Commit graph

4583 commits

Author SHA1 Message Date
Andres Amaya Garcia 3c9733a0a3 Fix typo in comment for gmtime macro defines 2018-09-05 11:52:07 +01:00
Andres Amaya Garcia ca04a01bb8 Document shorthand gmtime macros 2018-09-05 11:43:57 +01:00
Andres Amaya Garcia 209960611f Use gmtime_s() for IAR 2018-09-05 11:27:56 +01:00
Andres Amaya Garcia e9b10b21f1 Define _POSIX_C_SOURCE in threading.c before POSIX detection 2018-09-05 11:25:30 +01:00
Simon Butcher 4d075cd7d0 Update library version number to 2.13.0 2018-08-31 15:59:10 +01:00
irwir da642d98c0
Implicit _endthread call: comment changed 2018-08-31 15:14:54 +03:00
irwir e1b82ad25f
Added spaces after type casts
`(void) TimerContext;` seems more consistent with the current style than ((void) TimerContext);
No objections to changing this if necessary.
2018-08-30 11:57:09 +03:00
Simon Butcher 0bbb4fc132 Merge branch 'development' into development 2018-08-30 01:11:35 +01:00
Simon Butcher 552754a6ee Merge remote-tracking branch 'public/pr/1988' into development 2018-08-30 00:57:28 +01:00
Simon Butcher 68dbc94720 Merge remote-tracking branch 'public/pr/1951' into development 2018-08-30 00:56:56 +01:00
Ron Eldor b0ad581526 Remove the invalid input for platform module
Remove the invalid input for the platform module,
as it's not currently used in the Mbed OS platform setup \
termination code.
2018-08-29 19:06:14 +03:00
Ron Eldor 0ff4e0b824 Add platform error codes
Add error codes for the platform module, to be used by
the setup \ terminate API.
2018-08-29 18:53:20 +03:00
Hanno Becker a591c48302 Correct typo in debug message 2018-08-28 17:52:53 +01:00
Hanno Becker 83ab41c665 Correct typo in comment 2018-08-28 17:52:53 +01:00
Hanno Becker cd9dcda0a0 Add const qualifier to handshake header reading functions 2018-08-28 17:52:53 +01:00
Hanno Becker 39b8bc9aef Change wording of debug message 2018-08-28 17:52:49 +01:00
Hanno Becker ef7afdfa5a Rename another_record_in_datagram to next_record_is_in_datagram 2018-08-28 17:16:31 +01:00
Hanno Becker c573ac33dd Fix typos in debug message and comment in ssl-tls.c 2018-08-28 17:15:25 +01:00
Simon Butcher 3af567d4a7 Merge remote-tracking branch 'restricted/pr/437' into development-restricted 2018-08-28 15:33:59 +01:00
Simon Butcher 129fa82908 Merge remote-tracking branch 'restricted/pr/470' into development-restricted 2018-08-28 15:26:11 +01:00
Simon Butcher 7f85563f9b Merge remote-tracking branch 'restricted/pr/491' into development-restricted 2018-08-28 15:22:40 +01:00
Simon Butcher 9ce5160fea Merge remote-tracking branch 'public/pr/1965' into development 2018-08-28 12:34:14 +01:00
Simon Butcher 9d5a9e1213 Merge remote-tracking branch 'public/pr/1625' into development 2018-08-28 12:23:40 +01:00
Simon Butcher 14dac0953e Merge remote-tracking branch 'public/pr/1918' into development 2018-08-28 12:21:41 +01:00
Simon Butcher 1846e406c8 Merge remote-tracking branch 'public/pr/1939' into development 2018-08-28 12:19:56 +01:00
Simon Butcher 9598845d11 Merge remote-tracking branch 'public/pr/1955' into development 2018-08-28 12:00:18 +01:00
Simon Butcher 4613772dea Merge remote-tracking branch 'public/pr/1915' into development 2018-08-28 11:45:44 +01:00
Hanno Becker 0207e533b2 Style: Correct typo in ssl-tls.c 2018-08-28 10:28:28 +01:00
Hanno Becker bc2498a9ff Style: Add numerous comments indicating condition guarded by #endif 2018-08-28 10:13:29 +01:00
Hanno Becker d58477769d Style: Group buffering-related forward declarations in ssl_tls.c 2018-08-28 10:09:23 +01:00
Hanno Becker 360bef3fe3 Reordering: Document that only HS and CCS msgs are buffered 2018-08-28 10:04:33 +01:00
Hanno Becker 4f432ad44d Style: Don't use abbreviations in comments 2018-08-28 10:02:32 +01:00
Hanno Becker b8f50147ee Add explicit MBEDTLS_DEBUG_C-guard around debugging code 2018-08-28 10:01:34 +01:00
Hanno Becker f0da6670dc Style: Add braces around if-branch where else-branch has them 2018-08-28 09:55:10 +01:00
Hanno Becker ecbdf1c048 Style: Correct indentation of debug msgs in mbedtls_ssl_write_record 2018-08-28 09:54:44 +01:00
Hanno Becker 3f7b973e32 Correct typo in mbedtls_ssl_flight_transmit() 2018-08-28 09:53:25 +01:00
Hanno Becker 6e12c1ea7d Enhance debugging output 2018-08-24 14:48:08 +01:00
Hanno Becker 0e96585bdd Merge branch 'datagram_packing' into message_reordering 2018-08-24 12:16:41 +01:00
Hanno Becker 1841b0a11c Rename ssl_conf_datagram_packing() to ssl_set_datagram_packing()
The naming convention is that functions of the form mbedtls_ssl_conf_xxx()
apply to the SSL configuration.
2018-08-24 11:13:57 +01:00
Hanno Becker f4b010efc4 Limit MTU by maximum fragment length setting
By the standard (RFC 6066, Sect. 4), the Maximum Fragment Length (MFL)
extension limits the maximum record payload size, but not the maximum
datagram size. However, not inferring any limitations on the MTU when
setting the MFL means that a party has no means to dynamically inform
the peer about MTU limitations.

This commit changes the function ssl_get_remaining_payload_in_datagram()
to never return more than

MFL - { Total size of all records within the current datagram }

thereby limiting the MTU to MFL + { Maximum Record Expansion }.
2018-08-24 10:47:29 +01:00
Hanno Becker 283f5efe7d Buffering: Free future record epoch after each flight
The function ssl_free_buffered_record() frees a future epoch record, if
such is present. Previously, it was called in mbedtls_handshake_free(),
i.e. an unused buffered record would be cleared at the end of the handshake.
This commit moves the call to the function ssl_buffering_free() responsible
for freeing all buffering-related data, and which is called not only at
the end of the handshake, but at the end of every flight. In particular,
future record epochs won't be buffered across flight boundaries anymore,
and they shouldn't.
2018-08-24 09:34:47 +01:00
Hanno Becker 081bd81865 ssl_write_handshake_msg(): Always append CCS messages to flights
The previous code appended messages to flights only if their handshake type,
as derived from the first byte in the message, was different from
MBEDTLS_SSL_HS_HELLO_REQUEST. This check should only be performed
for handshake records, while CCS records should immediately be appended.
2018-08-23 19:22:26 +02:00
Hanno Becker c83d2b3e09 ssl_write_handshake_msg(): Allow alert on client-side SSLv3
In SSLv3, the client sends a NoCertificate alert in response to
a CertificateRequest if it doesn't have a CRT. This previously
lead to failure in ssl_write_handshake_msg() which only accepted
handshake or CCS records.
2018-08-23 19:22:05 +02:00
Hanno Becker 687c500da3 Return from debugging functions if SSL context is unset
The debugging functions
- mbedtls_debug_print_ret,
- mbedtls_debug_print_buf,
- mbedtls_debug_print_mpi, and
- mbedtls_debug_print_crt
return immediately if the SSL configuration bound to the
passed SSL context is NULL, has no debugging functions
configured, or if the debug threshold is below the debugging
level.
However, they do not check whether the provided SSL context
is not NULL before accessing the SSL configuration bound to it,
therefore leading to a segmentation fault if it is.
In contrast, the debugging function
- mbedtls_debug_print_msg
does check for ssl != NULL before accessing ssl->conf.

This commit unifies the checks by always returning immediately
if ssl == NULL.
2018-08-23 14:54:13 +01:00
Hanno Becker b309b92ee8 ssl_buffering_free_slot(): Double-check validity of slot index 2018-08-23 13:18:05 +01:00
Hanno Becker 65dc885a3b Use size_t for msg_len argument in ssl_get_reassembly_buffer_size() 2018-08-23 09:40:49 +01:00
Hanno Becker 1b20e8e46e Merge branch 'datagram_packing' into message_reordering 2018-08-22 20:36:50 +01:00
Hanno Becker 554b0af195 Fix assertion in mbedtls_ssl_write_record() 2018-08-22 20:33:41 +01:00
Hanno Becker 7428d4fe87 Merge branch 'datagram_packing' into message_reordering 2018-08-22 16:16:59 +01:00
Hanno Becker 551835d5e7 ssl_write_handshake_msg(): Always append CCS messages to flights
The previous code appended messages to flights only if their handshake type,
as derived from the first byte in the message, was different from
MBEDTLS_SSL_HS_HELLO_REQUEST. This check should only be performed
for handshake records, while CCS records should immediately be appended.
2018-08-22 16:16:25 +01:00
Hanno Becker 2c98db2478 ssl_write_handshake_msg(): Allow alert on client-side SSLv3
In SSLv3, the client sends a NoCertificate alert in response to
a CertificateRequest if it doesn't have a CRT. This previously
lead to failure in ssl_write_handshake_msg() which only accepted
handshake or CCS records.
2018-08-22 16:05:47 +01:00
Hanno Becker 635313459f Merge branch 'datagram_packing' into message_reordering 2018-08-22 16:00:57 +01:00
Hanno Becker 11682ccc78 Uniformly treat MTU as size_t 2018-08-22 14:41:02 +01:00
Hanno Becker 3546201dbc Merge branch 'datagram_packing' into message_reordering 2018-08-22 10:25:40 +01:00
Hanno Becker a67dee256d Merge branch 'iotssl-2402-basic-pmtu-adaptation' into datagram_packing 2018-08-22 10:06:38 +01:00
Manuel Pégourié-Gonnard b8eec192f6 Implement PMTU auto-reduction in handshake 2018-08-22 10:50:30 +02:00
Hanno Becker 170e2d89da Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-22 09:44:54 +01:00
Andres Amaya Garcia a658d7dd9d Fix style for mbedtls_platform_gmtime() 2018-08-21 19:33:02 +01:00
Hanno Becker aa71500173 Fix bug in SSL ticket implementation removing keys of age < 1s
Fixes #1968.
2018-08-21 17:48:52 +01:00
Hanno Becker 903ee3d363 Merge branch 'datagram_packing' into message_reordering 2018-08-21 17:24:17 +01:00
Hanno Becker 01315ea03a Account for future epoch records in the total buffering size
Previous commits introduced the field `total_bytes_buffered`
which is supposed to keep track of the cumulative size of
all heap allocated buffers used for the purpose of reassembly
and/or buffering of future messages.

However, the buffering of future epoch records were not reflected
in this field so far. This commit changes this, adding the length
of a future epoch record to `total_bytes_buffered` when it's buffered,
and subtracting it when it's freed.
2018-08-21 17:22:17 +01:00
Hanno Becker a02b0b462d Add function making space for current message reassembly
This commit adds a static function ssl_buffer_make_space() which
takes a buffer size as an argument and attempts to free as many
future message bufffers as necessary to ensure that the desired
amount of buffering space is available without violating the
total buffering limit set by MBEDTLS_SSL_DTLS_MAX_BUFFERING.
2018-08-21 17:20:27 +01:00
Hanno Becker e1801399a9 Add another debug message to ssl_buffer_message()
Report if there's not enough buffering space available to reassemble
the next expected incoming message.
2018-08-21 16:51:05 +01:00
Hanno Becker 55e9e2aa6b Free future buffers if next handshake messages can't be reassembled
If the next expected handshake message can't be reassembled because
buffered future messages have already used up too much of the available
space for buffering, free those future message buffers in order to
make space for the reassembly, starting with the handshake message
that's farthest in the future.
2018-08-21 16:24:30 +01:00
Hanno Becker e605b19631 Add function to free a particular buffering slot
This commit adds a static function ssl_buffering_free_slot()
which allows to free a particular structure used to buffer
and/or reassembly some handshake message.
2018-08-21 16:24:27 +01:00
Hanno Becker 96a6c69d0c Correct bounds check in ssl_buffer_message()
The previous bounds check omitted the DTLS handshake header.
2018-08-21 16:11:09 +01:00
Hanno Becker e0b150f96b Allow limiting the total amount of heap allocations for buffering
This commit introduces a compile time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING
to mbedtls/config.h which allows the user to control the cumulative size of
all heap buffer allocated for the purpose of reassembling and buffering
handshake messages.

It is put to use by introducing a new field `total_bytes_buffered` to
the buffering substructure of `mbedtls_ssl_handshake_params` that keeps
track of the total size of heap allocated buffers for the purpose of
reassembly and buffering at any time. It is increased whenever a handshake
message is buffered or prepared for reassembly, and decreased when a
buffered or fully reassembled message is copied into the input buffer
and passed to the handshake logic layer.

This commit does not yet include future epoch record buffering into
account; this will be done in a subsequent commit.

Also, it is now conceivable that the reassembly of the next expected
handshake message fails because too much buffering space has already
been used up for future messages. This case currently leads to an
error, but instead, the stack should get rid of buffered messages
to be able to buffer the next one. This will need to be implemented
in one of the next commits.
2018-08-21 16:11:04 +01:00
Gilles Peskine ed7da59798 ctr_drbg: add comments relating the code with the NIST specification 2018-08-21 17:55:46 +03:00
Hanno Becker 2a97b0e7a3 Introduce function to return size of buffer needed for reassembly
A previous commit introduced the function ssl_prepare_reassembly_buffer()
which took a message length and a boolean flag indicating if a reassembly
bit map was needed, and attempted to heap-allocate a buffer of sufficient
size to hold both the message, its header, and potentially the reassembly
bitmap.

A subsequent commit is going to introduce a limit on the amount of heap
allocations allowed for the purpose of buffering, and this change will
need to know the reassembly buffer size before attempting the allocation.

To this end, this commit changes ssl_prepare_reassembly_buffer() into
ssl_get_reassembly_buffer_size() which solely computes the reassembly
buffer size, and performing the heap allocation manually in
ssl_buffer_message().
2018-08-21 15:47:49 +01:00
Hanno Becker e678eaa93e Reject invalid CCS records early
This commit moves the length and content check for CCS messages to
the function mbedtls_ssl_handle_message_type() which is called after
a record has been deprotected.

Previously, these checks were performed in the function
mbedtls_ssl_parse_change_cipher_spec(); however, now that
the arrival of out-of-order CCS messages is remembered
as a boolean flag, the check also has to happen when this
flag is set. Moving the length and content check to
mbedtls_ssl_handle_message_type() allows to treat both
checks uniformly.
2018-08-21 14:57:46 +01:00
Hanno Becker 47db877039 ssl_write_record: Consider setting flush variable only if unset 2018-08-21 13:32:13 +01:00
Hanno Becker 1f5a15d86d Check retval of remaining_payload_in_datagram in ssl_write_record() 2018-08-21 13:31:31 +01:00
Hanno Becker ecff205548 Remove stray bracket if MBEDTLS_ZLIB_SUPPORT is defined 2018-08-21 13:20:00 +01:00
Manuel Pégourié-Gonnard 000281e07d Fix "unused parameter" warning in small configs 2018-08-21 11:20:58 +02:00
Hanno Becker 6aeaa05a95 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-20 12:53:37 +01:00
Hanno Becker 513815a38d Fix typo in debugging output 2018-08-20 11:56:09 +01:00
Hanno Becker 4cb782d2f6 Return from ssl_load_buffered_record early if no record is buffered 2018-08-20 11:19:05 +01:00
Manuel Pégourié-Gonnard a1071a58a3 Compute record expansion at the right time
Depends on the current transform, which might change when retransmitting a
flight containing a Finished message, so compute it only after the transform
is swapped.
2018-08-20 11:56:14 +02:00
Manuel Pégourié-Gonnard 065a2a3472 Fix some typos and links in comments and doc 2018-08-20 11:09:26 +02:00
Hanno Becker 3a0aad1c9d Rename update_digest to update_hs_digest 2018-08-20 09:44:02 +01:00
Hanno Becker 4422bbb096 Whitespace fixes 2018-08-20 09:40:19 +01:00
Hanno Becker e00ae375d3 Omit debug output in ssl_load_buffered_message outside a handshake 2018-08-20 09:39:42 +01:00
Manuel Pégourié-Gonnard 6e7aaca146 Move MTU setting to SSL context, not config
This setting belongs to the individual connection, not to a configuration
shared by many connections. (If a default value is desired, that can be handled
by the application code that calls mbedtls_ssl_set_mtu().)

There are at least two ways in which this matters:
- per-connection settings can be adjusted if MTU estimates become available
  during the lifetime of the connection
- it is at least conceivable that a server might recognize restricted clients
  based on range of IPs and immediately set a lower MTU for them. This is much
easier to do with a per-connection setting than by maintaining multiple
near-duplicated ssl_config objects that differ only by the MTU setting.
2018-08-20 10:37:23 +02:00
Hanno Becker 0d4b376ddf Return through cleanup section in ssl_load_buffered_message() 2018-08-20 09:36:59 +01:00
Ron Eldor 34b03ef78f Remove redundant else statement
Remove `else` statement, as it is redundant. resolves #1776
2018-08-20 10:39:27 +03:00
Hanno Becker 56d5eaa96c Mark SSL ctx unused in ssl_prepare_reassembly_buffer() if !DEBUG
The SSL context is passed to the reassembly preparation function
ssl_prepare_reassembly_buffer() solely for the purpose of allowing
debugging output. This commit marks the context as unused if
debugging is disabled (through !MBEDTLS_DEBUG_C).
2018-08-17 16:52:08 +01:00
Hanno Becker b063a5ffad Update error codes 2018-08-17 16:52:08 +01:00
Hanno Becker 5f066e7aac Implement future record buffering
This commit implements the buffering of a record from the next epoch.

- The buffering substructure of mbedtls_ssl_handshake_params
  gets another field to hold a raw record (incl. header) from
  a future epoch.
- If ssl_parse_record_header() sees a record from the next epoch,
  it signals that it might be suitable for buffering by returning
  MBEDTLS_ERR_SSL_EARLY_MESSAGE.
- If ssl_get_next_record() finds this error code, it passes control
  to ssl_buffer_future_record() which may or may not decide to buffer
  the record; it does so if
  - a handshake is in progress,
  - the record is a handshake record
  - no record has already been buffered.
  If these conditions are met, the record is backed up in the
  aforementioned buffering substructure.
- If the current datagram is fully processed, ssl_load_buffered_record()
  is called to check if a record has been buffered, and if yes,
  if by now the its epoch is the current one; if yes, it copies
  the record into the (empty! otherwise, ssl_load_buffered_record()
  wouldn't have been called) input buffer.
2018-08-17 16:52:08 +01:00
Hanno Becker 37f9532081 Implement future message buffering and loading
This commit implements future handshake message buffering
and loading by implementing ssl_load_buffered_message()
and ssl_buffer_message().

Whenever a handshake message is received which is
- a future handshake message (i.e., the sequence number
  is larger than the next expected one), or which is
- a proper fragment of the next expected handshake message,
ssl_buffer_message() is called, which does the following:
- Ignore message if its sequence number is too far ahead
  of the next expected sequence number, as controlled by
  the macro constant MBEDTLS_SSL_MAX_BUFFERED_HS.
- Otherwise, check if buffering for the message with the
  respective sequence number has already commenced.
  - If not, allocate space to back up the message within
    the buffering substructure of mbedtls_ssl_handshake_params.
    If the message is a proper fragment, allocate additional
    space for a reassembly bitmap; if it is a full message,
    omit the bitmap. In any case, fall throuh to the next case.
  - If the message has already been buffered, check that
    the header is the same, and add the current fragment
    if the message is not yet complete (this excludes the
    case where a future message has been received in a single
    fragment, hence omitting the bitmap, and is afterwards
    also received as a series of proper fragments; in this
    case, the proper fragments will be ignored).

