Commit graph

8686 commits

Author SHA1 Message Date
Hanno Becker 7345599a7b Grep for dbg msg witnessing writing of CID extension in ClientHello 2019-05-17 10:20:41 +01:00
Hanno Becker 39ec525e4f Implement writing of CID extension in ClientHello 2019-05-17 10:20:41 +01:00
Hanno Becker 46629717c9 Check static bounds of CID lengths in check_config.h 2019-05-17 10:20:41 +01:00
Hanno Becker 4baec2c4bf Add identifier for CID extension
Note: The current draft

   https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04

does not yet specify the extension value, so we
use a temporary value of 42.
2019-05-17 10:20:41 +01:00
Hanno Becker 9dae9fd57b Modify CID tests in ssl-opt.sh to grep for CID config debug msgs 2019-05-17 10:20:41 +01:00
Hanno Becker 0748986178 Allow configuring own CID fields through mbedtls_ssl_get_peer_cid() 2019-05-17 10:20:41 +01:00
Hanno Becker e5e7f621cc Add fields to SSL structures describing state and config of CID ext
* mbedtls_ssl_context gets fields indicating whether the CID extension
  should be negotiated in the next handshake, and, if yes, which CID
  the user wishes the peer to use.

  This information does not belong to mbedtls_ssl_handshake_params
  because (a) it is configured prior to the handshake, and (b) it
  applies to all subsequent handshakes.

* mbedtls_ssl_handshake_params gets fields indicating the state of CID
  negotiation during the handshake. Specifically, it indicates if the
  use of the CID extension has been negotiated, and if so, which CID
  the peer wishes us to use for outgoing messages.
2019-05-17 10:20:41 +01:00
Simon Butcher 724a695534 Merge remote-tracking branch 'origin/pr/562' into baremetal 2019-05-09 17:11:38 +01:00
Simon Butcher e372d5fb8f Merge remote-tracking branch 'origin/pr/558' into baremetal 2019-05-09 17:03:18 +01:00
Simon Butcher 999ac174cc Merge remote-tracking branch 'origin/pr/566' into baremetal 2019-05-09 16:59:02 +01:00
Simon Butcher ec998c6426 Merge remote-tracking branch 'origin/pr/564' into baremetal 2019-05-09 16:56:42 +01:00
Jarno Lamsa 8751e35751 Remove baremetal from build component names 2019-05-02 13:04:08 +03:00
Jarno Lamsa 4498de57b8 Address review comments about all.sh 2019-05-02 11:45:57 +03:00
Jarno Lamsa 0668b8f59e Description of MBEDTLS_USE_UECC 2019-05-02 09:39:09 +03:00
Jarno Lamsa d91f7fa26b Add native build targets for uecc baremetal config 2019-04-30 14:29:23 +03:00
Jarno Lamsa 65ea285759 Fix typo 2019-04-30 13:00:41 +03:00
Jarno Lamsa f6371ff923 Add armcc5 build for uecc and baremetal config 2019-04-30 10:10:03 +03:00
Jarno Lamsa 46132207f8 Make compiler happy when MBEDTLS_USE_UECC disabled 2019-04-29 14:29:52 +03:00
Hanno Becker 08885813c3 Fix uninitialized variable access in debug output of record enc/dec 2019-04-29 12:21:31 +02:00
Hanno Becker a131766743 Ensure non-NULL key buffer when building SSL test transforms 2019-04-29 12:19:38 +02:00
Hanno Becker 1acadb77cb Catch errors while building SSL test transforms 2019-04-29 12:19:38 +02:00
Hanno Becker afc528ad56 Use mbedtls_{calloc|free}() in SSL unit test suite 2019-04-29 12:19:24 +02:00
Hanno Becker f832343c1d Improve documentation of mbedtls_record 2019-04-29 12:19:07 +02:00
Hanno Becker c5aee96855 Adapt record length value after encryption 2019-04-29 12:19:07 +02:00
Hanno Becker b17a1a2068 Alternative between send/recv transform in SSL record test suite 2019-04-29 12:19:07 +02:00
Hanno Becker 5c1176e53f Fix memory leak on failure in test_suite_ssl 2019-04-29 12:18:50 +02:00
Hanno Becker 30d02cdeb0 Rename ssl_decrypt_buf() to mbedtls_ssl_decrypt_buf() in comment 2019-04-29 12:18:38 +02:00
Hanno Becker 3693c72b82 Add record encryption/decryption tests for ARIA to SSL test suite 2019-04-29 12:18:27 +02:00
Hanno Becker a198bb7359 Improve documentation of mbedtls_ssl_transform 2019-04-29 12:18:11 +02:00
Hanno Becker 93012fe8e8 Double check that record expansion is as expected during decryption 2019-04-29 12:17:58 +02:00
Hanno Becker a795323cd5 Move debugging output after record decryption
The debugging call printing the decrypted record payload happened
before updating ssl->in_msglen.
2019-04-29 12:17:51 +02:00
Hanno Becker d300003b2c Add encryption/decryption tests for small records
This commit adds tests to check the behavior of the record encryption
routine `ssl_encrypt_buf` when the buffer surrounding the plaintext is
too small to hold the expansion in the beginning and end (due to IV's,
padding, and MAC).

