS_KEY_EXCHANGE_ECDH[E]_XXX_ENABLED would imply
that MBEDTLS_ECDH_C is set, but with the introduction of tinyCrypt
as an alternative ECDH implementation, this is no longer the case.
2019-08-12 18:01:40 +01:00
Hanno Becker 975b9ee3c8 Fix guards around use of legacy ECDH context
mbedtls_ssl_handshake_params::ecdh_ctx should only be guarded
by MBEDTLS_ECDH_C, not by MBEDTLS_ECDSA_C.
2019-08-12 17:05:38 +01:00
Hanno Becker 49dc8edd26 Don't require MBEDTLS_ECDH_C for ECDHA-{ECDSA|RSA}-based suites
The ECDHE key derivation in such suites is now also supported
through tinyCrypt, enabled via MBEDTLS_USE_TINYCRYPT.
2019-08-12 17:05:38 +01:00
Hanno Becker 00a9b6df77 tinyCrypt: Enforce global RNG
tinyCrypt uses a global RNG without context parameter while Mbed TLS in its
default configuration uses RNG+CTX bound to the SSL configuration.

This commit restricts the use of tinyCrypt to configurations that use a
global RNG function with NULL context by setting MBEDTLS_SSL_CONF_RNG in
the configuration. This allows to define a wrapper RNG to be used by
tinyCrypt which maps to this global hardcoded RNG.
2019-08-12 17:05:38 +01:00
Hanno Becker 621113fd3a tinyCrypt: Write client's key share 2019-08-12 17:05:38 +01:00
Hanno Becker a3c2c1712c tinyCrypt: Share ECDH secret calculation code-path 2019-08-12 17:05:38 +01:00
Hanno Becker 75f12d1eb9 tinyCrypt: Add ServerKeyExchange parsing code 2019-08-12 17:05:38 +01:00
Hanno Becker d849c7ca19 tinyCrypt: Hardcode ECDH parameter header
Saves a few bytes of code when tinyCrypt is used.
2019-08-12 17:05:38 +01:00
Hanno Becker d089fad925 tinyCrypt: Adapt RNG wrapper to return 0 on failure 2019-08-12 17:05:38 +01:00
Hanno Becker ef982d57bf tinyCrypt: Bind RNG wrapper to tinyCrypt in mbedtls_ssl_setup() 2019-08-12 17:05:38 +01:00
Hanno Becker c6c0fe6c5f Add MBEDTLS_USE_TINYCRYPT to baremetal configuration 2019-08-12 17:05:38 +01:00
Jarno Lamsa e12aafbdc7 tinyCrypt: Initial commit towards ECDHE support
This commit is a first step towards using uECC for ECDH
during TLS handshakes.
2019-08-12 17:05:38 +01:00
Hanno Becker 36ae758798 Include Mbed TLS config in tinycrypt compilation units 2019-08-12 17:05:38 +01:00
Hanno Becker 3328b1822a Move ssl_process_in_server_key_exchange to avoid func use-before-def 2019-08-12 17:05:03 +01:00
Hanno Becker 4e46709800 Document precoditions on some HS parsing/writing functions
Eventually, all HS parsing/writing functions should take an arbitrary buffer +
length pair as their argument, and return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if
the provided buffer is too short. So far, we've only made a first step by
allowing to pass an arbitrary buffer, but don't yet add bounds checks
throughout. While deliberate for now, this must be clearly documented.
2019-08-12 17:05:03 +01:00
Hanno Becker 7d552fad65 Avoid collision of ssl_xxx_key_exchange_yyy() func names in cli/srv
This makes grepping the functions more difficult, and also leads to compilation failures
when trying to build the library from a single source file (which might be useful for
code-size reasons).
2019-08-12 17:05:03 +01:00
Hanno Becker 48e526b380 Document parameter precondition for ssl_rsa_generate_partial_pms() 2019-08-12 17:05:03 +01:00
Hanno Becker aa49620f6e Minor documentation improvement to ssl_rsa_encrypt_partial_pms() 2019-08-12 17:05:03 +01:00
Hanno Becker 084694dd57 Fix copy-pasta in documentation for outgoing CliKeyExchange 2019-08-12 17:05:03 +01:00
Hanno Becker 44a29f4a6f Remove redundant use of local variable in CliKeyExch writing 2019-08-12 17:05:03 +01:00
Hanno Becker ae22dd3820 Simplify logic of restartable ECDHE in CliKeyExch writing 2019-08-12 17:05:03 +01:00
Hanno Becker 2fc84cebf6 Remove unused restartable ECC state for SrvKeyExchange
Previously, ssl_ecrs_ske_start_processing was used to indicate that
the ServerKeyExchange has been fetched from the record layer, but
that parsing its ECDHE parameter component has been preempted by the
restartable ECP feature. On re-entry of ssl_parse_server_key_exchange()
in this state, the code would directly jump into the parsing routine.
However, the only non-reentrant code that's jumped over this way is
the record fetching routine mbedtls_ssl_parse_record(), which is now
made re-entrant by setting `ssl->keep_current_message = 1` in case of
pre-emption due to restartable ECC.

The ssl_ecrs_ske_start_processing state is therefore redundant and
can be removed, which is what this commit does.
2019-08-12 17:05:03 +01:00