For loading buffered messages in ssl_load_buffered_message(),
the approach is the following:
- Check the first entry in the buffering window (the window
  is always based at the next expected handshake message).
  If buffering hasn't started or if reassembly is still
  in progress, ignore. If the next expected message has been
  fully received, copy it to the input buffer (which is empty,
  as ssl_load_buffered_message() is only called in this case).
2018-08-17 16:52:08 +01:00
Hanno Becker 6d97ef5a03 Use uniform treatment for future messages and proper HS fragments
This commit returns the error code MBEDTLS_ERR_SSL_EARLY_MESSAGE
for proper handshake fragments, forwarding their treatment to
the buffering function ssl_buffer_message(); currently, though,
this function does not yet buffer or reassembly HS messages, so:

! This commit temporarily disables support for handshake reassembly !
2018-08-17 16:52:08 +01:00
Hanno Becker 44650b7a74 Introduce function checking sanity of the DTLS HS header
This commit introduces helper functions
- ssl_get_hs_frag_len()
- ssl_get_hs_frag_off()
to parse the fragment length resp. fragment offset fields
in the handshake header.

Moreover, building on these helper functions, it adds a
function ssl_check_hs_header() checking the validity of
a DTLS handshake header with respect to the specification,
i.e. the indicated fragment must be a subrange of the total
handshake message, and the total handshake fragment length
(including header) must not exceed the record content size.

These checks were previously performed at a later stage during
ssl_reassemble_dtls_handshake().
2018-08-17 16:52:08 +01:00
Hanno Becker 12555c61d3 Introduce function to parse total handshake length
This commit introduces a static helper function ssl_get_hs_total_len()
parsing the total message length field in the handshake header, and
puts it to use in mbedtls_ssl_prepare_handshake_record().
2018-08-17 16:52:08 +01:00
Hanno Becker 0271f967d6 Introduce buffering structure for handshake messages
This commit introduces, but does not yet put to use, a sub-structure
of mbedtls_ssl_handshake_params::buffering that will be used for the
buffering and/or reassembly of handshake messages with handshake
sequence numbers that are greater or equal to the next expected
sequence number.
2018-08-17 16:52:08 +01:00
Hanno Becker d7f8ae2508 Introduce sub-structure of ssl_handshake_params for buffering
This commit introduces a sub-structure `buffering` within
mbedtls_ssl_handshake_params that shall contain all data
related to the reassembly and/or buffering of handshake
messages.

Currently, only buffering of CCS messages is implemented,
so the only member of this struct is the previously introduced
`seen_ccs` field.
2018-08-17 16:52:08 +01:00
Hanno Becker e25e3b7d96 Add function to check is HS msg is a proper fragment
This commit introduces a static function ssl_hs_is_proper_fragment()
to check if the current incoming handshake message is a proper fragment.
It is used within mbedtls_ssl_prepare_handshake_record() to decide whether
handshake reassembly through ssl_reassemble_dtls_handshake() is needed.

The commit changes the behavior of the library in the (unnatural)
situation where proper fragments for a handshake message are followed
by a non-fragmented version of the same message. In this case,
the previous code invoked the handshake reassembly routine
ssl_reassemble_dtls_handshake(), while with this commit, the full
handshake message is directly forwarded to the user, no altering
the handshake reassembly state -- in particular, not freeing it.
As a remedy, freeing of a potential handshake reassembly structure
is now done as part of the handshake update function
mbedtls_ssl_update_handshake_status().
2018-08-17 16:52:08 +01:00
Hanno Becker d07df86871 Make allocation of reassembly bitmap optional
This commit adds a parameter to ssl_prepare_reassembly_buffer()
allowing to disable the allocation of space for a reassembly bitmap.
This will allow this function to be used for the allocation of buffers
for future handshake messages in case these need no fragmentation.
2018-08-17 16:52:08 +01:00
Hanno Becker 56e205e2c9 Prepare handshake reassembly in separate function
This commit moves the code-path preparing the handshake
reassembly buffer, consisting of header, message content,
and reassembly bitmap, to a separate function
ssl_prepare_reassembly_buffer().
2018-08-17 16:52:08 +01:00
Hanno Becker 9e1ec22c36 Return MBEDTLS_ERR_SSL_EARLY_MESSAGE for future HS messages
This leads future HS messages to traverse the buffering
function ssl_buffer_message(), which however doesn't do
anything at the moment for HS messages. Since the error
code MBEDTLS_ERR_SSL_EARLY_MESSAGE is afterwards remapped
to MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -- which is what
was returned prior to this commit when receiving a future
handshake message -- this commit therefore does not yet
introduce any change in observable behavior.
2018-08-17 16:52:08 +01:00
Hanno Becker 2ed6bcc793 Implement support for remembering CCS messages
This commit implements support for remembering out-of-order
CCS messages. Specifically, a flag is set whenever a CCS message
is read which remains until the end of a flight, and when a
CCS message is expected and a CCS message has been seen in the
current flight, a synthesized CCS record is created.
2018-08-17 16:52:08 +01:00
Hanno Becker 40f50848fa Add frame for loading and storing buffered messages
This commit introduces the frame for saving and loading
buffered messages within message reading function
mbedtls_ssl_read_record().
2018-08-17 16:52:08 +01:00
Hanno Becker e74d556b43 Introduce function to indicate if record is fully processed
This commit introduces a function ssl_record_is_in_progress()
to indicate if there is there is more data within the current
record to be processed. Further, it moves the corresponding
call from ssl_read_record_layer() to the parent function
mbedtls_ssl_read_record(). With this change, ssl_read_record_layer()
has the sole purpose of fetching and decoding a new record,
and hence this commit also renames it to ssl_get_next_record().
2018-08-17 16:52:08 +01:00
Hanno Becker 2699459529 Move call to ssl_consume_current_message()
Subsequent commits will potentially inject buffered
messages after the last incoming message has been
consumed, but before a new one is fetched. As a
preparatory step to this, this commit moves the call
to ssl_consume_current_message() from ssl_read_record_layer()
to the calling function mbedtls_ssl_read_record().
2018-08-17 16:52:08 +01:00
Hanno Becker 1097b34022 Extract message-consuming code-path to separate function
The first part of the function ssl_read_record_layer() was
to mark the previous message as consumed. This commit moves
the corresponding code-path to a separate static function
ssl_consume_current_message().
2018-08-17 16:52:08 +01:00
Hanno Becker 4162b11eb4 Make mbedtls_ssl_read_record_layer() static
This function was previously global because it was
used directly within ssl_parse_certificate_verify()
in library/ssl_srv.c. The previous commit removed
this dependency, replacing the call by a call to
the global parent function mbedtls_ssl_read_record().
This renders mbedtls_ssl_read_record_layer() internal
and therefore allows to make it static, and accordingly
rename it as ssl_read_record_layer().
2018-08-17 16:52:08 +01:00
Hanno Becker a4b143a57c Remove nested loop in mbedtls_ssl_read_record() 2018-08-17 16:52:08 +01:00
Hanno Becker 02f5907499 Correct misleading debugging output
Usually, debug messages beginning with "=> and "<="
match up and indicate entering of and returning from
functions, respectively. This commit fixes one exception
to this rule in mbedtls_ssl_read_record(), which sometimes
printed two messages of the form "<= XXX".
2018-08-17 16:52:08 +01:00
Hanno Becker 327c93b182 Add parameter to ssl_read_record() controlling checksum update
Previously, mbedtls_ssl_read_record() always updated the handshake
checksum in case a handshake record was received. While desirable
most of the time, for the CertificateVerify message the checksum
update must only happen after the message has been fully processed,
because the validation requires the handshake digest up to but
excluding the CertificateVerify itself. As a remedy, the bulk
of mbedtls_ssl_read_record() was previously duplicated within
ssl_parse_certificate_verify(), hardening maintenance in case
mbedtls_ssl_read_record() is subject to changes.

This commit adds a boolean parameter to mbedtls_ssl_read_record()
indicating whether the checksum should be updated in case of a
handshake message or not. This allows using it also for
ssl_parse_certificate_verify(), manually updating the checksum
after the message has been processed.
2018-08-17 16:52:08 +01:00
Hanno Becker e1dcb03557 Don't send empty fragments of nonempty handshake messages
This for example lead to the following corner case bug:
The code attempted to piggy-back a Finished message at
the end of a datagram where precisely 12 bytes of payload
were still available. This lead to an empty Finished fragment
being sent, and when  mbedtls_ssl_flight_transmit() was called
again, it believed that it was just starting to send the
Finished message, thereby calling ssl_swap_epochs() which
had already happened in the call sending the empty fragment.
Therefore, the second call would send the 'rest' of the
Finished message with wrong epoch.
2018-08-17 16:47:58 +01:00
Hanno Becker 04da189225 Make datagram packing dynamically configurable
This commit adds a public function

   `mbedtls_ssl_conf_datagram_packing()`

that allows to allow / forbid the packing of multiple
records within a single datagram.
2018-08-17 15:45:25 +01:00
Hanno Becker 7e7721350b Fix unused variable warning in ssl_session_reset_int()
The `partial` argument is only used when DTLS and same port
client reconnect are enabled. This commit marks the variable
as unused if that's not the case.
2018-08-17 15:45:10 +01:00
Hanno Becker 0defedb488 Fix unused variable warning in mbedtls_ssl_get_max_record_payload
If neither the maximum fragment length extension nor DTLS
are used, the SSL context argument is unnecessary as the
maximum payload length is hardcoded as MBEDTLS_SSL_MAX_CONTENT_LEN.
2018-08-17 15:45:05 +01:00
Hanno Becker f29d4702f7 Reset in/out pointers on SSL session reset
If a previous session was interrupted during flushing, the out
pointers might point arbitrarily into the output buffer.
2018-08-17 15:44:57 +01:00
Hanno Becker 4ccbf064ed Minor improvements in ssl_session_reset_int() 2018-08-17 15:44:53 +01:00
Hanno Becker 2a43f6f539 Introduce function to reset in/out pointers 2018-08-17 15:44:43 +01:00
Hanno Becker b50a253a87 Move size check for records 2018-08-17 15:44:26 +01:00
Hanno Becker 67bc7c3a38 Don't immediately flush datagram after preparing a record
This commit finally enables datagram packing by modifying the
record preparation function ssl_write_record() to not always
calling mbedtls_ssl_flush_output().
2018-08-17 15:44:09 +01:00
Hanno Becker 2b1e354754 Increase record buffer pointer after preparing a record
The packing of multiple records within a single datagram works
by increasing the pointer `out_hdr` (pointing to the beginning
of the next outgoing record) within the datagram buffer, as
long as space is available and no flush was mandatory.

This commit does not yet change the code's behavior of always
flushing after preparing a record, but it introduces the logic
of increasing `out_hdr` after preparing the record, and resetting
it after the flush has been completed.
2018-08-17 15:41:02 +01:00
Hanno Becker 3b235902b8 Log calls to ssl_flight_append() in debugging output 2018-08-17 15:40:55 +01:00
Hanno Becker 04484621d0 Increment record sequence number in ssl_write_record()
Previously, the record sequence number was incremented at the
end of each successful call to mbedtls_ssl_flush_output(),
which works as long as there is precisely one such call for
each outgoing record.

When packing multiple records into a single datagram, this
property is no longer true, and instead the increment of the
record sequence number must happen after the record has been
prepared, and not after it has been dispatched.

This commit moves the code for incrementing the record sequence
number from mbedtls_ssl_flush_output() to ssl_write_record().
2018-08-17 15:40:52 +01:00
Hanno Becker 198594709b Store outgoing record sequence number outside record buffer
This commit is another step towards supporting the packing of
multiple records within a single datagram.

Previously, the incremental outgoing record sequence number was
statically stored within the record buffer, at its final place
within the record header. This slightly increased efficiency
as it was not necessary to copy the sequence number when writing
outgoing records.

When allowing multiple records within a single datagram, it is
necessary to allow the position of the current record within the
datagram buffer to be flexible; in particular, there is no static
address for the record sequence number field within the record header.

This commit introduces an additional field `cur_out_ctr` within
the main SSL context structure `mbedtls_ssl_context` to keep track
of the outgoing record sequence number independent of the buffer used
for the current record / datagram. Whenever a new record is written,
this sequence number is copied to the the address `out_ctr` of the
sequence number header field within the current outgoing record.
2018-08-17 15:40:35 +01:00
Hanno Becker 5aa4e2cedd Move deduction of internal record buffer pointers to function
The SSL/TLS module maintains a number of internally used pointers
`out_hdr`, `out_len`, `out_iv`, ..., indicating where to write the
various parts of the record header.

These pointers have to be kept in sync and sometimes need update:
Most notably, the `out_msg` pointer should always point to the
beginning of the record payload, and its offset from the pointer
`out_iv` pointing to the end of the record header is determined
by the length of the explicit IV used in the current record
protection mechanism.

This commit introduces functions deducing these pointers from
the pointers `out_hdr` / `in_hdr` to the beginning of the header
of the current outgoing / incoming record.

The flexibility gained by these functions will subsequently
be used to allow shifting of `out_hdr` for the purpose of
packing multiple records into a single datagram.
2018-08-17 15:40:24 +01:00
Hanno Becker 3136ede0e8 Compute record expansion in steps to ease readability 2018-08-17 15:28:19 +01:00
Jaeden Amero 141e767fa9 Merge remote-tracking branch 'upstream-public/pr/1942' into development
Resolve conflicts in ChangeLog
2018-08-17 14:26:51 +01:00
Manuel Pégourié-Gonnard 3879fdfece Merge remote-tracking branch 'public/pr/1955' into iotssl-165-dtls-hs-fragmentation-new
* public/pr/1955:
  Adapt ChangeLog
  Fix overly strict bounds check in ssl_parse_certificate_request()
2018-08-17 10:49:47 +02:00
Andres Amaya Garcia 248e27c487 Remove redundant statement from x509_get_current_time 2018-08-16 21:50:23 +01:00
Andres Amaya Garcia 1abb368b87 Make gmtime() configurable at compile-time 2018-08-16 21:42:09 +01:00
Hanno Becker ad17fe9c37 Fix overly strict bounds check in ssl_parse_certificate_request() 2018-08-16 15:51:34 +01:00
Manuel Pégourié-Gonnard 19c62f90e4 Add test for session resumption 2018-08-16 10:50:39 +02:00
Manuel Pégourié-Gonnard 7e89c17788 Fix two typos in comments 2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard b747c6cf9b Add basic first tests for MTU setting
For now, just check that it causes us to fragment. More tests are coming in
follow-up commits to ensure we respect the exact value set, including when
renegotiating.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard 637e234d9f Merge remote-tracking branch 'public/pr/1915' into iotssl-165-dtls-hs-fragmentation-new
* public/pr/1915:
  Adapt ChangeLog
  Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC
2018-08-16 10:01:21 +02:00
Manuel Pégourié-Gonnard 9468ff1966 Implement support for MTU setting 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 0b1d9b2c75 Declare ssl_conf_mtu() 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 2cb17e201b Make handshake fragmentation follow max_frag_len
Note: no interop tests in ssl-opt.sh for now, as some of them make us run into
bugs in (the CI's default versions of) OpenSSL and GnuTLS, so interop tests
will be added later once the situation is clarified. <- TODO
2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 28f4beab1c Start implementing fragmentation 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 87a346f64e Always save flight first, (re)send later
This will allow fragmentation to always happen in the same place, always from
a buffer distinct from ssl->out_msg, and with the same way of resuming after
returning WANT_WRITE
2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 9c3a8caa92 Clarify code a bit in write_handshake_msg()
- take advantage of the fact that we're only called for first send
- put all sanity checks at the top
- rename and constify shortcut variables
- improve comments
2018-08-16 10:00:35 +02:00
Manuel Pégourié-Gonnard 31c1586893 Start separating handshake from record writing 2018-08-16 10:00:27 +02:00
Hanno Becker 7864090ec1 Reset session_in/out pointers in ssl_session_reset_int()
Fixes #1941.
2018-08-13 16:35:15 +01:00
Ron Eldor d1a4762adb Use mbedtls_printf instead of printf
Replace usages of `printf()` with `mbedtls_printf()` in `aria.c`
which were accidently merged. Fixes #1908
2018-08-13 13:49:52 +03:00
Jaeden Amero d8f41698d2 Merge remote-tracking branch 'upstream-public/pr/1598' into development
Add a Changelog entry
2018-08-10 11:23:15 +01:00
Jaeden Amero cac0c1a250 Merge remote-tracking branch 'upstream-public/pr/1378' into development 2018-08-10 10:59:53 +01:00
Andres Amaya Garcia d7177435e3 Fix check-names.sh fail with USE_GMTIME macro 2018-08-08 09:41:17 +01:00
Andres Amaya Garcia ce6eebb0b8 Use gmtime when target is not windows or posix 2018-08-07 20:26:55 +01:00
Hanno Becker 5b559ac7ab Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

It had the following two bugs:
(1) It did not consider the new ChaChaPoly ciphersuites, returning
    the error code #MBEDTLS_ERR_SSL_INTERNAL_ERROR in this case.
(2) It did not correctly estimate the maximum record expansion in case
    of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
    case the ciphertext is prefixed by an explicit IV.

This commit fixes both bugs.
2018-08-03 10:07:35 +01:00
k-stachowiak 9f7798ed3f Revert change of a return variable name 2018-07-31 16:52:32 +02:00
Ron Eldor 1b9b217abf enforce input and output of ccm selftest on stack
In `mbedtls_ccm_self_test()`, enforce input and output
buffers sent to the ccm API to be contigous and aligned,
by copying the test vectors to buffers on the stack.
2018-07-30 11:29:26 +03:00
Angus Gratton 608a487b9c Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails
In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can
happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but
hasn't been asigned to grp->T yet).