Each test starts successively increases the space available at the
beginning, end, or both, of the record buffer, and checks that the
record encryption either fails with a BUFFER_TOO_SMALL error, or
that it succeeds. Moreover, if it succeeds, it is checked that
decryption succeeds, too, and results in the original record.
2019-04-29 12:15:30 +02:00
Hanno Becker 611a83b571 Add tests for record encryption/decryption
This commit adds tests exercising mutually inverse pairs of
record encryption and decryption transformations for the various
transformation types allowed in TLS: Stream, CBC, and AEAD.
2019-04-29 12:15:21 +02:00
Hanno Becker 92231325a7 Reduce size of ssl_transform if no MAC ciphersuite is enabled
The hash contexts `ssl_transform->md_ctx_{enc/dec}` are not used if
only AEAD ciphersuites are enabled. This commit removes them from the
`ssl_transform` struct in this case, saving a few bytes.
2019-04-29 12:15:05 +02:00
Hanno Becker f122944b7d Remove code from ssl_derive_keys if relevant modes are not enabled
This commit guards code specific to AEAD, CBC and stream cipher modes
in `ssl_derive_keys` by the respective configuration flags, analogous
to the guards that are already in place in the record decryption and
encryption functions `ssl_decrypt_buf` resp. `ssl_decrypt_buf`.
2019-04-29 12:14:51 +02:00
Hanno Becker 4c6876b134 Provide standalone version of ssl_decrypt_buf
Analogous to the previous commit, but concerning the record decryption
routine `ssl_decrypt_buf`.

An important change regards the checking of CBC padding:
Prior to this commit, the CBC padding check always read 256 bytes at
the end of the internal record buffer, almost always going past the
boundaries of the record under consideration. In order to stay within
the bounds of the given record, this commit changes this behavior by
always reading the last min(256, plaintext_len) bytes of the record
plaintext buffer and taking into consideration the last `padlen` of
these for the padding check. With this change, the memory access
pattern and runtime of the padding check is entirely determined by
the size of the encrypted record, in particular not giving away
any information on the validity of the padding.

The following depicts the different behaviors:

1) Previous CBC padding check

1.a) Claimed padding length <= plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

                                +------------------------------------...
                                |  read for padding check            ...
                                +------------------------------------...
                                                |
                                                 contents discarded
                                                 from here

1.b) Claimed padding length > plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer              | PL |
  +----------------------------------------+----+
                                           +-------------------------...
                                           |  read for padding check ...
                                           +-------------------------...
                                                |
                                                 contents discarded
                                                 from here

2) New CBC padding check

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

        +---------------------------------------+
        |        read for padding check         |
        +---------------------------------------+
                                |
                                 contents discarded
                                 until here
2019-04-29 12:13:25 +02:00
Jarno Lamsa 00c0aa01b4 Exclude MBEDTLS_USE_UECC from the full config 2019-04-29 12:59:10 +03:00
Jarno Lamsa ce3cb64aeb Fix check-names.sh 2019-04-29 12:07:43 +03:00
Hanno Becker 3307b53413 Provide standalone version of ssl_encrypt_buf
The previous version of the record encryption function
`ssl_encrypt_buf` takes the entire SSL context as an argument,
while intuitively, it should only depend on the current security
parameters and the record buffer.

Analyzing the exact dependencies, it turned out that in addition
to the currently active `ssl_transform` instance and the record
information, the encryption function needs access to
- the negotiated protocol version, and
- the status of the encrypt-then-MAC extension.

This commit moves these two fields into `ssl_transform` and
changes the signature of `ssl_encrypt_buf` to only use an instance
of `ssl_transform` and an instance of the new `ssl_record` type.
The `ssl_context` instance is *solely* kept for the debugging macros
which need an SSL context instance.