Symptom was a memory leak in ECDHE key exchange under low memory conditions.
2018-07-27 09:15:34 +10:00
Jaeden Amero 193c86425e Update version to 2.12.0 2018-07-25 15:42:26 +01:00
Simon Butcher 37b9fd5df6 Merge remote-tracking branch 'restricted/pr/490' into development 2018-07-24 23:40:37 +01:00
Simon Butcher 2c92949e0a Merge remote-tracking branch 'public/pr/1198' into development 2018-07-24 17:20:17 +01:00
Simon Butcher c88c627fba Merge remote-tracking branch 'public/pr/1658' into development 2018-07-24 17:19:10 +01:00
Ron Eldor 9ab746c7c9 Add selftests
Add selftests for key wrapping
2018-07-24 16:43:20 +01:00
Ron Eldor cb349ac279 Implement the KW and KWP algorithm
1. Add kw to the Makefiles
2. Implement the algorithms as defined in SP800-38F, and RFC 3394.
2018-07-24 16:43:20 +01:00
Ron Eldor 466a57fbbe Key wrapping API definition
Define the Key Wrapping API
2018-07-24 16:43:20 +01:00
Simon Butcher dad05b7fc9 Merge remote-tracking branch 'public/pr/1844' into development 2018-07-24 13:05:09 +01:00
k-stachowiak c9a5f02eab Move comment to a separate line 2018-07-24 13:53:31 +02:00
Simon Butcher 116ac43d00 Merge remote-tracking branch 'public/pr/1852' into development 2018-07-24 12:18:59 +01:00
k-stachowiak 463928a74b Fix code formatting 2018-07-24 12:50:59 +02:00
Simon Butcher fced1f2fb3 Merge remote-tracking branch 'public/pr/1854' into development 2018-07-24 10:26:46 +01:00
Brian J Murray ca2ea4e217 Fix issue if salt = NULL and salt_len !=0 in mbedtls_hkdf_extract() 2018-07-23 10:34:47 -07:00
Ron Eldor bb4bbbbbb4 Resolve PR review comments
Address review comments:
1. add `mbedtls_cipher_init()` after freeing context, in test code
2. style comments
3. set `ctx->iv_size = 0` in case `IV == NULL && iv_len == 0`
2018-07-23 18:18:35 +01:00
Ron Eldor 4e64e0b922 Fix after PR comments
1. Don't set IV onECB
2. Fix style issues
3. reduce number of tests
2018-07-23 18:18:32 +01:00
Ron Eldor 7b01244b99 Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves #1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB
2018-07-23 18:02:09 +01:00
Angus Gratton 1a7a17e548 Check for invalid short Alert messages
(Short Change Cipher Spec & Handshake messages are already checked for.)
2018-07-20 23:09:29 +01:00
Angus Gratton 34817929ea TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-20 23:09:29 +01:00
Angus Gratton b512bc1d29 CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-20 23:09:29 +01:00
Simon Butcher 922bd1efb2 Merge remote-tracking branch 'public/pr/1752' into development 2018-07-20 14:33:18 +01:00
Simon Butcher df15356259 Merge remote-tracking branch 'public/pr/1663' into development 2018-07-19 19:48:10 +01:00
k-stachowiak 21feae58cb Update change log 2018-07-11 17:34:55 +02:00
k-stachowiak a47911cb70 Fix memory leak in ssl_setup 2018-07-11 17:26:07 +02:00
Dawid Drozd 0e2c07e83e
Remove unnecessary mark as unused #1098
`ret` is used always at line 1305 in statement:
`if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )`
2018-07-11 15:16:53 +02:00
Manuel Pégourié-Gonnard 8744a02357 Clarify a few comments
The "+" sign could be misinterpreted as addition.
2018-07-11 12:30:40 +02:00
Simon Butcher e7aeef09ee Merge remote-tracking branch 'public/pr/536' into development 2018-07-10 15:24:26 +01:00
Simon Butcher 32b074720e Merge remote-tracking branch 'public/pr/1737' into development 2018-07-10 14:57:50 +01:00
Simon Butcher cdbb2f2168 Merge remote-tracking branch 'public/pr/1563' into development 2018-07-10 12:49:26 +01:00
Simon Butcher 6331cb0607 Fix some whitespace issues in ChangeLog and CMakeLists.txt
Stray tab in library/CMakeLists.txt and incorrect formatting in ChangeLog.
2018-07-10 11:48:42 +01:00
Simon Butcher d21bd31759 Merge remote-tracking branch 'public/pr/1567' into development 2018-07-10 11:43:06 +01:00
Manuel Pégourié-Gonnard 6a25cfae2a Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-10 11:15:36 +02:00
k-stachowiak a5fbfd7cd8 Enable snprintf on FreeBSD 2018-07-08 13:22:11 +01:00
Brian J Murray a61d123e0e Minor changes to comments in hkdf.c 2018-07-06 10:02:39 -07:00
Manuel Pégourié-Gonnard 7b42030b5d Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-05 14:44:49 +02:00
Manuel Pégourié-Gonnard 1cc1fb0599 Fix Lucky 13 cache attack on MD/SHA padding
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced
from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
If MD/SHA padding is read from a (static) buffer, a local attacker could get
information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
one, which is always read fully by the process() function.
2018-07-05 10:47:00 +02:00
Manuel Pégourié-Gonnard c8c12b6007 Add NULL pointer check for consistency
Most other functions in this module have a similar check.
2018-07-02 13:09:39 +02:00
Manuel Pégourié-Gonnard 78d7e8cbc7 Rename internal variable for consistency 2018-07-02 12:33:14 +02:00
Ron Eldor ab8d58cb2d Move definition of MBEDTLS_CIPHER_MODE_STREAM
Move definition of `MBEDTLS_CIPHER_MODE_STREAM` to header file
(`mbedtls_cipher_internal.h`), because it is used by more than
one file. Raised by TrinityTonic in #1719
2018-07-01 10:20:43 +03:00
k-stachowiak dcae78a7a9 Make a buffer limit more specific 2018-06-28 16:32:54 +02:00
k-stachowiak 470dfbabb9 Simplify OID tag parsing in x509_get_cert_ext( ) 2018-06-28 16:23:39 +02:00
Simon Butcher 034e1398f0 Merge remote-tracking branch 'public/pr/1621' into development 2018-06-28 12:09:15 +01:00
Simon Butcher 4b6b08e7d2 Merge remote-tracking branch 'public/pr/1006' into development 2018-06-28 12:08:59 +01:00
Simon Butcher 1d97cab5f5 Merge remote-tracking branch 'public/pr/1645' into development 2018-06-28 12:06:16 +01:00
Simon Butcher bea00bd89c Merge remote-tracking branch 'public/pr/1783' into development 2018-06-28 12:04:19 +01:00
Simon Butcher 6665b67ddf Merge remote-tracking branch 'public/pr/1390' into development 2018-06-27 10:51:47 +01:00
Nicholas Wilson 2682edf205 Fix build using -std=c99
In each place where POSIX/GNU functions are used, the file must declare
that it wants POSIX functionality before including any system headers.
2018-06-25 12:00:26 +01:00
Nicholas Wilson 512b4ee9c7 Use gmtime_r to fix thread-safety issue, and use mbedtls_time on Windows 2018-06-25 11:59:54 +01:00
niisato 8ee2422ef8 about a issue Replace "new" variable #1782 2018-06-25 19:05:48 +09:00
irwir e931d0efe5 Replace Windows API threading with CRT functions 2018-06-24 01:58:37 +03:00
Andres Amaya Garcia bf7fe4f3f0 Replace check with APPLE with CMAKE_SYSTEM_NAME 2018-06-21 20:21:38 +01:00
Andres Amaya Garcia 5b92352374 Document ssl_write_real() behaviour in detail 2018-06-21 19:23:21 +01:00
Ron Eldor 755bb6af5f Add ecc extensions only if ecc ciphersuite is used
Fix compliancy to RFC4492. ECC extensions should be included
only if ec ciphersuites are used. Interoperability issue with
bouncy castle. #1157
2018-06-21 16:35:26 +03:00
Andres Amaya Garcia e3402ce44f Enable APPLE_BUILD in makefile if using system ar 2018-06-20 10:43:21 +01:00
Manuel Pégourié-Gonnard 95e2ecae95 Fix IAR warning
The IAR compiler doesn't like it when we assign an int to an enum variable.

"C:\builds\ws\mbedtls-restricted-pr\library\ecp.c",509  Error[Pe188]:
          enumerated type mixed with another type
2018-06-20 10:29:47 +02:00
Manuel Pégourié-Gonnard 79d9b50421 Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development: (180 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-20 09:46:17 +02:00
Philippe Antoine 21f73b57ed Coding style
Commit to be squashed
2018-06-20 08:13:24 +02:00
Andres Amaya Garcia c51d613eac Ensure crosscompiling with make works in Mac OS X 2018-06-19 17:25:42 +01:00
Manuel Pégourié-Gonnard 2e58e8ee34 Implement ChachaPoly mode in TLS 2018-06-19 12:12:47 +02:00
Manuel Pégourié-Gonnard ce66d5e8e1 Declare ChaCha-Poly ciphersuites
Prefer them over AES-GCM as they have better performance and fewer side
channel considerations in software implementations.
2018-06-19 12:11:38 +02:00
Manuel Pégourié-Gonnard f57bf8b467 Define specific mode for ChachaPoly
The TLS layer is checking for mode, such as GCM, CCM, CBC, STREAM. ChachaPoly
needs to have its own mode, even if it's used just one cipher, in order to
allow consistent handling of mode in the TLS layer.
2018-06-19 11:32:48 +02:00
Manuel Pégourié-Gonnard a18034a8e2 Adjust to added fields in cipher_base_t
This is a follow-up to the previous merge commit: two fields were added in the
merged development branch
2018-06-19 11:32:01 +02:00
Manuel Pégourié-Gonnard 0dadba2b58 Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (182 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-19 11:13:50 +02:00
Simon Butcher 2fcd3e4441 Change the library version to 2.11.0
* Change the Mbed TLS library version to 2.11.0
 * Increase the soversion of libmbedcrypto
 * Increase the soversion of libmbedtls
2018-06-18 14:39:06 +01:00
Angus Gratton d8213d00db Let MBEDTLS_SSL_MAX_CONTENT_LEN to be split into outward & inward sizes
For the situation where the mbedTLS device has limited RAM, but the
other end of the connection doesn't support the max_fragment_length
extension. To be spec-compliant, mbedTLS has to keep a 16384 byte
incoming buffer. However the outgoing buffer can be made smaller without
breaking spec compliance, and we save some RAM.

See comments in include/mbedtls/config.h for some more details.

(The lower limit of outgoing buffer size is the buffer size used during
handshake/cert negotiation. As the handshake is half-duplex it might
even be possible to store this data in the "incoming" buffer during the
handshake, which would save even more RAM - but it would also be a lot
hackier and error-prone. I didn't really explore this possibility, but
thought I'd mention it here in case someone sees this later on a mission
to jam mbedTLS into an even tinier RAM footprint.)
2018-06-18 20:51:51 +10:00
Manuel Pégourié-Gonnard c7bc9e122f Fix a few typos 2018-06-18 10:30:30 +02:00
Simon Butcher cbe248a3f5 Merge remote-tracking branch 'public/pr/1727' into development 2018-06-17 17:37:29 +01:00
Simon Butcher 1f91575546 Merge remote-tracking branch 'public/pr/1681' into development 2018-06-17 17:35:54 +01:00
Simon Butcher 2711ad7505 Merge remote-tracking branch 'public/pr/1736' into development 2018-06-17 17:34:55 +01:00
Simon Butcher 600c5e6d20 Compilation warning fixes on 32b platfrom with IAR
Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683

This is based on work by Ron Eldor in PR #750, some of which was independently
fixed by Azim Khan and already merged in PR #1646.
2018-06-17 17:24:56 +01:00
Simon Butcher 2dbecc04cc Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 20:15:00 +01:00
Simon Butcher 66a8903f4a Fix for missing len var when XTS config'd and CTR not
The AES XTS self-test was using a variable len, which was declared only when CTR
was enabled. Changed the declaration of len to be conditional on CTR and XTS.
2018-06-15 18:20:29 +01:00
Simon Butcher 5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Simon Butcher 675590519a Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 14:13:14 +01:00
Jaeden Amero ff2f493432 config: List cipher modes in alphabetical order
Keeping the cipher modes list in alphabetical order makes it easier to
find things. Move OFB and XTS to their appropriate locations in the
list.
2018-06-14 11:42:27 +01:00
Simon Butcher 6ac1cf6f5f Merge remote-tracking branch 'public/pr/1182' into development 2018-06-14 10:33:29 +01:00
Simon Butcher c1bf1aaee5 Merge remote-tracking branch 'public/pr/1555' into development 2018-06-14 10:24:56 +01:00
Simon Butcher 73a4b80475 Merge remote-tracking branch 'public/pr/1672' into development 2018-06-14 10:24:02 +01:00
Simon Butcher 2ff0e52087 Fix missing preprocessor condition in AES self-test
The AES OFB self-test made use of a variable `offset` but failed to have a
preprocessor condition around it, so unless CTR and CBC were enabled, the
variable would be undeclared.
2018-06-14 09:57:07 +01:00
Philippe Antoine c03059db42 Simplify code in mbedtls_x509_csr_parse 2018-06-14 07:35:11 +02:00
Gilles Peskine 0a8352b4c2 Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
In ssl_parse_encrypted_pms, some operational failures from
ssl_decrypt_encrypted_pms lead to diff being set to a value that
depended on some uninitialized unsigned char and size_t values. This didn't
affect the behavior of the program (assuming an implementation with no
trap values for size_t) because all that matters is whether diff is 0,
but Valgrind rightfully complained about the use of uninitialized
memory. Behave nicely and initialize the offending memory.
2018-06-13 18:21:25 +02:00
Jaeden Amero 8cfc75f603 aes: xts: Fix style issues with gf128mul 2018-06-13 12:13:58 +01:00
Jaeden Amero 5f0b06aeda aes: xts: Fix description of gf128mul
THe function `mbedtls_gf128mul_x_ble()` doesn't multiply by x, x^4, and
x^8. Update the function description to properly describe what the function
does.
2018-06-13 12:13:58 +01:00
Jaeden Amero c653990ed5 cipher: Add wrappers for AES-XTS
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
2018-06-13 12:13:56 +01:00
Jaeden Amero 21d79cf947 aes: Add self test for AES-XTS 2018-06-13 12:05:04 +01:00
Jaeden Amero cd9fc5e541 aes: xts: Rename iv to data_unit
XTS doesn't have an IV, it has a "Data Unit". Rename iv for parity with the
XTS standard.
2018-06-13 12:05:04 +01:00
Jaeden Amero d82cd860b2 aes: xts: Rewrite to avoid use of goto
The flow was a bit hard to follow with the `goto` everywhere. Rewrite the
XTS implementation to avoid the use of `goto`.
2018-06-13 12:05:04 +01:00
Jaeden Amero 0a8b02087a aes: xts: Enforce NIST SP 800-38E data unit size
NIST SP 800-38E requites the data unit size be limited to at most 2^20 AES
blocks in size. Enforce this restriction.
2018-06-13 12:05:04 +01:00
Jaeden Amero 5162b932a2 aes: Use length instead of bits_length in XTS
mbedtls_aes_crypt_xts() currently takes a `bits_length` parameter, unlike
the other block modes. Change the parameter to accept a bytes length
instead, as the `bits_length` parameter is not actually ever used in the
current implementation.
2018-06-13 12:05:04 +01:00
Jaeden Amero 9366feb504 aes: xts: Add new context structure
Add a new context structure for XTS. Adjust the API for XTS to use the new
context structure, including tests suites and the benchmark program. Update
Doxgen documentation accordingly.
2018-06-13 12:05:04 +01:00
Jaeden Amero e9ecf00007 aes: Remove AES-XEX
AES-XEX is a building block for other cryptographic standards and not yet a
standard in and of itself. We'll just provide the standardized AES-XTS
algorithm, and not AES-XEX. The AES-XTS algorithm and interface provided
can be used to perform the AES-XEX algorithm when the length of the input
is a multiple of the AES block size.
2018-06-13 12:03:29 +01:00
Jaeden Amero 010c2cb456 gf128mul: Inline instead of making a new module 2018-06-13 12:03:29 +01:00
Jaeden Amero 97cc3b1354 gf128mul: Remove the jump table
If we're unlucky with memory placement, gf128mul_table_bbe may spread over
two cache lines and this would leak b >> 63 to a cache timing attack.
Instead, take an approach that is less likely to make different memory
loads depending on the value of b >> 63 and is also unlikely to be compiled
to a condition.
2018-06-13 12:03:29 +01:00
Aorimn 5f77801ac3 Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:03:27 +01:00
Aorimn 380162c34c Double perf for AES-XEX
As seen from the first benchmark run, AES-XEX was running pourly (even
slower than AES-CBC). This commit doubles the performances of the
current implementation.
2018-06-13 12:02:30 +01:00
Aorimn 8bb817a4c1 Add AES-XEX to the version features 2018-06-13 12:02:29 +01:00
Aorimn 9bbe3632e4 Rename exported symbols to please check-names.sh
Exported symbols seem to need the "mbedtls_" prefix, which has been
added to be128 and gf128mul_x_ble.
2018-06-13 12:01:50 +01:00
Aorimn 0089d36ae5 Implement AES-XEX mode
XEX mode, known as "xor-encrypt-xor", is the simple case of the XTS
mode, known as "XEX with ciphertext stealing". When the buffers to be
encrypted/decrypted have a length divisible by the length of a standard
AES block (16), XTS is exactly like XEX.
2018-06-13 11:56:03 +01:00
Aorimn b053658f95 Add 2 files for multiplication in GF(128)
Multiplication in GF(128) is required by the AES-XEX mode for computing
X in the XEX formula from
https://en.wikipedia.org/wiki/Disk_encryption_theory#Xor-encrypt-xor_.28XEX.29
2018-06-13 11:56:03 +01:00
Manuel Pégourié-Gonnard 558da9c3fe Make SSL error code more generic
It's undesirable to have users of the SSL layer check for an error code
specific to a lower-level layer, both out of general layering principles, and
also because if we later make another crypto module gain resume capabilities,
we would need to change the contract again (checking for a new module-specific
error code).
2018-06-13 12:02:12 +02:00
Andres Amaya Garcia 1d9375919a Conditionally assign APPLE_BUILD var in makefile 2018-06-13 10:05:43 +01:00
Andres Amaya Garcia c471cd7e0a Autodetect if running on OS X in makefile 2018-06-13 09:28:04 +01:00
Roberto Vargas 7decfe8c1e Convert mbedtls_free and mbedtls_calloc into functions
When MBEDTLS_PLATFORM_MEMORY is defined but MBEDTLS_PLATFORM_FREE_MACRO or
MBEDTLS_PLATFORM_CALLOC_MACRO are not defined then the actual functions
used to allocate and free memory are stored in function pointers.
These pointers are exposed to the caller, and it means that the caller
and the library have to share a data section.

In TF-A, we execute in a very constrained environment, where some images
are executed from ROM and other images are executed from SRAM. The
images that are executed from ROM cannot be modified. The SRAM size
is very small and we are moving libraries to the ROM that can be shared
between the different SRAM images.  These SRAM images could import all the
symbols used in mbedtls, but it would create an undesirable hard binary
dependency between the different images. For this reason, all the library
functions in ROM are accesed using a jump table whose base address is
known, allowing the images to execute with different versions of the ROM.

This commit changes the function pointers to actual functions,
so that the SRAM images only have to use the new exported symbols
(mbedtls_calloc and mbedtls_free) using the jump table. In
our scenario, mbedtls_platform_set_calloc_free is called from
mbedtls_memory_buffer_alloc_init which initializes the function pointers
to the internal buffer_alloc_calloc and buffer_alloc_free functions.

No functional changes to mbedtls_memory_buffer_alloc_init.

Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-06-13 09:17:59 +01:00
Manuel Pégourié-Gonnard da19f4c79f Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
Summary of merge conflicts:

include/mbedtls/ecdh.h -> documentation style
include/mbedtls/ecdsa.h -> documentation style
include/mbedtls/ecp.h -> alt style, new error codes, documentation style
include/mbedtls/error.h -> new error codes
library/error.c -> new error codes (generated anyway)
library/ecp.c:
    - code of an extracted function was changed
library/ssl_cli.c:
    - code addition on one side near code change on the other side
      (ciphersuite validation)
library/x509_crt.c -> various things
    - top fo file: helper structure added near old zeroize removed
    - documentation of find_parent_in()'s signature: improved on one side,
      added arguments on the other side
    - documentation of find_parent()'s signature: same as above
    - verify_chain(): variables initialised later to give compiler an
      opportunity to warn us if not initialised on a code path
    - find_parent(): funcion structure completely changed, for some reason git
      tried to insert a paragraph of the old structure...
    - merge_flags_with_cb(): data structure changed, one line was fixed with a
      cast to keep MSVC happy, this cast is already in the new version
    - in verify_restratable(): adjacent independent changes (function
      signature on one line, variable type on the next)
programs/ssl/ssl_client2.c:
    - testing for IN_PROGRESS return code near idle() (event-driven):
      don't wait for data in the the socket if ECP_IN_PROGRESS
tests/data_files/Makefile: adjacent independent additions
tests/suites/test_suite_ecdsa.data: adjacent independent additions
tests/suites/test_suite_x509parse.data: adjacent independent additions

* development: (1059 commits)
  Change symlink to hardlink to avoid permission issues
  Fix out-of-tree testing symlinks on Windows
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  ...
2018-06-13 09:52:54 +02:00
Andres Amaya Garcia c06c9ae088 Add alias APPLE make var of APPLE_BUILD 2018-06-12 18:29:28 +01:00
Darryl Green b11de306c4 Fix braces in mbedtls_memory_buffer_alloc_status() 2018-06-12 16:56:04 +01:00
Simon Butcher e47d6fd97e Merge remote-tracking branch 'public/pr/1497' into development 2018-06-12 16:53:04 +01:00
Simon Butcher f0d7629771 Merge remote-tracking branch 'public/pr/1593' into development 2018-06-12 16:41:41 +01:00
Simon Butcher ebb6427992 Merge remote-tracking branch 'public/pr/1646' into development 2018-06-12 16:41:04 +01:00
Simon Butcher 263498ac36 Merge remote-tracking branch 'public/pr/1667' into development 2018-06-12 16:40:07 +01:00
irwir 2239a868f7 Clear pk context and other minor changes in *_free() procedures 2018-06-12 18:25:09 +03:00
Simon Butcher 4844bf2b5c Add OFB as additional block mode
Following rebasing on the development branch which introduced the ARIA cipher,
OFB was missing as a block mode from some cipher tables.
2018-06-11 15:21:05 +01:00
Simon Butcher 5db13621ec Clarify documentation for AES OFB
1. Changed reference/link to NIST SP800-38A
 2. Clarified language around AES-OFB usage
2018-06-11 14:03:22 +01:00
Simon Butcher 00131446be Fix style and formatting for OFB feature 2018-06-11 14:03:22 +01:00
Simon Butcher ad4e4938d1 Fix AES-OFB support for errors, tests and self-test
Adds error handling into mbedtls_aes_crypt_ofb for AES errors, a self-test
for the OFB mode using NIST SP 800-38A test vectors and adds a check to
potential return errors in setting the AES encryption key in the OFB test
suite.
2018-06-11 14:03:22 +01:00
Simon Butcher 7487c5b2c8 Add missing OFB entry to null ciphersuite
The OFB entry has been omitted from the the null cipher suite definition,
null_base_info.
2018-06-11 14:03:22 +01:00
Simon Butcher 8c0fd1e881 Add cipher abstraction and test cases for OFB block mode
Adds OFB as additional block mode in the cipher abstraction, and additional
test cases for that block mode.
2018-06-11 14:03:22 +01:00
Simon Butcher 76a5b22973 Add OFB block mode to AES-128/192/256
Adds a new configuration of MBEDTLS_CIPHER_MODE_OFB and OFB mode to AES.
2018-06-11 14:03:22 +01:00
Thomas Fossati 656864b360 Add an HKDF (RFC 5869) implementation 2018-06-11 13:10:14 +01:00
Manuel Pégourié-Gonnard 39b1904b9f Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (97 commits)
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  Remove useless parameter from function
  Wipe sensitive info from the stack
  ...
2018-06-07 12:02:55 +02:00
Manuel Pégourié-Gonnard 21a65e0011 Fix usage of inline with for some compilers 2018-06-07 11:54:17 +02:00
Manuel Pégourié-Gonnard 2adb375c50 Add option to avoid 64-bit multiplication
Motivation is similar to NO_UDBL_DIVISION.

The alternative implementation of 64-bit mult is straightforward and aims at
obvious correctness. Also, visual examination of the generate assembly show
that it's quite efficient with clang, armcc5 and arm-clang. However current
GCC generates fairly inefficient code for it.

I tried to rework the code in order to make GCC generate more efficient code.
Unfortunately the only way to do that is to get rid of 64-bit add and handle
the carry manually, but this causes other compilers to generate less efficient
code with branches, which is not acceptable from a side-channel point of view.

So let's keep the obvious code that works for most compilers and hope future
versions of GCC learn to manage registers in a sensible way in that context.

See https://bugs.launchpad.net/gcc-arm-embedded/+bug/1775263
2018-06-07 11:05:33 +02:00
Simon Butcher d5a09f1e68 Updated version number to 2.10.0 for release 2018-06-06 14:52:00 +01:00
Philippe Antoine b5b254300e Fix undefined shifts
- in x509_profile_check_pk_alg
- in x509_profile_check_md_alg
- in x509_profile_check_key

and in ssl_cli.c : unsigned char gets promoted to signed integer
2018-06-06 14:27:12 +02:00
Philippe Antoine 747fd53938 Fixes different off by ones 2018-06-05 16:13:10 +02:00
Gilles Peskine d0e55a4657 ssl_decrypt_buf: remove code for hashes that aren't used in TLS 2018-06-04 14:41:19 +02:00
Manuel Pégourié-Gonnard 94175a50f7 Refresh generated file 2018-06-04 12:42:17 +02:00
Manuel Pégourié-Gonnard 3dc62a0a9b chachapoly: force correct mode for integrated API
Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check
the tag correctly (or at all). So force them to use auth_decrypt() instead.

See also https://github.com/ARMmbed/mbedtls/pull/1668
2018-06-04 12:18:19 +02:00
Manuel Pégourié-Gonnard 26c3b0a4b1 Fix return type of internal function
Fixes incomplete change in f4f01b6b7a
2018-06-04 12:06:23 +02:00
Gilles Peskine 5c38984fa7 Use our habitual INTERNAL_ERROR debug message 2018-06-04 12:02:43 +02:00
Gilles Peskine a7fe25d5a5 Remove tests of #define's that don't exist 2018-06-04 12:01:18 +02:00
Gilles Peskine 1bd9d58b21 Clarify comment about integer division by a variable 2018-06-04 11:58:44 +02:00
Simon Butcher 246cb05a92 Merge remote-tracking branch 'public/pr/1410' into development 2018-06-01 19:25:56 +01:00
Gilles Peskine 02b9329f2b Fix MSan build without MBEDTLS_TIMING_C
When MBEDTLS_TIMING_C was not defined in config.h, but the MemSan
memory sanitizer was activated, entropy_poll.c used memset without
declaring it. Fix this by including string.h unconditionally.
2018-06-01 18:19:59 +02:00
Janos Follath 4c579391b1 CCM*: Remove superfluous braces 2018-05-30 13:58:38 +01:00
Gilles Peskine 20b4408fbd Fix Lucky13 attack protection when using HMAC-SHA-384
As a protection against the Lucky Thirteen attack, the TLS code for
CBC decryption in encrypt-then-MAC mode performs extra MAC
calculations to compensate for variations in message size due to
padding. The amount of extra MAC calculation to perform was based on
the assumption that the bulk of the time is spent in processing
64-byte blocks, which is correct for most supported hashes but not for
SHA-384. Correct the amount of extra work for SHA-384 (and SHA-512
which is currently not used in TLS, and MD2 although no one should
care about that).
2018-05-29 14:06:49 +02:00
Janos Follath 997e85c049 CCM*: Remove nested if 2018-05-29 11:59:22 +01:00
Janos Follath b5734a28d9 CCM*: Add implementation 2018-05-29 11:59:22 +01:00
Azim Khan 45b79cf12b Treat warnings as errors for IAR
Fix IAR compiler warnings

Two warnings have been fixed:
1. code 'if( len <= 0xFFFFFFFF )' gave warning 'pointless integer comparison'.
   This was fixed by wraping the condition in '#if SIZE_MAX > 0xFFFFFFFF'.
2. code 'diff |= A[i] ^ B[i];' gave warning 'the order of volatile accesses is undefined in'.
   This was fixed by read the volatile data in temporary variables before the computation.

Explain IAR warning on volatile access

Consistent use of CMAKE_C_COMPILER_ID
2018-05-25 14:54:14 +01:00
Manuel Pégourié-Gonnard f4f01b6b7a Check return values from lower modules
The cast to void was motivated by the assumption that the functions only
return non-zero when passed bad arguments, but that might not be true of
alternative implementation, for example on hardware failure.
2018-05-24 18:50:18 +02:00
Manuel Pégourié-Gonnard 1729789075 Misc style adjustments
- fix some whitespace
- fix most overlong lines
- remove some superfluous parentheses
- s/result/ret/ for consistency with the rest of the library
2018-05-24 18:50:18 +02:00
Manuel Pégourié-Gonnard 98fae6d800 ChaCha20: move working state from ctx to stack
No need to keep it around.
2018-05-24 17:38:31 +02:00
Manuel Pégourié-Gonnard 9620f9b99e Rm mbedtls_ prefix form static functions
- prefix is no necessary for static ids and makes lines longer
- most often omitted (even though we're not fully consistent)
2018-05-24 17:04:02 +02:00
Manuel Pégourié-Gonnard fb78c90138 Use recently-introduced platform_util module 2018-05-24 16:54:57 +02:00
Manuel Pégourié-Gonnard 39f25616b3 Fix edit mistake in cipher_wrap.c
Error was from 08c337d058
2018-05-24 14:06:02 +02:00
Manuel Pégourié-Gonnard 3798b6be6b Add some error codes and merge others
- need HW failure codes too
- re-use relevant poly codes for chachapoly to save on limited space

Values were chosen to leave 3 free slots at the end of the NET odd range.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 32902e6eae cipher: handle ChaCha20 as a stream cipher
That's what it is. So we shouldn't set a block size != 1.

While at it, move call to chachapoly_update() closer to the one for GCM, as
they are similar (AEAD).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard c0dfcd4bf1 Simplify selftest functions using macros
This reduces clutter, making the functions more readable.

Also, it makes lcov see each line as covered. This is not cheating, as the
lines that were previously seen as not covered are not supposed to be reached
anyway (failing branches of the selftests).

Thanks to this and previous test suite enhancements, lcov now sees chacha20.c
and poly1305.c at 100% line coverage, and for chachapoly.c only two lines are
not covered (error returns from lower-level module that should never happen
except perhaps if an alternative implementation returns an unexpected error).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 59d2c30eba chachapoly: add test for parameter validation
Also fix two bugs found by the new tests.

Also remove redundant test case dependency declarations while at it.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard a8fa8b8f96 poly1305: add test for parameter validation
Also fix two validation bugs found while adding the tests.

Also handle test dependencies the right way while at it.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 1465602ee1 poly1305: fix bug in starts() and add test for it 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 55c0d096b7 chacha20: fix bug in starts() and add test for it
Previously the streaming API would fail when encrypting multiple messages with
the same key.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard b8bd80aa02 Add FEATURE_NOT_AVAILABLE error codes. 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 5ef92d309a chachapoly: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the GCM API that
very comparable to it, so switch to (pointer, len) for consistency.

Note that the crypt_and_tag() and auth_decrypt() functions were already using
the same convention as GCM, so this also increases intra-module consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard b1ac5e7842 poly1305: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the CMAC API that is
very comparable to Poly1305, so switch to (pointer, len) for consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard fe725defae cipher: use new functions from chachapoly 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 346b8d5050 chachapoly: split crypt_and_mac() to match GCM API
In addition to making the APIs of the various AEAD modules more consistent
with each other, it's useful to have an auth_decrypt() function so that we can
safely check the tag ourselves, as the user might otherwise do it in an
insecure way (or even forget to do it altogether).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 56206c4db1 Remove semi-internal chacha20_keystrem_block()
It's actually easy to implement chachapoly without it, so let's not clutter
the API (and avoid adding a burden to alt implementers).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 502f189253 ChaCha20: allow in-place en/decryption
All other ciphers so far allow this. In particular, the TLS layer depends on
this, despite what's documented in the Cipher layer, see
https://github.com/ARMmbed/mbedtls/issues/1085
https://github.com/ARMmbed/mbedtls/issues/1087

Also, this can be useful for implementing chachapoly without depending on the
semi-internal function keystream_block(), see next commit.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard dca3a5d884 Rename aead_chacha20_poly1305 to chachapoly
While the old name is explicit and aligned with the RFC, it's also very long,
so with the mbedtls_ prefix prepended we get a 31-char prefix to each
identifier, which quickly conflicts with our 80-column policy.

The new name is shorter, it's what a lot of people use when speaking about
that construction anyway, and hopefully should not introduce confusion at
it seems unlikely that variants other than 20/1305 be standardised in the
foreseeable future.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 4edd51babe Rename poly1305_setkey() to poly1305_starts()
For consistency with the existing CMAC and HMAC APIs
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard b7e99006f9 Avoid using %zu in selftest functions
This is a C99 feature and unfortunately we can't rely on it yet considering
the set of toolchain (versions) we want to support.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 95d0bdbd84 Adapt the _ALT style to our new standard
- in .h files: only put the context declaration inside the #ifdef _ALT
  (this was changed in 2.9.0, ie after the original PR)
- in .c file: only leave selftest out of _ALT: even though some function are
  trivial to build from other parts, alt implementors might want to go another
way about them (for efficiency or other reasons)
2018-05-24 13:37:31 +02:00
Daniel King e6e7968c3a Minor style and formatting fixes.
This change corrects some minor style violations, mostly for spacing
around parentheses.
2018-05-24 13:37:31 +02:00
Daniel King b6897f67a4 Correct signedness of printf specifier in self tests 2018-05-24 13:37:31 +02:00
Daniel King 16b04ce641 Fix unused function warning under certain configurations.
I refactored some code into the function mbedtls_constant_time_memcmp
in commit 7aad291 but this function is only used by GCM and
AEAD_ChaCha20_Poly1305 to check the tags. So this function is now
only enabled if either of these two ciphers is enabled.
2018-05-24 13:37:31 +02:00
Daniel King dedf4a3e7b Adjust verbose self-test output to match other ciphers. 2018-05-24 13:37:31 +02:00
Daniel King 8fe4701abe Add ChaCha20+Poly1305 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King a310c5e42b Allow some parameters to be NULL if the length is 0.
This change permits users of the ChaCha20/Poly1305 algorithms
(and the AEAD construction thereof) to pass NULL pointers for
data that they do not need, and avoids the need to provide a valid
buffer for data that is not used.
2018-05-24 13:37:31 +02:00
Daniel King b8025c5826 Implement AEAD-ChaCha20-Poly1305.
This implementation is based off the description in RFC 7539.

The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
2018-05-24 13:37:31 +02:00
Daniel King adc32c0b50 Add Poly1305 authenticator algorithm (RFC 7539)
Test vectors are included from RFC 7539.

Poly1305 is also added to the benchmark program.
2018-05-24 13:37:31 +02:00
Daniel King bd92062269 Add ChaCha20 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King 34b822ce7b Initial implementation of ChaCha20 2018-05-24 13:37:31 +02:00
Simon Butcher 2f3a581567 Merge remote-tracking branch 'public/pr/1178' into development 2018-05-23 16:15:13 +01:00
Andres Amaya Garcia 0e98e88a22 Silence no symbols warn on apple & Makefile 2018-05-23 09:19:54 +01:00
TabascoEye 7f3ef2780c silence "no symbols" warnings on apple clang
fixes #1252
2018-05-23 09:18:49 +01:00
Manuel Pégourié-Gonnard 7124fb63be Use zeroize function from new platform_util 2018-05-22 16:05:33 +02:00
Manuel Pégourié-Gonnard a3712beb9b Merge branch 'development' into iotssl-1941-aria-ciphersuites
* development: (504 commits)
  Fix minor code style issues
  Add the uodate to the soversion to the ChangeLog
  Fix the ChangeLog for clarity, english and credit
  Update version to 2.9.0
  ecp: Fix binary compatibility with group ID
  Changelog entry
  Change accepted ciphersuite versions when parsing server hello
  Remove preprocessor directives around platform_util.h include
  Fix style for mbedtls_mpi_zeroize()
  Improve mbedtls_platform_zeroize() docs
  mbedtls_zeroize -> mbedtls_platform_zeroize in docs
  Reword config.h docs for MBEDTLS_PLATFORM_ZEROIZE_ALT
  Organize CMakeLists targets in alphabetical order
  Organize output objs in alfabetical order in Makefile
  Regenerate errors after ecp.h updates
  Update ecp.h
  Change variable bytes_written to header_bytes in record decompression
  Update ecp.h
  Update ecp.h
  Update ecp.h
  ...
2018-05-22 15:58:50 +02:00
Manuel Pégourié-Gonnard 2df4bfe803 Fix typo in comments 2018-05-22 13:39:01 +02:00
Manuel Pégourié-Gonnard 565e4e0fb2 Use more appropriate type for local variable 2018-05-22 13:30:28 +02:00
Manuel Pégourié-Gonnard 08c337d058 Remove useless parameter from function 2018-05-22 13:18:01 +02:00
Manuel Pégourié-Gonnard 89924ddc7e Wipe sensitive info from the stack 2018-05-22 13:07:07 +02:00
Manuel Pégourié-Gonnard 12e2fbdf29 Style adjustments 2018-05-22 13:01:09 +02:00
Manuel Pégourié-Gonnard d418b0dcba Fix typo in comment 2018-05-22 12:56:11 +02:00
tdoe 020c823f62 fixed segmentation fault 2018-05-18 13:09:12 +02:00
tdoe c150f0d050 fixed missing initializer 2018-05-18 12:12:45 +02:00
Jaeden Amero 23f954dff9 Fix string downcast to PrintableString as issued in #1033 2018-05-18 11:49:49 +02:00
Darryl Green 11999bb72e Fix minor code style issues 2018-05-15 09:21:57 +01:00
Philippe Antoine 6087f200bf Fix memory leak in mbedtls_x509_csr_parse 2018-05-09 07:54:12 +02:00
Jaeden Amero a331e0f0af Merge remote-tracking branch 'upstream-restricted/pr/421' into development-proposed 2018-05-04 14:39:24 +01:00
Gilles Peskine 1febfef561 Rename mbedtls_ssl_async_{get,set}_data for clarity
Rename to mbedtls_ssl_get_async_operation_data and
mbedtls_ssl_set_async_operation_data so that they're about
"async operation data" and not about some not-obvious "data".
2018-04-30 11:54:39 +02:00
Jaeden Amero 7d7bad6b1f Update version to 2.9.0
Bump SOVERSION for parity with 2.7.2 and 2.7.3.
2018-04-30 09:58:33 +01:00
Gilles Peskine 8f97af7ea3 Don't pass the async config data to async callbacks
The config data is in the SSL config, so callbacks can retrieve it
from there, with the new function mbedtls_ssl_conf_get_async_config_data.
2018-04-26 11:46:10 +02:00
Gilles Peskine e141638868 Finish writing an unfinished comment 2018-04-26 10:23:34 +02:00
Jaeden Amero c64a300027 Merge remote-tracking branch 'upstream-restricted/pr/471' into development-restricted-proposed
Remove trailing whitespace in ChangeLog.
2018-04-26 09:06:33 +01:00
Jaeden Amero bd05dfd49f Merge branch 'development-proposed' into development-restricted-proposed
Resolve conflicts in ChangeLog
2018-04-26 09:03:03 +01:00
Gilles Peskine 0fd90dd713 ssl_prepare_server_key_exchange: clarify where the signature is written 2018-04-26 10:00:40 +02:00
Gilles Peskine 22e695fc5a Be more precise about when a variable is unused 2018-04-26 10:00:40 +02:00
Gilles Peskine ad28bf0e58 Documentation improvements 2018-04-26 10:00:40 +02:00
Gilles Peskine 168dae8567 Comment formatting and whitespace fixes 2018-04-26 10:00:40 +02:00
Gilles Peskine df13d5c7a6 Pass the SSL context to async callbacks
When a handshake step starts an asynchronous operation, the
application needs to know which SSL connection the operation is for,
so that when the operation completes, the application can wake that
connection up. Therefore the async start callbacks need to take the
SSL context as an argument. It isn't enough to let them set a cookie
in the SSL connection, the application needs to be able to find the
right SSL connection later.

Also pass the SSL context to the other callbacks for consistency. Add
a new field to the handshake that the application can use to store a
per-connection context. This new field replaces the former
context (operation_ctx) that was created by the start function and
passed to the resume function.

Add a boolean flag to the handshake structure to track whether an
asynchronous operation is in progress. This is more robust than
relying on the application to set a non-null application context.
2018-04-26 10:00:40 +02:00
Gilles Peskine 9b562d5c36 mbedtls_ssl_handshake_free: take the SSL context as argument
Change the signature of mbedtls_ssl_handshake_free again. Now take the
whole SSL context as argument and not just the configuration and the
handshake substructure.