The benefit of the change is twofold:
1) It avoids the need of the MPS to deal with instances of
   `ssl_context`. The MPS should only work with records and
   opaque security parameters, which is what the change in
   this commit makes progress towards.
2) It significantly eases testing of the encryption function:
   independent of any SSL context, the encryption function can
   be passed some record buffer to encrypt alongside some arbitrary
   choice of parameters, and e.g. be checked to not overflow the
   provided memory.
2019-04-29 10:58:15 +02:00
Hanno Becker 4a5eeaee2e Improve documentation of mbedtls_ssl_transform 2019-04-29 10:37:01 +02:00
Hanno Becker 9d2e4b4742 Add structure representing TLS records
This commit adds a structure `mbedtls_record` whose instances
represent (D)TLS records. This structure will be used in the
subsequent adaptions of the record encryption and decryption
routines `ssl_decrypt_buf` and `ssl_encrypt_buf`, which currently
take the entire SSL context as input, but should only use the
record to be acted on as well as the record transformation to use.
2019-04-29 10:36:44 +02:00
Hanno Becker b628a80b76 Fix definition of SSL_SOME_MODES_USE_MAC
The previous definition was lacking the case of the ARIA and DES ciphers.
2019-04-29 10:36:26 +02:00
Hanno Becker 5cc04d5ae7 Correct space needed for MAC in case of NULL cipher
The macro constant `MBEDTLS_SSL_MAC_ADD` defined in `ssl_internal.h`
defines an upper bound for the amount of space needed for the record
authentication tag. Its definition distinguishes between the
presence of an ARC4 or CBC ciphersuite suite, in which case the maximum
size of an enabled SHA digest is used; otherwise, `MBEDTLS_SSL_MAC_ADD`
is set to 16 to accomodate AEAD authentication tags.

This assignment has a flaw in the situation where confidentiality is
not needed and the NULL cipher is in use. In this case, the
authentication tag also uses a SHA digest, but the definition of
`MBEDTLS_SSL_MAC_ADD` doesn't guarantee enough space.

The present commit fixes this by distinguishing between the presence
of *some* ciphersuite using a MAC, including those using a NULL cipher.
For that, the previously internal macro `SSL_SOME_MODES_USE_MAC` from
`ssl_tls.c` is renamed and moved to the public macro
`MBEDTLS_SOME_MODES_USE_MAC` defined in `ssl_internal.h`.
2019-04-29 10:36:09 +02:00
Hanno Becker 8759e16242 Remove ciphersuite_info from ssl_transform
Prior to this commit, the security parameter struct `ssl_transform`
contained a `ciphersuite_info` field pointing to the information
structure for the negotiated ciphersuite. However, the only
information extracted from that structure that was used in the core
encryption and decryption functions `ssl_encrypt_buf`/`ssl_decrypt_buf`
was the authentication tag length in case of an AEAD cipher.

The present commit removes the `ciphersuite_info` field from the
`ssl_transform` structure and adds an explicit `taglen` field
for AEAD authentication tag length.

This is in accordance with the principle that the `ssl_transform`
structure should contain the raw parameters needed for the record
encryption and decryption functions to work, but not the higher-level
information that gave rise to them. For example, the `ssl_transform`
structure implicitly contains the encryption/decryption keys within
their cipher contexts, but it doesn't contain the SSL master or
premaster secrets. Likewise, it contains an explicit `maclen`, while
the status of the 'Truncated HMAC' extension -- which  determines the
value of `maclen` when the `ssl_transform` structure is created in
`ssl_derive_keys` -- is not contained in `ssl_transform`.

The `ciphersuite_info` pointer was used in other places outside
the encryption/decryption functions during the handshake, and for
these functions to work, this commit adds a `ciphersuite_info` pointer
field to the handshake-local `ssl_handshake_params` structure.
2019-04-29 10:36:01 +02:00
Hanno Becker e7f2df03a3 Remove key length field from ssl_transform
The `ssl_transform` security parameter structure contains opaque
cipher contexts for use by the record encryption/decryption functions
`ssl_decrypt_buf`/`ssl_encrypt_buf`, while the underlying key material
is configured once in `ssl_derive_keys` and is not explicitly dealt with
anymore afterwards. In particular, the key length is not needed
explicitly by the encryption/decryption functions but is nonetheless
stored in an explicit yet superfluous `keylen` field in `ssl_transform`.
This commit removes this field.
2019-04-29 09:32:08 +02:00
Jarno Lamsa 5b871285f5 MBEDTLS_USE_UECC and MBEDTLS_NO_64BIT_MULTIPLICATION conflicting 2019-04-29 10:29:06 +03:00
Jarno Lamsa 55427964b1 Guard tinycrypt files with MBEDTLS_USE_UECC 2019-04-29 10:25:23 +03:00
Jarno Lamsa 8557fc9220 Add whitelist for uECC files for check-names.sh
Whitelist currently includes the unmatching symbols from uECC files.
This is now specific for the baremetal branch.
2019-04-26 16:22:10 +03:00
Jarno Lamsa 95de220ade Ignore tinycrypt headers from doxygen input 2019-04-25 15:11:29 +03:00
Jarno Lamsa 02493afe6c Ignore tinycrypt files from check-files.py 2019-04-25 14:56:17 +03:00