This is in preparation for changing the asynchronous cancel callback
to take the SSL context as an argument.
2018-04-26 10:00:40 +02:00
Gilles Peskine 2e33337570 Fix invalid data being accepted in RSA-decryption-based ciphersuites
In the refactoring of ssl_parse_encrypted_pms, I advertently broke the
case when decryption signalled an error, with the variable ret getting
overwritten before calculating diff. Move the calculation of diff
immediately after getting the return code to make the connection more
obvious. Also move the calculation of mask immediately after the
calculation of diff, which doesn't change the behavior, because I find
the code clearer that way.
2018-04-26 10:00:39 +02:00
Gilles Peskine b74a1c73b1 Rename MBEDTLS_SSL_ASYNC_PRIVATE_C to MBEDTLS_SSL_ASYNC_PRIVATE
This is an optional feature, not a module of its own, so don't call it
MBEDTLS_xxx_C and put it in the appropriate section of config.h.
2018-04-26 10:00:39 +02:00
Gilles Peskine f112725487 Style and grammar fixes 2018-04-26 10:00:39 +02:00
Gilles Peskine b44692f126 Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9
Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
  concurrently added errors; made the new error a full sentence per
  current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
    * ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
      was due to style corrections in development
      (4cb1f4d49c) which I merged with
      my refactoring.
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first case, variable declarations: merged line
      by line:
        * dig_signed_len: added in async
        * signature_len: removed in async
        * hashlen: type changed to size_t in development
        * hash: size changed to MBEDTLS_MD_MAX_SIZE in async
        * ret: added in async
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first cae comment: the conflict was due to style
      corrections in development (4cb1f4d49c)
      which I merged with my comment changes made as part of refactoring
      the function.
    * ssl_prepare_server_key_exchange "Compute the hash to be signed" if
      `md_alg != MBEDTLS_MD_NONE`: conflict between
      ebd652fe2d
      "ssl_write_server_key_exchange: calculate hashlen explicitly" and
      46f5a3e9b4 "Check return codes from
      MD in ssl code". I took the code from commit
      ca1d742904 made on top of development
      which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
      hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
  of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
  definitions for async support, and the introduction of idle().
    * definitions before main: concurrent additions, kept both.
    * main, just after `handshake:`: in the loop around
      mbedtls_ssl_handshake(), merge the addition of support for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
      with the addition of the idle() call.
    * main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
      code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
    * main, loop around mbedtls_ssl_read() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
    * main, loop around mbedtls_ssl_write() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
2018-04-26 10:00:27 +02:00
Jaeden Amero 84a1107818 Merge remote-tracking branch 'upstream-public/pr/1592' into development-proposed 2018-04-25 14:22:12 +01:00
Andrzej Kurek 03bac448db Change accepted ciphersuite versions when parsing server hello
Accept only ciphersuites for version chosen by the server
2018-04-25 05:06:07 -04:00
Jaeden Amero 8945343a51 Merge branch 'development-proposed' into development-restricted-proposed
Resolve merge conflict in ecp.h, where `mbedtls_ecp_keypair` was moved.
2018-04-24 17:16:34 +01:00
Andres Amaya Garcia 8491406803 Remove preprocessor directives around platform_util.h include 2018-04-24 08:40:46 -05:00
Andres Amaya Garcia 6698d2fc5c Fix style for mbedtls_mpi_zeroize() 2018-04-24 08:39:07 -05:00
Andres Amaya Garcia bc7bdbf5c8 Organize CMakeLists targets in alphabetical order 2018-04-24 08:29:20 -05:00
Andres Amaya Garcia 21b376b56c Organize output objs in alfabetical order in Makefile 2018-04-24 08:28:26 -05:00
Jaeden Amero 1afdec1812 Merge remote-tracking branch 'upstream-public/pr/1578' into development-proposed 2018-04-24 14:19:41 +01:00
Jaeden Amero 3dd8abd037 Regenerate errors after ecp.h updates
The error descriptions were updated in ecp.h (PR #1578), so also update
the strings in error.c.
2018-04-24 14:13:15 +01:00
Andrzej Kurek a9ceef8e03 Change variable bytes_written to header_bytes in record decompression
The name is changed to better reflect the input, decompression case
2018-04-24 06:34:17 -04:00
Gilles Peskine ca1d742904 mbedtls_ssl_get_key_exchange_md_tls1_2: return hashlen
In mbedtls_ssl_get_key_exchange_md_tls1_2, add an output parameter for
the hash length. The code that calls this function can currently do
without it, but it will need the hash length in the future, when
adding support for a third-party callback to calculate the signature
of the hash.
2018-04-24 11:53:22 +02:00
Gilles Peskine 2c6078ed3b SSL asynchronous decryption (server side)
Support SSL asynchronous private operation for the case of a
decryption operation on a server.
2018-04-24 09:36:36 +02:00
Gilles Peskine bcd98a5306 ssl_parse_encrypted_pms refactor: prepare, decrypt, return
Reorganize ssl_parse_encrypted_pms so that it first prepares the
ciphertext to decrypt, then decrypts it, then returns either the
decrypted premaster secret or random data in an appropriate manner.

This is in preparation for allowing the private key operation to be
offloaded to an external cryptographic module which can operate
asynchronously. The refactored code no longer calculates state before
the decryption that needs to be saved until after the decryption,
which allows the decryption to be started and later resumed.
2018-04-24 09:36:36 +02:00
Gilles Peskine 422ccabe29 ssl_parse_encrypted_pms refactor: prepare for remote private key
Use the public key to extract metadata rather than the public key.
Don't abort early if there is no private key.

This is in preparation for allowing the private key operation to be
offloaded to an external cryptographic module.
2018-04-24 09:36:36 +02:00
Gilles Peskine f9f15ae5a1 ssl_write_server_key_exchange refactor: don't use p at all
Use ssl->out_msglen as the cursor in ssl->out_msg throughout, rather
than switching a between pointer and an offset.
2018-04-24 09:36:36 +02:00
Gilles Peskine d3eb0619a6 ssl_write_server_key_exchange refactor: minor cleanup
Clean up some debug messages and improve some comments.
2018-04-24 09:36:36 +02:00
Gilles Peskine ebd30ae205 ssl_write_server_key_exchange refactor: ssl_resume_server_key_exchange
Continue clarifying the control flow. This gets rid of the last goto
introduced by the initial code for asynchronous signature support.
2018-04-24 09:36:36 +02:00
Gilles Peskine d04d292b64 Get rid of useless handshake field out_async_start
The location where the signature goes is now tracked via
ssl->out_msglen, which makes ssl->handshake->out_async_start redundant.
2018-04-24 09:36:36 +02:00
Gilles Peskine 7ab013a08a ssl_write_server_key_exchange refactor: move signature_len out
Move the writing of signature_len out of
ssl_prepare_server_key_exchange. This simplifies the control flow (one
less goto).
2018-04-24 09:36:36 +02:00
Gilles Peskine 1004c19ed0 ssl_write_server_key_exchange refactor: don't use p in the signing phase
This is in preparation of further splitting ssl_write_server_key_exchange
into several functions.
2018-04-24 09:36:36 +02:00
Gilles Peskine 184a3faa8a ssl_write_server_key_exchange refactor: create ssl_prepare_server_key_exchange
This is in the process of splitting ssl_write_server_key_exchange
into several functions.
2018-04-24 09:36:36 +02:00
Gilles Peskine 3ce9b900d2 ssl_write_server_key_exchange refactor: remove dig_signed_len
Simplify the redundant varaible dig_signed_len away.

This is in preparation for splitting ssl_write_server_key_exchange
into several functions.
2018-04-24 09:36:36 +02:00
Gilles Peskine 4bf9a28d1d SSL asynchronous signature: first implementation
Implement SSL asynchronous private operation for the case of a
signature operation in a server.

This is a first implementation. It is functional, but the code is not
clean, with heavy reliance on goto.
2018-04-24 09:36:06 +02:00
Gilles Peskine ebd652fe2d ssl_write_server_key_exchange: calculate hashlen explicitly
The pk layer can infer the hash length from the hash type. Calculate
it explicitly here anyway because it's needed for debugging purposes,
and it's needed for the upcoming feature allowing the signature
operation to be offloaded to an external cryptographic processor, as
the offloading code will need to know what length hash to copy.
2018-04-24 09:34:38 +02:00
Gilles Peskine e1efdf912f ssl_write_server_key_exchange: don't hard-code max hash size 2018-04-24 09:32:29 +02:00
Gilles Peskine e198df53a0 ssl_pick_cert: use the public key for can_do
This is in preparation for support of external private key operations,
where there is no private key object.
2018-04-24 09:32:29 +02:00
Gilles Peskine 8bf79f6dc6 SSL asynchronous private key operation callbacks: interface
New compile-time option MBEDTLS_SSL_ASYNC_PRIVATE_C, enabling
callbacks to replace private key operations. These callbacks allow the
SSL stack to make an asynchronous call to an external cryptographic
module instead of calling the cryptography layer inside the library.
The call is asynchronous in that it may return the new status code
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, in which case the SSL stack returns
and can be later called where it left off.

This commit introduces the configuration option. Later commits will
implement the feature proper.
2018-04-24 09:32:28 +02:00
Gilles Peskine 59e83d96db Add conf parameter to mbedtls_ssl_handshake_free
This function is declared in ssl_internal.h, so this is not a public
API change.

This is in preparation for mbedtls_ssl_handshake_free needing to call
methods from the config structure.
2018-04-24 09:32:28 +02:00
Gilles Peskine fe1c0937d7 ssl_write_server_key_exchange refactor: remove redundant variable n
Remove redundant variable n, which counts in parallel to p. Having
both adds the burden of keeping them in synch for no benefit.
2018-04-24 09:32:28 +02:00
Gilles Peskine 81d4e899a4 Don't rely on private key metadata in SSL
In SSL, don't use mbedtls_pk_ec or mbedtls_pk_rsa on a private
signature or decryption key (as opposed to a public key or a key used
for DH/ECDH). Extract the data (it's the same data) from the public
key object instead. This way the code works even if the private key is
opaque or if there is no private key object at all.

Specifically, with an EC key, when checking whether the curve in a
server key matches the handshake parameters, rely only on the offered
certificate and not on the metadata of the private key.
2018-04-24 09:26:03 +02:00
Mohammad Azim Khan 1d3b508b82 Same ciphersuite validation in server and client hello 2018-04-20 18:54:18 +01:00
Andrzej Kurek 5462e02874 ssl_tls: Fix invalid buffer sizes during compression / decompression
Adjust information passed to zlib to include already written data.
2018-04-20 07:58:53 -04:00
Gilles Peskine f2b76cd45c Merge remote-tracking branch 'upstream-restricted/pr/461' into development-restricted-proposed 2018-04-19 17:41:39 +02:00
Manuel Pégourié-Gonnard 64f5adf9f9 Merge remote-tracking branch 'public/pr/1380' into development-proposed
* public/pr/1380:
  Update ChangeLog for #1380
  Generate RSA keys according to FIPS 186-4
  Generate primes according to FIPS 186-4
  Avoid small private exponents during RSA key generation
2018-04-18 16:13:52 +02:00
Mohammad Azim Khan e5b5bd7a40 Allocate a unique err code for MBEDTLS_ERR_AES_BAD_INPUT_DATA 2018-04-17 23:29:47 +01:00
Mohammad Azim Khan 3f7f8170d6 Check invalid nc_off
Uninitialized nc_off value >0xf passed by the caller can cause array out-of-bound.
2018-04-17 23:18:40 +01:00
Andres Amaya Garcia 3ea559ea6c Fix alignment in makefile 2018-04-17 10:17:22 -05:00
Andres Amaya Garcia 1f6301b3c8 Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
Andres Amaya Garcia 904e1efb8c Make utils module part of the platform 2018-04-17 10:00:11 -05:00
Andres Amaya Garcia 757cd72edf Update license headers year and branding 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia 1e8ea5fa68 Improve docs for mbedtls_zeroize() and add refs 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia 0bd4237c2a Fix formatting in utils.c file comment 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia ecd1891c51 Change mbedtls_zeroize() to prevent optimizations
Change mbedtls_zeroize() implementation to use memset() instead of a
custom implementation for performance reasons. Furthermore, we would
also like to prevent as much as we can compiler optimisations that
remove zeroization code.

The implementation of mbedtls_zeroize() now uses a volatile function
pointer to memset() as suggested by Colin Percival at:

http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia b1262a3bdb Allow compile-time alternate to mbedtls_zeroize()
Add a new macro MBEDTLS_UTILS_ZEROIZE that allows users to configure
mbedtls_zeroize() to an alternative definition when defined. If the
macro is not defined, then mbed TLS will use the default definition of
the function.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia e32df087fb Remove individual copies of mbedtls_zeroize()
This commit removes all the static occurrencies of the function
mbedtls_zeroize() in each of the individual .c modules. Instead the
function has been moved to utils.h that is included in each of the
modules.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia 614d9c0667 Add a utils.h file that contains common functions
The new header contains common information across various mbed TLS
modules and avoids code duplication. To start, utils.h currently only
contains the mbedtls_zeroize() function.
2018-04-17 09:17:38 -05:00
Augustin Cavalier 60bc47dd87 library: Port to Haiku. 2018-04-11 20:27:32 -04:00
Jethro Beekman c645bfe176 Generate RSA keys according to FIPS 186-4
The specification requires that P and Q are not too close. The specification
also requires that you generate a P and stick with it, generating new Qs until
you have found a pair that works. In practice, it turns out that sometimes a
particular P results in it being very unlikely a Q can be found matching all
the constraints. So we keep the original behavior where a new P and Q are
generated every round.
2018-04-11 08:38:37 -07:00
Jethro Beekman 666892792d Generate primes according to FIPS 186-4
The specification requires that numbers are the raw entropy (except for odd/
even) and at least 2^(nbits-0.5). If not, new random bits need to be used for
the next number. Similarly, if the number is not prime new random bits need to
be used.
2018-04-11 08:38:37 -07:00
Jethro Beekman 97f95c9ef3 Avoid small private exponents during RSA key generation
Attacks against RSA exist for small D. [Wiener] established this for
D < N^0.25. [Boneh] suggests the bound should be N^0.5.

Multiple possible values of D might exist for the same set of E, P, Q. The
attack works when there exists any possible D that is small. To make sure that
the generated key is not susceptible to attack, we need to make sure we have
found the smallest possible D, and then check that D is big enough. The
Carmichael function λ of p*q is lcm(p-1, q-1), so we can apply Carmichael's
theorem to show that D = d mod λ(n) is the smallest.

[Wiener] Michael J. Wiener, "Cryptanalysis of Short RSA Secret Exponents"
[Boneh] Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key d Less than N^0.292"
2018-04-11 08:38:37 -07:00
Manuel Pégourié-Gonnard 4ca9a45756 Merge remote-tracking branch 'public/pr/1560' into development-proposed
* public/pr/1560:
  Warn if using a memory sanitizer on AESNI
2018-04-11 13:06:30 +02:00
Brendan Shanks 8339c8f5bd x509.c: Remove unused includes
Remove unused includes guarded by MBEDTLS_FS_IO, which doesn't appear
anywhere else in the file.
2018-04-06 16:47:43 -07:00
Fabio Alessandrelli df60856702 Only redefine _WIN32_WINNT macro when < 0x0501 2018-04-06 18:07:53 +02:00
Krzysztof Stachowiak fe60132305 Move a buffer size test before the first relevant read 2018-04-05 16:53:35 +02:00
Gilles Peskine 5053efde33 Warn if using a memory sanitizer on AESNI
Clang-Msan is known to report spurious errors when MBEDTLS_AESNI_C is
enabled, due to the use of assembly code. The error reports don't
mention AES, so they can be difficult to trace back to the use of
AES-NI. Warn about this potential problem at compile time.
2018-04-05 15:37:38 +02:00
Gilles Peskine ec4733b645 Make the memset call prior to FD_ZERO conditional to needing it
Zeroing out an fd_set before calling FD_ZERO on it is in principle
useless, but without it some memory sanitizers think the fd_set is
still uninitialized after FD_ZERO (e.g. clang-msan/Glibc/x86_64 where
FD_ZERO is implemented in assembly). Make the zeroing conditional on
using a memory sanitizer.
2018-04-05 14:55:47 +02:00
Krzysztof Stachowiak 94d49978eb Improve comments style 2018-04-05 14:48:55 +02:00
Krzysztof Stachowiak cd09fc812d Remove a redundant test 2018-04-05 14:48:18 +02:00
Krzysztof Stachowiak 73b183c3bb Add buffer size check before cert_type_len read 2018-04-05 10:20:09 +02:00
Gilles Peskine 80aa3b8d65 Merge branch 'pr_946' into development-proposed 2018-04-04 10:33:45 +02:00
Gilles Peskine 73db8380ca Merge remote-tracking branch 'upstream-public/pr/1547' into development-proposed 2018-04-04 09:19:12 +02:00
Gilles Peskine be2371c3d9 Merge branch 'pr_348' into development-proposed 2018-04-04 09:18:27 +02:00
Gilles Peskine a09453f495 Merge branch 'pr_1395' into development-proposed 2018-04-04 09:14:12 +02:00
Gilles Peskine 1fae860f0f Merge remote-tracking branch 'upstream-public/pr/1543' into development-proposed 2018-04-04 09:03:25 +02:00
Hanno Becker f4e5b7e87d Additionally initialize fd_set's via memset in mbedtls_net_poll
The initialization via FD_SET is not seen by memory sanitizers if
FD_SET is implemented through assembly. Additionally zeroizing the
respective fd_set's before calling FD_SET contents the sanitizers
and comes at a negligible computational overhead.
2018-04-03 16:28:09 +01:00
mohammad1603 19d392b258 Fix compatibility problem in the printed message
Replace %zu with %lu and add cast for the printed value.
2018-04-02 07:35:50 -07:00
Gilles Peskine 90a8b5219f Merge branch 'pr_1480' into development-proposed 2018-04-01 12:44:06 +02:00
Gilles Peskine 0ed632f445 Merge remote-tracking branch 'upstream-public/pr/1499' into development-proposed 2018-04-01 12:41:22 +02:00
Gilles Peskine 695d557dcf Merge branch 'pr_1180' into development-proposed 2018-04-01 12:26:36 +02:00
Gilles Peskine 039fd12834 Robustness fix in mbedtls_ssl_derive_keys
In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in
ciphersuites that don't use HMAC. This doesn't change the behavior of
the code, but avoids relying on an uncaught error when attempting to
start an HMAC operation that hadn't been initialized.
2018-03-31 22:53:49 +02:00
Gilles Peskine cc78ac46e7 Update error.c 2018-03-30 18:52:10 +02:00
Gilles Peskine 5114d3e4e1 Clarify the use of MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
Clarify what MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH and
MBEDTLS_ERR_PK_SIG_LEN_MISMATCH mean. Add comments to highlight that
this indicates that a valid signature is present, unlike other error
codes. See
https://github.com/ARMmbed/mbedtls/pull/1149#discussion_r178130705
2018-03-30 18:43:16 +02:00
Nicholas Wilson 08f3ef1861 Basic support for Curve448, similar to the current level of support for Curve25519 2018-03-29 14:29:06 +01:00
Jaeden Amero 2ad47e3bcc Merge remote-tracking branch 'upstream-public/pr/1528' into development-proposed 2018-03-29 11:00:50 +01:00
Jaeden Amero 78a03ec230 Merge remote-tracking branch 'upstream-public/pr/1379' into development-proposed 2018-03-29 10:57:57 +01:00
mohammad1603 52aecb9a7f Check whether INT_MAX larger than SIZE_MAX scenario
Check whether INT_MAX larger than SIZE_MAX scenario
2018-03-28 23:41:40 -07:00
Jaeden Amero 90226be779 Merge remote-tracking branch 'upstream-public/pr/1467' into development-proposed 2018-03-28 15:35:22 +01:00
Jaeden Amero 2843d21d99 Merge remote-tracking branch 'upstream-public/pr/1523' into development-proposed 2018-03-28 15:32:13 +01:00
Hanno Becker 2bd57578af Merge branch 'development' into iotssl-1204 2018-03-28 14:52:35 +01:00
Jaeden Amero 5ec118352e Merge remote-tracking branch 'upstream-public/pr/1474' into development-proposed 2018-03-28 14:22:29 +01:00
Jaeden Amero 552b9cc5ba Merge remote-tracking branch 'upstream-public/pr/1477' into development-proposed 2018-03-28 13:42:32 +01:00
Jaeden Amero 8645e90825 Merge remote-tracking branch 'upstream-restricted/pr/363' into development-proposed 2018-03-28 11:54:28 +01:00
Manuel Pégourié-Gonnard 18b78435dc Fix a typo in a comment 2018-03-28 11:14:06 +02:00
Nicholas Wilson 54fc34ea68 Include order of Curve25519 base point in curve data 2018-03-28 11:08:30 +02:00
Andres Amaya Garcia af9a486b01 Fix coding style in pkcs5.c preprocessor directives 2018-03-27 20:53:12 +01:00
Marcos Del Sol Vives 8a0dfacb58 Compile PBES2 in PKCS5 only if ASN1 is enabled 2018-03-27 20:15:33 +01:00
Andy Leiserson 79e7789d44 return plaintext data faster on unpadded decryption 2018-03-27 10:55:24 -07:00
Jaeden Amero fba16f782c Merge remote-tracking branch 'upstream-public/pr/572' into development-proposed 2018-03-27 16:42:20 +01:00
Andres Amaya Garcia ceed91b72c Allow overriding ar param prefix in library/Makefile 2018-03-25 23:48:39 +01:00
Andres Amaya Garcia 873f15d70d Make DLEXT var configurable in library/Makefile 2018-03-25 23:47:15 +01:00
Jaeden Amero f65379bc40 Merge remote-tracking branch 'upstream-restricted/pr/382' into development 2018-03-23 11:14:17 +00:00
Gilles Peskine 15ad579895 Merge tag 'mbedtls-2.8.0' into iotssl-1381-x509-verify-refactor-restricted
Conflict resolution:

* ChangeLog
* tests/data_files/Makefile: concurrent additions, order irrelevant
* tests/data_files/test-ca.opensslconf: concurrent additions, order irrelevant
* tests/scripts/all.sh: one comment change conflicted with a code
  addition. In addition some of the additions in the
  iotssl-1381-x509-verify-refactor-restricted branch need support for
  keep-going mode, this will be added in a subsequent commit.
2018-03-23 02:16:22 +01:00
Jethro Beekman d2df936e67 Fix parsing of PKCS#8 encoded Elliptic Curve keys.
The relevant ASN.1 definitions for a PKCS#8 encoded Elliptic Curve key are:

PrivateKeyInfo ::= SEQUENCE {
  version                   Version,
  privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
  privateKey                PrivateKey,
  attributes           [0]  IMPLICIT Attributes OPTIONAL
}

AlgorithmIdentifier  ::=  SEQUENCE  {
  algorithm   OBJECT IDENTIFIER,
  parameters  ANY DEFINED BY algorithm OPTIONAL
}

ECParameters ::= CHOICE {
  namedCurve         OBJECT IDENTIFIER
  -- implicitCurve   NULL
  -- specifiedCurve  SpecifiedECDomain
}

ECPrivateKey ::= SEQUENCE {
  version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
  privateKey     OCTET STRING,
  parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
  publicKey  [1] BIT STRING OPTIONAL
}

Because of the two optional fields, there are 4 possible variants that need to
be parsed: no optional fields, only parameters, only public key, and both
optional fields. Previously mbedTLS was unable to parse keys with "only
parameters". Also, only "only public key" was tested. There was a test for "no
optional fields", but it was labelled incorrectly as SEC.1 and not run because
of a great renaming mixup.
2018-03-22 18:01:18 -07:00
Gilles Peskine a7b34c7810 Merge remote-tracking branch 'upstream-public/pr/1406' into development-proposed 2018-03-22 21:52:48 +01:00
Gilles Peskine f15a8beacf Merge remote-tracking branch 'upstream-public/pr/1256' into development-proposed 2018-03-22 21:51:53 +01:00
Gilles Peskine 0818540ff7 Merge branch 'pr_726' into development-proposed 2018-03-22 21:50:48 +01:00
Gilles Peskine 5bdb671404 Merge branch 'pr_403' into development-proposed 2018-03-22 21:34:15 +01:00
mohammad1603 b878805919 Verify that f_send and f_recv send and receive the expected length
Verify that f_send and f_recv send and receive the expected length
2018-03-22 02:58:23 -07:00
Gilles Peskine 4e4be7cf62 Optimize unnecessary zeorizing in mbedtls_mpi_copy
Based on a contribution by Alexey Skalozub
(https://github.com/ARMmbed/mbedtls/pull/405).
2018-03-21 16:29:03 +01:00
Gergely Budai 13f7fb372e Do not define and initialize global mutexes on configurations that do not use them. 2018-03-21 15:01:55 +00:00
Azim Khan 27e8a120b2 Assign NULL after freeing psk and psk_identity 2018-03-21 14:24:11 +00:00
junyeonLEE 316b162ac3 Separate psk and psk_identity buffers free
Sometimes, psk_identity buffer can't released because psk buffer is NULL.
So, separate it.
2018-03-21 14:15:28 +00:00
Mitsuhiro Nakamura 5ff2ee51e9 Fix dylib linking 2018-03-21 11:10:59 +00:00
Krzysztof Stachowiak bc231cc9b0 Add a missing buffer size check 2018-03-20 14:09:53 +01:00
Krzysztof Stachowiak bc145f7978 Correct buffer size check
Further in the code the next field from the binary buffer is read. The
check contained an off by one error.
2018-03-20 11:19:50 +01:00
Gilles Peskine ea7dbbe0de Replace MBEDTLS_EINTR by IS_EINTR
check-names.sh reserves the prefix MBEDTLS_ for macros defined in
config.h so this name (or check-names.sh) had to change.

This is also more flexible because it allows for platforms that don't have
an EINTR equivalent or have multiple such values.
2018-03-19 17:10:31 +01:00
Hanno Becker c9f4d6d448 Correct error.c 2018-03-19 09:23:13 +00:00
Jaeden Amero 8be0e6db41 Update version to 2.8.0 2018-03-16 16:25:12 +00:00
Hanno Becker ef52796537 Fix missing return statement ssl_server2 idling
Also, introduce MBEDTLS_EINTR locally in net_sockets.c
for the platform-dependent return code macro used by
the `select` call to indicate that the poll was interrupted
by a signal handler: On Unix, the corresponding macro is EINTR,
while on Windows, it's WSAEINTR.
2018-03-15 15:52:31 +00:00
Hanno Becker 80e06d77d9 Use WSAEINTR instead of EINTR on Windows 2018-03-15 14:41:55 +00:00
Hanno Becker 9ac640326b Don't exit mbedtls_net_poll on interruption of select
If the select UNIX system call is interrupted by a signal handler,
it is not automatically restarted but returns EINTR. This commit
modifies the use of select in mbedtls_net_poll from net_sockets.c
to retry the select call in this case.
2018-03-15 12:19:31 +00:00
Jaeden Amero 79a5e72719 Merge remote-tracking branch 'upstream-restricted/pr/463' into development-restricted-proposed 2018-03-15 08:25:05 +00:00
Jaeden Amero 24b2d6fb6d Merge remote-tracking branch 'upstream-restricted/pr/459' into development-restricted-proposed 2018-03-15 08:24:44 +00:00
Jaeden Amero ce183d994c Merge remote-tracking branch 'upstream-public/pr/1448' into development-proposed 2018-03-15 08:23:53 +00:00
Jaeden Amero d1fedc55d7 Merge remote-tracking branch 'upstream-public/pr/1440' into development-proposed 2018-03-15 08:23:35 +00:00
Jaeden Amero 95ad522ecc Merge remote-tracking branch 'upstream-public/pr/1439' into development-proposed 2018-03-15 08:23:10 +00:00
Manuel Pégourié-Gonnard fd3e4fbae7 x509: CRL: reject unsupported critical extensions 2018-03-14 09:15:02 +01:00
Gilles Peskine 5f1932817c Merge remote-tracking branch 'upstream-restricted/pr/398' into development-restricted-proposed 2018-03-13 17:18:06 +01:00
Gilles Peskine 553a06f08a Merge remote-tracking branch 'upstream-restricted/pr/351' into development-restricted-proposed
Move the added ChangeLog entry to the bottom so that the list remains
in merge order.
2018-03-13 17:15:34 +01:00
Manuel Pégourié-Gonnard 1ba8a3fc55 Yet another dependency issue (PKCS1_V15)
Found by running:

CC=clang cmake -D CMAKE_BUILD_TYPE="Check"
tests/scripts/depend-pkalgs.pl

(Also tested with same command but CC=gcc)

Another PR will address improving all.sh and/or the depend-xxx.pl scripts
themselves to catch this kind of thing.
2018-03-13 13:42:38 +01:00
Krzysztof Stachowiak 5224a7544c Prevent arithmetic overflow on bounds check 2018-03-13 11:31:38 +01:00
Krzysztof Stachowiak 740b218386 Add bounds check before length read 2018-03-13 11:31:14 +01:00
Krzysztof Stachowiak 027f84c69f Prevent arithmetic overflow on bounds check 2018-03-13 11:29:24 +01:00
Krzysztof Stachowiak a1098f81c2 Add bounds check before signature length read 2018-03-13 11:28:49 +01:00
Gilles Peskine f3ada4adb0 Merge branch 'pr_679' into development-proposed 2018-03-13 00:13:29 +01:00
Gilles Peskine d5f7d24e84 Merge branch 'pr_1064' into development-proposed 2018-03-13 00:08:05 +01:00
Gilles Peskine a31d8206b1 Merge remote-tracking branch 'upstream-public/pr/778' into development-proposed 2018-03-12 23:45:08 +01:00
Gilles Peskine 19c3862d0c Merge remote-tracking branch 'upstream-public/pr/1079' into development-proposed 2018-03-11 00:45:10 +01:00
Gilles Peskine b4c571e603 Merge remote-tracking branch 'upstream-public/pr/1296' into HEAD 2018-03-11 00:44:14 +01:00
Manuel Pégourié-Gonnard e57d7438b0 Improve documentation of some internal functions 2018-03-07 10:00:57 +01:00
Sanne Wouda 7b2e85dd7c Use both applicable error codes and a proper coding style 2018-03-06 23:28:46 +01:00
Sanne Wouda b2b29d5259 Add end-of-buffer check to prevent heap-buffer-overflow
Dereference of *p should not happen when it points past the end of the
buffer.

Internal reference: IOTSSL-1663
2018-03-06 23:28:46 +01:00
Hanno Becker a3389ebb09 Merge branch 'development-restricted' into iotssl-1306-rsa-is-vulnerable-to-bellcore-glitch-attack 2018-03-06 11:55:21 +00:00
Manuel Pégourié-Gonnard 05c00ed8b2 Fix some more MSVC size_t -> int warnings 2018-03-06 11:48:50 +01:00
Manuel Pégourié-Gonnard f5bb78183a Fix MSVC warnings
library\x509_crt.c(2137): warning C4267: 'function' : conversion from 'size_t' to 'int', possible loss of data
library\x509_crt.c(2265): warning C4267: 'function' : conversion from 'size_t' to 'int', possible loss of data
2018-03-05 12:48:53 +01:00
Manuel Pégourié-Gonnard 05e464dff7 Merge branch 'development' into iotssl-1381-x509-verify-refactor-restricted
* development: (557 commits)
  Add attribution for #1351 report
  Adapt version_features.c
  Note incompatibility of truncated HMAC extension in ChangeLog
  Add LinkLibraryDependencies to VS2010 app template
  Add ChangeLog entry for PR #1382
  MD: Make deprecated functions not inline
  Add ChangeLog entry for PR #1384
  Have Visual Studio handle linking to mbedTLS.lib internally
  Mention in ChangeLog that this fixes #1351
  Add issue number to ChangeLog
  Note in the changelog that this fixes an interoperability issue.
  Style fix in ChangeLog
  Add ChangeLog entries for PR #1168 and #1362
  Add ChangeLog entry for PR #1165
  ctr_drbg: Typo fix in the file description comment.
  dhm: Fix typo in RFC 5114 constants
  tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
  data_files/pkcs8-v2: add keys generated with PRF != SHA1
  tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
  tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
  ...
2018-03-05 11:55:38 +01:00
Gilles Peskine df761d5a6b Fix build with gcc -O -Wall
Fix warnings from gcc -O -Wall about `ret` used uninitialized in
CMAC selftest auxiliary functions. The variable was indeed
uninitialized if the function was called with num_tests=0 (which
never happens).
2018-03-01 22:18:14 +01:00
Manuel Pégourié-Gonnard 366e1b0464 aria: fix comment on aria_a function
The new version of the comment has been generated by the following python3
script, when the first constant is copy-pasted from RFC 5794 2.4.3.

 #!/usr/bin/python3

RFC_A = """
      y0  = x3 ^ x4 ^ x6 ^ x8  ^ x9  ^ x13 ^ x14,
      y1  = x2 ^ x5 ^ x7 ^ x8  ^ x9  ^ x12 ^ x15,
      y2  = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
      y3  = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
      y4  = x0 ^ x2 ^ x5 ^ x8  ^ x11 ^ x14 ^ x15,
      y5  = x1 ^ x3 ^ x4 ^ x9  ^ x10 ^ x14 ^ x15,
      y6  = x0 ^ x2 ^ x7 ^ x9  ^ x10 ^ x12 ^ x13,
      y7  = x1 ^ x3 ^ x6 ^ x8  ^ x11 ^ x12 ^ x13,
      y8  = x0 ^ x1 ^ x4 ^ x7  ^ x10 ^ x13 ^ x15,
      y9  = x0 ^ x1 ^ x5 ^ x6  ^ x11 ^ x12 ^ x14,
      y10 = x2 ^ x3 ^ x5 ^ x6  ^ x8  ^ x13 ^ x15,
      y11 = x2 ^ x3 ^ x4 ^ x7  ^ x9  ^ x12 ^ x14,
      y12 = x1 ^ x2 ^ x6 ^ x7  ^ x9  ^ x11 ^ x12,
      y13 = x0 ^ x3 ^ x6 ^ x7  ^ x8  ^ x10 ^ x13,
      y14 = x0 ^ x3 ^ x4 ^ x5  ^ x9  ^ x11 ^ x14,
      y15 = x1 ^ x2 ^ x4 ^ x5  ^ x8  ^ x10 ^ x15.
"""

matrix = []
for l in RFC_A.split('\n')[1:-1]:
    rhs = l.split('=')[1][:-1]
    row = tuple(hex(int(t[2:]))[2:] for t in rhs.split('^'))
    matrix.append(row)

out = {}
out['a'] = tuple(''.join(w) for w in zip(*(matrix[0:4])))
out['b'] = tuple(''.join(w) for w in zip(*(matrix[4:8])))
out['c'] = tuple(''.join(w) for w in zip(*(matrix[8:12])))
out['d'] = tuple(''.join(w) for w in zip(*(matrix[12:])))

out2 = {}
for o, r in out.items():
    row = list(r)
    for i in range(len(r) - 1):
        w1 = row[i]
        if len(set(w1)) == 2:
            w2 = row[i+1]
            nw1 = nw2 = ''
            for j in range(len(w1)):
                if w1[j] in nw1:
                    nw1 += w2[j]
                    nw2 += w1[j]
                else:
                    nw1 += w1[j]
                    nw2 += w2[j]
            row[i] = nw1
            row[i+1] = nw2

    out2[o] = row

for o in 'abcd':
    print(o,   '=', ' + '.join(out[o]))
    print(' ', '=', ' + '.join(out2[o]))
2018-03-01 14:48:10 +01:00
Manuel Pégourié-Gonnard 21662148f7 aria: improve compiler compat by using __asm
gcc --std=c99 doesn't like the shorter "asm" (this broke all.sh)
2018-03-01 11:28:51 +01:00
Manuel Pégourié-Gonnard 2078725feb aria: check arm arch version for asm
rev and rev16 are only supported from v6 (all profiles) and up.

arm-none-eabi-gcc picks a lower architecture version by default, which means
before this commit it would fail to build (assembler error) unless you
manually specified -march=armv6-m -mthumb or similar, which broke all.sh.

Source for version-checking macros:
- GCC/Clang: use the -E -dM - </dev/null trick
- armcc5: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0472k/chr1359125007083.html
- armclang 6: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0774g/chr1383660321827.html

Tested with the following script:

 #!/bin/sh

set -eu

ARMCLANG="env ARM_TOOL_VARIANT=ult $ARMC6_BIN_DIR/armclang"

build() {
    echo "$@"
    "$@" -Iinclude -c library/aria.c

}

build arm-none-eabi-gcc
build arm-none-eabi-gcc -march=armv5

build clang --target=arm-none-eabi
build clang --target=arm-none-eabi -march=armv5

build armcc
build armcc --gnu
build armcc --cpu=5T
build armcc --cpu=5T --gnu

build $ARMCLANG --target=arm-arm-none-eabi

check_asm() {
    rm -f aria.o
    build "$@"
    arm-none-eabi-objdump -d aria.o | grep rev16
}

check_asm arm-none-eabi-gcc -march=armv6-m -mthumb
check_asm arm-none-eabi-gcc -march=armv7-m -mthumb
check_asm arm-none-eabi-gcc -march=armv8-m.base -mthumb

check_asm arm-none-eabi-gcc -march=armv7-a -mthumb
check_asm arm-none-eabi-gcc -march=armv8-a -mthumb
check_asm arm-none-eabi-gcc -march=armv7-a -marm
check_asm arm-none-eabi-gcc -march=armv8-a -marm

check_asm clang --target=arm-none-eabi -march=armv6-m
check_asm clang --target=arm-none-eabi -march=armv7-a
check_asm clang --target=arm-none-eabi -march=armv7-m
check_asm clang --target=arm-none-eabi -march=armv7-r
check_asm clang --target=arm-none-eabi -march=armv8-a

check_asm armcc -O0 --cpu=6-M
check_asm armcc -O0 --cpu=7-M
check_asm armcc -O0 --cpu=6
check_asm armcc -O0 --cpu=7-A

check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv6-m
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-a
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-m
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-r
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv8-a
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv8-m.base
2018-03-01 11:28:51 +01:00
Manuel Pégourié-Gonnard 7fc08795c1 aria: more whitespace fixes 2018-03-01 09:33:20 +01:00
Manuel Pégourié-Gonnard 5ad88b6d0d aria: define constants for block size and max rounds 2018-03-01 09:25:31 +01:00
Manuel Pégourié-Gonnard 3c80009615 aria: add error codes for hw implementations 2018-03-01 09:25:05 +01:00
Manuel Pégourié-Gonnard f3a46a9b4f aria: fix some typos in comments 2018-03-01 09:25:05 +01:00
Manuel Pégourié-Gonnard c0bb66f47e aria: improve compiler inline compatibility 2018-03-01 09:25:05 +01:00
mohammad1603 5bd15cbfa0 Avoid wraparound for ssl->in_left
Add check to avoid wraparound for ssl->in_left
2018-02-28 04:30:59 -08:00
Manuel Pégourié-Gonnard 4231e7f46f Fix some whitespace and other style issues
In addition to whitespace:
- wrapped a few long lines
- added parenthesis to return statements
2018-02-28 11:34:01 +01:00
Manuel Pégourié-Gonnard 377b2b624d aria: optimize byte perms on Arm
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.

ARIA_P3 and ARIA_P1 are now 1 single-cycle instruction each (those
instructions are available in all architecture versions starting from v6-M).
Note: ARIA_P3 was already translated to a single instruction by Clang 3.8 and
armclang 6.5, but not arm-gcc 5.4 nor armcc 5.06.

ARIA_P2 is already efficiently translated to the minimal number of
instruction (1 in ARM mode, 2 in thumb mode) by all tested compilers

Manually compiled and inspected generated code with the following compilers:
arm-gcc 5.4, clang 3.8, armcc 5.06 (with and without --gnu), armclang 6.5.

Size reduction (arm-none-eabi-gcc -march=armv6-m -mthumb -Os): 5288 -> 5044 B

Effect on executing time of self-tests on a few boards:
FRDM-K64F   (Cortex-M4):    444 ->  385 us (-13%)
LPC1768     (Cortex-M3):    488 ->  432 us (-11%)
FRDM-KL64Z  (Cortex-M0):   1429 -> 1134 us (-20%)

Measured using a config.h with no cipher mode and the following program with
aria.c and aria.h copy-pasted to the online compiler:

 #include "mbed.h"
 #include "aria.h"

int main() {
    Timer t;
    t.start();
    int ret = mbedtls_aria_self_test(0);
    t.stop();
    printf("ret = %d; time = %d us\n", ret, t.read_us());
}
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard fb0e4f0d1a aria: optimise byte perms on Intel
(A similar commit for Arm follows.)

Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.

ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)

I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)

Before:
O	aria.o	ins
s	7976	43,865
2	10520	37,631
3	13040	28,146

After:
O	aria.o	ins
s	7768	33,497
2	9816	28,268
3	11432	20,829

For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard cac5008b17 aria: define P3 macro
This will allow to replace it with an optimised implementation later
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard f205a012b8 aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:

 #!/usr/bin/python3

class Atom:
    def __init__(self, val):
        self.v = val

    def __str__(self):
        return self.v

    def p1(self):
        v = self.v
        return Atom(v[1] + v[0] + v[3] + v[2])

    def p2(self):
        v = self.v
        return Atom(v[2] + v[3] + v[0] + v[1])

    def __xor__(self, other):
        return Sum(self.tuple() + other.tuple())

    def tuple(self):
        return (self,)

class Sum:
    def __init__(self, terms):
        self.t = terms
        assert(type(terms) == tuple)
        for t in terms:
            assert(type(t) == Atom)

    def __str__(self):
        return '+'.join(sorted((str(t) for t in self.t),
                        key=lambda v: int(v, 16)))

    def p1(self):
        return Sum(tuple(t.p1() for t in self.t))

    def p2(self):
        return Sum(tuple(t.p2() for t in self.t))

    def tuple(self):
        return self.t

    def __xor__(self, other):
        return Sum(self.t + other.tuple())

class LoggingDict(dict):
    def __setitem__(self, key, val):
        print(key, '=', val)
        dict.__setitem__(self, key, val)

    def set(self, key, val):
        dict.__setitem__(self, key, val)

env = LoggingDict()

env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())

code = """
ta  =   rb;
rb  =   ra;
ra  =   ARIA_P2( ta );
tb  =   ARIA_P2( rd );
rd  =   ARIA_P1( rc );
rc  =   ARIA_P1( tb );
ta  ^=  rd;
tc  =   ARIA_P2( rb );
ta  =   ARIA_P1( ta ) ^ tc ^ rc;
tb  ^=  ARIA_P2( rd );
tc  ^=  ARIA_P1( ra );
rb  ^=  ta ^ tb;
tb  =   ARIA_P2( tb ) ^ ta;
ra  ^=  ARIA_P1( tb );
ta  =   ARIA_P2( ta );
rd  ^=  ARIA_P1( ta ) ^ tc;
tc  =   ARIA_P2( tc );
rc  ^=  ARIA_P1( tc ) ^ ta;
"""

exec(code, env)
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 35ad891aee aria: internal names closer to standard document 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 64744f88b6 aria: define SLA() as sl(a())
This decreases the size with -Os by nearly 1k while
not hurting performance too much with -O2 and -O3

Before:
O	aria.o	ins
s	8784	41,408
2	11112	37,001
3	13096	27,438

After:
O	aria.o	ins
s	7976	43,865
2	10520	37,631
3	13040	28,146

(See previous commit for measurement details.)
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 8c76a9489e aria: turn macro into static inline function
Besides documenting types better and so on, this give the compiler more room
to optimise either for size or performance.

Here are some before/after measurements of:
- size of aria.o in bytes (less is better)
- instruction count for the selftest function (less is better)
with various -O flags.

Before:
O	aria.o	ins
s	10896	37,256
2	11176	37,199
3	12248	27,752

After:
O	aria.o	ins
s	8784	41,408
2	11112	37,001
3	13096	27,438

The new version allows the compiler to reach smaller size with -Os while
maintaining (actually slightly improving) performance with -O2 and -O3.

Measurements were done on x86_64 (but since this is mainly about inlining
code, this should transpose well to other platforms) using the following
helper program and script, after disabling CBC, CFB and CTR in config.h, in
order to focus on the core functions.

==> st.c <==
 #include "mbedtls/aria.h"

int main( void ) {
    return mbedtls_aria_self_test( 0 );
}

==> p.sh <==
 #!/bin/sh

set -eu

ccount () {
    (
    valgrind --tool=callgrind --dump-line=no --callgrind-out-file=/dev/null --collect-atstart=no --toggle-collect=main $1
    ) 2>&1 | sed -n -e 's/.*refs: *\([0-9,]*\)/\1/p'
}

printf "O\taria.o\tins\n"
for O in s 2 3; do
    GCC="gcc -Wall -Wextra -Werror -Iinclude"

    $GCC -O$O -c library/aria.c
    $GCC -O1 st.c aria.o -o st
   ./st

    SIZE=$( du -b aria.o | cut -f1 )
    INS=$( ccount ./st )

    printf "$O\t$SIZE\t$INS\n"
done
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard a41ecdabed aria: closer to usual comment style
We're not absolutely consistent in the rest of the library, but we tend to use
C99-style comments less often.

Change to use C89-style comments everywhere except for end-of-line comments
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 56453937a1 aria: use mbedtls_zeroize() 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard c76ceb677b aria: move conditional outside of loop 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 9cc89248fe aria: use unsigned type for bit count 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard e1ad7491c5 aria: clean up interface of internal macros 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard a6d639e553 aria: improve some comments & internal names 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard af37f0f68f Add remaining ARIA suites to priority list
Those suites were defined in ciphersuite_definitions[] but not included in
ciphersuite_preference[] which meant they couldn't be negotiated unless
explicitly added by the user. Add them so that they're usable by default like
any other suite.
2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen c06e1014e1 ARIA ciphersuites for TLS 1.2 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen 07478d6f30 something to do with whitespaces 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen 0fb47fe71f MBEDTLS_ARIA_ALT added as a feature 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen 6ba68d4a3b ARIA init and free 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen 3c0b53b2b0 ARIA build integration 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen 259fa60f6c ARIA test vectors for CBC CFB CTR modes 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen 41efbaabc9 ARIA cipher implementation 2018-02-27 12:39:12 +01:00
ILUXONCHIK 060fe37496 fix typo in pem.c 2018-02-25 20:59:09 +00:00
Gilles Peskine b7f6086ba3 Merge branch 'prr_424' into development-proposed 2018-02-22 16:15:01 +01:00
Hanno Becker e80cd463ef Adapt version_features.c 2018-02-22 15:02:47 +00:00
mohammad1603 4bbaeb4ffa Add guard to out_left to avoid negative values
return error when f_send return a value greater than out_left
2018-02-22 05:04:48 -08:00
Jaeden Amero 041039f81e MD: Make deprecated functions not inline
In 2.7.0, we replaced a number of MD functions with deprecated inline
versions. This causes ABI compatibility issues, as the functions are no
longer guaranteed to be callable when built into a shared library.
Instead, deprecate the functions without also inlining them, to help
maintain ABI backwards compatibility.
2018-02-22 10:24:30 +00:00
Gilles Peskine 8db3efbc76 Add missing MBEDTLS_DEPRECATED_REMOVED guards
Add missing MBEDTLS_DEPRECATED_REMOVED guards around the definitions
of mbedtls_aes_decrypt and mbedtls_aes_encrypt.
This fixes the build under -Wmissing-prototypes -Werror.

Fixes #1388
2018-02-21 19:16:20 +01:00
Gilles Peskine d76d8bc9a5 Merge branch 'pr_1352' into development-proposed 2018-02-20 16:42:08 +01:00
Gilles Peskine e6844ccf2b Merge branch 'pr_1135' into development-proposed 2018-02-14 17:20:42 +01:00
Gilles Peskine 42a97ac693 Merge branch 'pr_1219' into development-proposed 2018-02-14 16:17:21 +01:00
Paul Sokolovsky 8d6d8c84b1 ctr_drbg: Typo fix in the file description comment.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-10 11:11:41 +02:00
Antonio Quartulli 12ccef2761
pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:15 +08:00
Ron Eldor 9566ff7913 Fix minor issues raised in PR review
1. Style issues fixes - remove redundant spacing.
2. Remove depency of `MBEDTLS_RSA_C` in `pk_parse_public_keyfile_rsa()`
tests, as the function itself is dependent on it.
2018-02-07 18:59:41 +02:00
Ron Eldor 85e1dcff6a Fix handshake failure in suite B
Fix handshake failure where PK key is translated as `MBEDTLS_ECKEY`
instead of `MBEDTLS_ECDSA`
2018-02-06 15:59:38 +02:00
Jaeden Amero 3b438d33c1 Update version to 2.7.0 2018-02-02 18:09:45 +00:00
Jaeden Amero 9564e97460 Merge branch 'development' into development-restricted 2018-01-30 17:04:47 +00:00
Rose Zadik 2f8163d3cd Improve CTR-DRBG documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Add full standard name in file description.

GitHub PR: #1316
2018-01-30 16:22:05 +00:00
Rose Zadik 042e97fa75 Improve RSA documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Rephrase the descriptions of all md_alg and hashlen parameters.

GitHub PR: #1327
2018-01-30 16:22:05 +00:00
Rose Zadik 41ad082484 Improve DHM documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Standardize defines documentation

GitHub PR: #1323
2018-01-30 16:22:05 +00:00
Rose Zadik 9ba6b621de Improve cipher documentation
- Rephrase function/parameter/enum/define/error descriptions into full and
  clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.

GitHub PR: #1306
2018-01-30 16:22:04 +00:00
Rose Zadik eecdbea30f Improve CCM documentation
- Rephrase function/parameter/enum/define/error descriptions into full and
  clear sentences.
- Make sure to adhering to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Fix iv_len values per the standard.

GitHub PR: #1305
2018-01-30 16:22:04 +00:00
Rose Zadik 7f44127c71 Improve AES documentation
- Separate "\file" blocks from copyright, so that Doxygen doesn't repeat
  the copyright information in all the Detailed Descriptions.
- Improve phrasing and clarity of functions, parameters, defines and enums.

GitHub PR: #1292
2018-01-30 16:22:04 +00:00
Jaeden Amero 26342e54f5 Merge branch 'development' into development-restricted 2018-01-29 12:49:52 +00:00
Jaeden Amero 3b8fbaab87 Merge remote-tracking branch 'upstream-public/pr/1328' into development 2018-01-29 12:49:46 +00:00
Manuel Pégourié-Gonnard 5405962954 Fix alarm(0) failure on mingw32
A new test for mbedtls_timing_alarm(0) was introduced in PR 1136, which also
fixed it on Unix. Apparently test results on MinGW were not checked at that
point, so we missed that this new test was also failing on this platform.
2018-01-29 10:24:50 +01:00
Jaeden Amero 2acbf17b97 Merge branch 'development' into development-restricted 2018-01-26 20:57:38 +00:00
Jaeden Amero 751aa510c0 Merge remote-tracking branch 'upstream-public/pr/1303' into development 2018-01-26 20:48:55 +00:00
Jaeden Amero 784de59ccd Merge remote-tracking branch 'upstream-restricted/pr/410' into development-restricted
- Resolve ChangeLog conflicts
- Update Doxygen warning block in dhm.h to render correctly
- Prefix the exported identifier deprecated_constant_t with mbedtls_
2018-01-26 18:43:04 +00:00
Gilles Peskine 7ecab3df4c Error codes for hardware accelerator failures
Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
modules where the software implementation can be replaced by a hardware
implementation.

This does not include the individual message digest modules since they
currently have no way to return error codes.

This does include the higher-level md, cipher and pk modules since
alternative implementations and even algorithms can be plugged in at
runtime.
2018-01-26 17:56:38 +01:00
Jaeden Amero a03587b848 Merge branch 'development' into development-restricted 2018-01-26 12:48:04 +00:00
Dvir Markovich 1b36499062 Improve CTR_DRBG error handling and cleanup
Check AES return values and return error when needed. Propagate the
underlying AES return code.

Perform more memory cleanup.
2018-01-26 11:40:31 +00:00
Jaeden Amero 66954e1c1f Merge branch 'development' into development-restricted 2018-01-25 17:28:31 +00:00
Jaeden Amero 005239e3ed Merge remote-tracking branch 'upstream-public/pr/1294' into development 2018-01-25 14:47:39 +00:00
Jaeden Amero 65ba60a975 Merge branch 'development' into development-restricted 2018-01-25 10:09:03 +00:00
Jaeden Amero cef0c5a2c8 Merge remote-tracking branch 'upstream-public/pr/1304' into development 2018-01-25 10:07:39 +00:00
Jaeden Amero 3c082ce293 Merge branch 'development' into development-restricted 2018-01-24 15:17:15 +00:00
Jaeden Amero fbeed6e2a5 Merge remote-tracking branch 'upstream-public/pr/1236' into development 2018-01-24 10:43:39 +00:00
Hanno Becker 616d1ca605 Add support for alternative ECJPAKE implementation
This commit allows users to provide alternative implementations of the
ECJPAKE interface through the configuration option MBEDTLS_ECJPAKE_ALT.
When set, the user must add `ecjpake_alt.h` declaring the same
interface as `ecjpake.h`, as well as add some compilation unit which
implements the functionality. This is in line with the preexisting
support for alternative implementations of other modules.
2018-01-24 10:36:22 +00:00
Andres Amaya Garcia e9124b943d Ensure that mbedtls_pk_parse_key() does not allocate 0 bytes 2018-01-23 20:03:52 +00:00
Andres Amaya Garcia c9d6226d2c Change formatting of allocation check in x509_crl 2018-01-23 19:37:44 +00:00
Andres Amaya Garcia cb5123fa86 Ensure memcpy is not called with NULL and 0 args in x509 module 2018-01-23 19:37:44 +00:00
Andres Amaya Garcia f1ee63562a Style fixes in pem, x509_crl and buf_alloc 2018-01-23 19:37:44 +00:00
Andres AG 9cf1f96a7b Fix corner case uses of memory_buffer_alloc.c
The corner cases fixed include:
    * Allocating a buffer of size 0. With this change, the allocator now
      returns a NULL pointer in this case. Note that changes in pem.c and
      x509_crl.c were required to fix tests that did not work under this
      assumption.
    * Initialising the allocator with less memory than required for headers.
    * Fix header chain checks for uninitialised allocator.
2018-01-23 19:37:44 +00:00
Gilles Peskine 342d928e8d Fix proprocessor directives for MBEDTLS_RIPEMD160_ALT 2018-01-23 18:21:21 +01:00
Gilles Peskine a381fe84ce Add HW_FAILED error codes for message digest modules
New error codes to report failures from alternative implementations of
MD2, MD4, MD5, RIPEMD160, SHA-1, SHA-256, SHA-512.
2018-01-23 18:16:11 +01:00
Gilles Peskine 41b40e6463 Merge remote-tracking branch 'upstream-restricted/pr/441' into development-restricted 2018-01-23 00:59:51 +01:00
Gilles Peskine aaaa98cd60 Merge branch 'development-proposed' into development-restricted 2018-01-23 00:59:17 +01:00
Gilles Peskine ff812804fb Merge branch 'pr_1239' into development-proposed 2018-01-23 00:58:13 +01:00
Gilles Peskine 50346e9f22 Merge remote-tracking branch 'upstream-public/pr/1150' into development-proposed 2018-01-23 00:56:48 +01:00
Ron Eldor 5e9f14d4d9 Set correct minimal versions in default conf
Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION`
instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
2018-01-22 22:06:44 +01:00
Gilles Peskine 9e4f77c606 New MD API: rename functions from _ext to _ret
The _ext suffix suggests "new arguments", but the new functions have
the same arguments. Use _ret instead, to convey that the difference is
that the new functions return a value.
2018-01-22 11:54:42 +01:00
Gilles Peskine d91f2a26cb Merge branch 'development' into iotssl-1251-2.7
Conflict resolution:

* ChangeLog: put the new entries in their rightful place.
* library/x509write_crt.c: the change in development was whitespace
  only, so use the one from the iotssl-1251 feature branch.
2018-01-19 11:25:10 +01:00
Gilles Peskine d40c22ba20 Merge branch 'development' into development-restricted 2018-01-17 08:03:33 +01:00
Hanno Becker 87ae197f3e Add explicit uint truncation casts
This commit adds some explicit downcasts from `size_t` to `uint8_t` in
the RSASSA signature encoding function `rsa_rsassa_pkcs1_v15_encode`.
The truncation is safe as it has been checked beforehand that the
respective values are in the range of a `uint8_t`.
2018-01-15 15:27:56 +00:00
Hanno Becker 71b0060af7 Merge branch 'development' into iotssl-247 2018-01-15 11:31:34 +00:00
Jaeden Amero 31f3f0b87b Merge branch 'development' into development-restricted 2018-01-10 13:17:02 +00:00
Hanno Becker d4d60579e4 Address issues found by coverity
1) `mbedtls_rsa_import_raw` used an uninitialized return
   value when it was called without any input parameters.
   While not sensible, this is allowed and should be a
   succeeding no-op.

2) The MPI test for prime generation missed a return value
   check for a call to `mbedtls_mpi_shift_r`. This is neither
   critical nor new but should be fixed.

3) Both the RSA keygeneration example program and the
   RSA test suites contained code initializing an RSA context
   after a potentially failing call to CTR DRBG initialization,
   leaving the corresponding RSA context free call in the
   cleanup section of the respective function orphaned.
   While this defect existed before, Coverity picked up on
   it again because of newly introduced MPI's that were
   also wrongly initialized only after the call to CTR DRBG
   init. The commit fixes both the old and the new issue
   by moving the initializtion of both the RSA context and
   all MPI's prior to the first potentially failing call.
2018-01-10 07:30:47 +00:00
nirekh01 d569ecfc2c Add some corrections based on code review
-Add the DHM_ALT in an alphabetical order
-Close correctly the 'extern "C" { ...'
2018-01-09 16:43:21 +00:00
Jaeden Amero f342cb791b Merge branch 'development' into development-restricted 2018-01-09 13:16:37 +00:00
Manuel Pégourié-Gonnard 239987fd31 Fix heap-buffer overread in ALPN ext parsing 2018-01-09 13:48:38 +01:00
Jaeden Amero 0bc9e30435 Merge remote-tracking branch 'upstream-public/pr/1060' into development 2018-01-09 12:20:54 +00:00
Jaeden Amero 7de0b8aae7 Merge remote-tracking branch 'upstream-public/pr/1046' into development 2018-01-09 11:31:55 +00:00
Jaeden Amero 35285cca67 Merge remote-tracking branch 'upstream-public/pr/1027' into development 2018-01-09 10:42:03 +00:00
Johannes H 4e5d23fad7 corrected a typo in a comment 2018-01-06 09:46:57 +01:00
Hanno Becker 3d8c90711b Compute outgoing MAC in temporary buffer for MAC-then-Encrypt
A previous commit changed the record encryption function
`ssl_encrypt_buf` to compute the MAC in a temporary buffer
and copying the relevant part of it (which is strictly smaller
if the truncated HMAC extension is used) to the outgoing message
buffer. However, the change was only made in case Encrypt-Then-MAC
was enabled, but not in case of MAC-Then-Encrypt. While this
doesn't constitute a problem, for the sake of uniformity this
commit changes `ssl_encrypt_buf` to compute the MAC in a temporary
buffer in this case, too.
2018-01-05 16:24:22 +00:00
Hanno Becker 3a760a1857 Add size check for RSA modulus to mbedtls_rsa_complete
The function `mbedtls_rsa_complete` is supposed to guarantee that
RSA operations will complete without failure. In contrast, it does
not ensure consistency of parameters, which is the task of the
checking functions `rsa_check_pubkey` and `rsa_check_privkey`.

Previously, the maximum allowed size of the RSA modulus was checked
in `mbedtls_rsa_check_pubkey`. However, exceeding this size would lead
to failure of some RSA operations, hence this check belongs to
`mbedtls_rsa_complete` rather than `mbedtls_rsa_check_pubkey`.
This commit moves it accordingly.
2018-01-05 08:14:49 +00:00
Hanno Becker 895c5ab88e Preserve old behavior by checking public key in RSA parsing function
The function `pk_get_rsapubkey` originally performed some basic
sanity checks (e.g. on the size of public exponent) on the parsed
RSA public key by a call to `mbedtls_rsa_check_pubkey`.
This check was dropped because it is not possible to thoroughly
check full parameter sanity (i.e. that (-)^E is a bijection on Z/NZ).

Still, for the sake of not silently changing existing behavior,
this commit puts back the call to `mbedtls_rsa_check_pubkey`.
2018-01-05 08:08:09 +00:00
Hanno Becker 88683b2c6d Correct all.sh and config.h after merge commit
- Adapt the change in all.sh to the new keep-going mode
- Restore alphabetical order of configuration flags for
  alternative implementations in config.h and rebuild
  library/version_features.c
2018-01-04 18:48:32 +00:00
Hanno Becker 8bc74d6f2f Merge branch 'development' into iotssl-1619 2018-01-03 10:24:02 +00:00
Hanno Becker 4952e7a8d6 Add explicit type cast to avoid truncation warning
`mbedtls_rsa_deduce_primes` implicitly casts the result of a call to
`mbedtls_mpi_lsb` to a `uint16_t`. This is safe because of the size
of MPI's used in the library, but still may have compilers complain
about it. This commit makes the cast explicit.
2018-01-03 09:27:40 +00:00
Gilles Peskine 07d1078cdc Merge branch 'development' into development-restricted 2018-01-02 17:45:08 +01:00
Gilles Peskine 17196cd3be Merge remote-tracking branch 'upstream-public/pr/964' into development 2018-01-02 16:24:29 +01:00
Gilles Peskine 197a6d454b Merge remote-tracking branch 'upstream-public/pr/1097' into development 2018-01-02 16:09:15 +01:00
Gilles Peskine 3fcc045c23 Merge remote-tracking branch 'upstream-public/pr/866' into development
Conflict resolution: additions in the same places as
upstream-public/pr/865, both adding into lexicographically sorted
lists, resolved by taking the additions in lexicographic order.
2018-01-02 15:55:55 +01:00
Gilles Peskine 7c483b6765 Merge remote-tracking branch 'upstream-public/pr/865' into development 2018-01-02 15:35:18 +01:00
nirekh01 08ba530bff Remove some extra lines
Remove some extra lines as was requested in code review
2017-12-28 16:21:38 +00:00
Manuel Pégourié-Gonnard eb2a6ab518 Merge branch 'development' into development-restricted
* development:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:50 +01:00
Manuel Pégourié-Gonnard ae3925c774 Merge remote-tracking branch 'public/pr/1136' into development
* public/pr/1136:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:20 +01:00
nirekh01 49762fa21f Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h
Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h to support alternate DHM
2017-12-25 06:46:48 +00:00
Reuven Levin 1f35ca9471 Added alternated Diffie-Hellman module.
1. Add modified files dhm.c and dhm.h
2017-12-25 06:42:59 +00:00
Micha Kraus ba8316f790 fix bug in get_one_and_zeros_padding()
add test case (“0000000082”) which fails with the old implementation.
2017-12-23 23:40:08 +01:00
Hanno Becker 32297e8314 Merge branch 'development' into iotssl-1619 2017-12-22 10:24:32 +00:00
Ron Eldor 621080d7c6 Fix compilation issue weh self test defined
1. Surround the generate keys with
`#if ! defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)`
to resolve build issue when `MBEDTLS_SELF_TEST` is defined for
alternative CMAC as well
2. Update ChangeLog
2017-12-21 10:57:43 +02:00
Gilles Peskine ada3ee8b9d Timing self test: shorten redundant tests
We don't need to test multiple delays in a self-test.
Save 5s of busy-wait.
2017-12-20 22:31:17 +01:00
Gilles Peskine 8873bcc4de Timing self test: increased duration
Increase the duration of the self test, otherwise it tends to fail on
a busy machine even with the recently upped tolerance. But run the
loop only once, it's enough for a simple smoke test.
2017-12-20 21:57:48 +01:00
Gilles Peskine 0f59b130a9 Timing self test: increased tolerance
mbedtls_timing_self_test fails annoyingly often when running on a busy
machine such as can be expected of a continous integration system.
Increase the tolerances in the delay test, to reduce the chance of
failures that are only due to missing a deadline on a busy machine.
2017-12-20 21:57:48 +01:00
Gilles Peskine 0827d5c07d Timing self test: print some diagnosis information
Print some not-very-nice-looking but helpful diagnosis information if
the timing selftest fails. Since the failures tend to be due to heavy
system load that's hard to reproduce, this information is necessary to
understand what's going on.
2017-12-20 19:22:30 +01:00
Gilles Peskine d92f0aa3be mbedtls_timing_get_timer: don't use uninitialized memory
mbedtls_timing_get_timer with reset=1 is called both to initialize a
timer object and to reset an already-initialized object. In an
initial call, the content of the data structure is indeterminate, so
the code should not read from it. This could crash if signed overflows
trap, for example.

As a consequence, on reset, we can't return the previously elapsed
time as was previously done on Windows. Return 0 as was done on Unix.
2017-12-20 18:53:52 +01:00
Gilles Peskine a0af95f052 Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
The POSIX/Unix implementation of mbedtls_set_alarm did not set the
mbedtls_timing_alarmed flag when called with 0, which was inconsistent
with what the documentation implied and with the Windows behavior.
2017-12-20 18:50:03 +01:00
Manuel Pégourié-Gonnard a268da9478 Fix undefined function in platform.c
The bug was introduced in 79a2e7ef06 and is not present in the default
configuration, which let it go unnoticed so far.
2017-12-20 12:52:49 +01:00
Gilles Peskine 82d607eb9e Merge remote-tracking branch 'upstream-restricted/pr/433' into development-restricted 2017-12-19 19:20:27 +01:00
Manuel Pégourié-Gonnard 4813f15ce5 Merge branch 'development' into development-restricted
* development:
  Address PR review comments
  Fix crash when calling `mbedtls_ssl_cache_free` twice
2017-12-19 11:39:35 +01:00
Manuel Pégourié-Gonnard 705c52f5ec Merge remote-tracking branch 'public/pr/1145' into development
* public/pr/1145:
  Address PR review comments
  Fix crash when calling `mbedtls_ssl_cache_free` twice
2017-12-19 11:37:36 +01:00
Manuel Pégourié-Gonnard d04c623ed6 Merge remote-tracking branch 'restricted/pr/403' into development-restricted
* restricted/pr/403:
  Correct record header size in case of TLS
  Don't allocate space for DTLS header if DTLS is disabled
  Improve debugging output
  Adapt ChangeLog
  Add run-time check for handshake message size in ssl_write_record
  Add run-time check for record content size in ssl_encrypt_buf
  Add compile-time checks for size of record content and payload
2017-12-19 11:31:20 +01:00
Manuel Pégourié-Gonnard 1827368b01 Merge branch 'development' into development-restricted
* development:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:28:36 +01:00
Manuel Pégourié-Gonnard 4712119687 Merge remote-tracking branch 'restricted/pr/397' into development
* restricted/pr/397:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:27:22 +01:00
Manuel Pégourié-Gonnard b053efb295 Fix magic constant in previous commit 2017-12-19 10:03:46 +01:00
Manuel Pégourié-Gonnard 464147cadc Fix SSLv3 MAC computation
In a previous PR (Fix heap corruption in implementation of truncated HMAC
extension #425) the place where MAC is computed was changed from the end of
the SSL I/O buffer to a local buffer (then (part of) the content of the local
buffer is either copied to the output buffer of compare to the input buffer).

Unfortunately, this change was made only for TLS 1.0 and later, leaving SSL
3.0 in an inconsistent state due to ssl_mac() still writing to the old,
hard-coded location, which, for MAC verification, resulted in later comparing
the end of the input buffer (containing the computed MAC) to the local buffer
(uninitialised), most likely resulting in MAC verification failure, hence no
interop (even with ourselves).

This commit completes the move to using a local buffer by using this strategy
for SSL 3.0 too. Fortunately ssl_mac() was static so it's not a problem to
change its signature.
2017-12-18 18:04:59 +01:00
Manuel Pégourié-Gonnard 6774fa6e87 Merge branch 'development' into development-restricted
* development:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:43:35 +01:00
Manuel Pégourié-Gonnard 535553e7d8 Merge remote-tracking branch 'public/pr/1184' into development
* public/pr/1184:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:42:30 +01:00
Hanno Becker 1434a365a6 Don't split error code description across multiple lines 2017-12-13 11:24:49 +00:00
Gilles Peskine 880c6e74a1 Merge branch 'development' into development-restricted 2017-12-04 18:00:26 +00:00
Gilles Peskine ff01e009e6 Merge branch 'pr_1043' into development 2017-12-01 23:42:17 +01:00
Gilles Peskine e3783da0b2 Merge remote-tracking branch 'upstream-public/pr/1172' into development 2017-12-01 22:36:21 +01:00
Gilles Peskine 02e28fe0fd Merge remote-tracking branch 'upstream-restricted/pr/425' into development-restricted 2017-12-01 17:58:12 +01:00
Gilles Peskine 832f349f93 Fix build without MBEDTLS_FS_IO
Fix missing definition of mbedtls_zeroize when MBEDTLS_FS_IO is
disabled in the configuration.

Introduced by e7707228b4
    Merge remote-tracking branch 'upstream-public/pr/1062' into development
2017-11-30 12:03:27 +01:00
Gilles Peskine 0960f0663e Merge branch 'development' into development-restricted 2017-11-29 21:07:55 +01:00
Gilles Peskine 0884f4811b Merge remote-tracking branch 'upstream-public/pr/1141' into development 2017-11-29 20:50:59 +01:00
Gilles Peskine 183de312f9 Merge remote-tracking branch 'upstream-public/pr/895' into development 2017-11-29 20:49:21 +01:00
Hanno Becker 1df4923eb1 Remove compile-time deprecation warning for TRUNCATED_HMAC_COMPAT 2017-11-29 16:55:56 +00:00
Gilles Peskine 7fb29b17c7 Merge branch 'development' into development-restricted 2017-11-28 18:46:09 +01:00
Gilles Peskine 4daffe236a Merge branch 'pr_1025' into development
Merge PR #1025 + ChangeLog entry
2017-11-28 18:23:53 +01:00
Gilles Peskine ea8d697fa2 Merge remote-tracking branch 'upstream-public/pr/1089' into development
Resolve trivial conflict due to additions in the same place in
tests/data_files/Makefile; minor comment/whitespace presentation
improvements.
2017-11-28 17:32:32 +01:00
Gilles Peskine f2421210a5 Merge remote-tracking branch 'upstream-public/pr/828' into development 2017-11-28 17:22:37 +01:00
Gilles Peskine 9c3573a962 Merge remote-tracking branch 'upstream-public/pr/988' into development 2017-11-28 17:08:03 +01:00
Gilles Peskine 41e974178f Merge remote-tracking branch 'upstream-restricted/pr/419' into development-restricted
Resolved simple conflicts caused by the independent addition of
calls to mbedtls_zeroize with sometimes whitespace or comment
differences.
2017-11-28 16:16:27 +01:00
Gilles Peskine 9c8ac0ce2c Merge remote-tracking branch 'upstream-restricted/pr/404' into development-restricted 2017-11-28 15:50:02 +01:00
Hanno Becker 6e5dd79a43 Fix compilation warning on MSVC
MSVC complains about the negation in `(uint32_t) -1u`. This commit fixes this by
using `(uint32_t) -1` instead.
2017-11-28 14:34:04 +00:00
Gilles Peskine 7ca6d1fdd4 Merge remote-tracking branch 'upstream-restricted/pr/399' into development-restricted 2017-11-28 14:17:53 +01:00
Gilles Peskine c753f5daf4 Merge remote-tracking branch 'upstream-restricted/pr/369' into development-restricted 2017-11-28 14:16:47 +01:00
Hanno Becker 63073aa3d3 Don't require P,Q in rsa_private in case of non-blinded non-CRT
For non-CRT, P and Q are only used for the purpose of blinding the exponent.
2017-11-27 15:33:18 +00:00
Gilles Peskine 2507267cd4 Merge branch 'development' into development-restricted 2017-11-24 16:05:49 +01:00
Gilles Peskine e7707228b4 Merge remote-tracking branch 'upstream-public/pr/1062' into development 2017-11-24 15:35:50 +01:00
Gilles Peskine 7635cde35c Merge branch 'development' into development-restricted 2017-11-23 20:06:04 +01:00
Gilles Peskine 68306ed31f Merge remote-tracking branch 'upstream-public/pr/1094' into development 2017-11-23 20:02:46 +01:00
Gilles Peskine 1a2640c025 Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge' into development-restricted 2017-11-23 18:58:30 +01:00
Manuel Pégourié-Gonnard bfa8df4c7e Merge remote-tracking branch 'restricted/pr/416' into development-restricted
* restricted/pr/416:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:10:01 +01:00
Hanno Becker 4c2ac7ef58 Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 2017-11-21 18:28:35 +00:00
Hanno Becker 563423fb21 Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option
Explain more clearly when this option should be used and which versions of Mbed
TLS build on the non-compliant implementation.
2017-11-21 17:20:17 +00:00
Hanno Becker e89353a6b4 Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated
yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to
temporarily fall back to the old, non-compliant implementation of the truncated
HMAC extension.
2017-11-20 16:50:43 +00:00
Hanno Becker 81c7b18351 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-11-20 16:25:50 +00:00
Hanno Becker 992b6872f3 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 08:52:25 +00:00
Darryl Green c64a48bec7 Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-17 17:09:17 +00:00
Manuel Pégourié-Gonnard 888fedea06 Merge branch 'development' into development-restricted
* development: (30 commits)
  update README file (#1144)
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Minor style fix
  config.pl get: be better behaved
  config.pl get: don't rewrite config.h; detect write errors
  Fixed "config.pl get" for options with no value
  Fix typo and bracketing in macro args
  Ensure failed test_suite output is sent to stdout
  Remove use of GNU sed features from ssl-opt.sh
  Fix typos in ssl-opt.sh comments
  Add ssl-opt.sh test to check gmt_unix_time is good
  Extend ssl-opt.h so that run_test takes function
  Always print gmt_unix_time in TLS client
  Restored note about using minimum functionality in makefiles
  Note in README that GNU make is required
  Fix changelog for ssl_server2.c usage fix
  ...
2017-11-14 08:24:22 +01:00
Hanno Becker 05c4fc8608 Correct typo in debugging message 2017-11-09 14:34:06 +00:00
Andres Amaya Garcia 849bc65bbf Fix x509_get_subject_alt_name to drop invalid tag
Fix the x509_get_subject_alt_name() function to not accept invalid
tags. The problem was that the ASN.1 class for tags consists of two
bits. Simply doing bit-wise and of the CONTEXT_SPECIFIC macro with the
input tag has the potential of accepting tag values 0x10 (private)
which would indicate that the certificate has an incorrect format.
2017-11-07 19:34:35 +00:00
Ron Eldor 22360825ae Address PR review comments
set `cache->chain` to NULL,
instead of setting the whole structure to zero.
2017-10-29 17:53:52 +02:00
Manuel Pégourié-Gonnard 3f81691d29 Revert to old behaviour of profile_check_key()
Was never documented to check for key alg compatibility, so should not start
doing so. Just stop relying on the pk_alg argument instead.
2017-10-26 10:24:16 +02:00
Manuel Pégourié-Gonnard 19773ff835 Avoid comparing size between RSA and EC keys 2017-10-24 10:51:26 +02:00
Hanno Becker e41158ba10 Add comment on the meaning of ssl->in_offt == NULL 2017-10-23 13:30:32 +01:00
Hanno Becker e72489de11 Remove internal references and use milder wording for some comments 2017-10-23 13:23:50 +01:00
Hanno Becker a6fb089efc Don't split debug messages 2017-10-23 13:17:48 +01:00
Hanno Becker 27b34d5bad Wrong identifier used to check Encrypt-then-MAC flag
This commit fixes a comparison of ssl_session->encrypt_then_mac against the
ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead,
MBEDTLS_SSL_ETM_DISABLED should be used.

The typo is has no functional effect since both constants have the same value 0.
2017-10-20 14:24:51 +01:00
Gilles Peskine 91048a3aac RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-19 17:46:14 +02:00
Gilles Peskine b00b0da452 RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:23:49 +02:00
Gilles Peskine 139108af94 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:03:42 +02:00
Manuel Pégourié-Gonnard 08c36635cb Avoid possible miscast of PK key
I don't think this can cause a crash as the member accessed is in the
beginning of the context, so wouldn't be outside of valid memory if the actual
context was RSA.

Also, the mismatch will be caught later when checking signature, so the cert
chain will be rejected anyway.
2017-10-18 14:57:11 +02:00
Manuel Pégourié-Gonnard 900fba616f Fix check_wildcard() calling convention
We shouldn't return a surprising value in case there is no wildcard and then
rely on the caller to ensure that this doesn't happen
2017-10-18 14:40:13 +02:00
Manuel Pégourié-Gonnard 08eacecc62 Fix some style issues and comment typos 2017-10-18 14:40:11 +02:00
Hanno Becker 888071184c Zeroize stack before returning from mpi_fill_random 2017-10-18 12:41:30 +01:00
Gilles Peskine 6a54b0240d RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:12:36 +02:00
Gilles Peskine 28a0c72795 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:01:38 +02:00
Ron Eldor e1a9a4a826 Fix crash when calling mbedtls_ssl_cache_free twice
Set `cache` to zero at the end of `mbedtls_ssl_cache_free` #1104
2017-10-17 18:15:41 +03:00
Hanno Becker 7c8cb9c28b Fix information leak in ecp_gen_keypair_base
The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-17 15:19:38 +01:00
Hanno Becker 073c199224 Make mpi_read_binary time constant
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
2017-10-17 15:17:27 +01:00
Ron Eldor 3f2da84bca Resolve PR review comments
1) Fix style comments
2) Fix typo in Makefile
3) Remove the `MBEDTLS_MD5_C` dependency from test data file,
as the used keys are not encrypted
2017-10-17 15:53:32 +03:00
Hanno Becker 40f8b51221 Add comments on the use of the renego SCSV and the renego ext 2017-10-17 11:03:50 +01:00
Hanno Becker 21df7f90d2 Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused
Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake
messages in `mbedtls_ssl_read` (expecting application data) lead to the
connection being closed. This commit fixes this, restricting the
`MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting
renegotiation requests and aborting renegotiation attempts after too many
unexpected records have been received.
2017-10-17 11:03:26 +01:00
Hanno Becker b4ff0aafd9 Swap branches accepting/refusing renegotiation in in ssl_read 2017-10-17 11:03:04 +01:00
Hanno Becker 580869dae8 Handle RSA_EXPORT_UNSUPPORTED error code in strerror 2017-10-17 10:34:04 +01:00
Hanno Becker f8c028a2fb Minor corrections 2017-10-17 09:20:57 +01:00
Hanno Becker 4055a3a16f Shorten prime array in mbedtls_rsa_deduce_primes 2017-10-17 09:15:26 +01:00
Hanno Becker c36aab69b5 Swap D,E parameters in mbedtls_rsa_deduce_primes 2017-10-17 09:15:06 +01:00
Ron Eldor 5472d43ffb Fix issues when MBEDTLS_PEM_PARSE_C not defined
1) Fix compilatoin issues when `MBEDTLS_PEM_PARSE_C` not defined
2) remove dependency for `MBEDTLS_PEM_PARSE_C` in DER tests
2017-10-17 09:50:39 +03:00
Ron Eldor 40b14a894b change order of parsing public key
First parse PEM, and if fails, parse DER. Use some convention as
in parsing the private key (`mbedtls_pk_parse_key`)
2017-10-17 09:40:33 +03:00
Ron Eldor 84df1aeeaf use internal pk_get_rsapubkey function
1) use `pk_get_rsapubkey` function instead of `pk_parse_key_pkcs1_der`
2) revert changes in `pk_parse_key_pkcs1_der`
2017-10-16 17:14:46 +03:00
Ron Eldor b006518289 Resolve PR review comments
1) use `pk_get_rsapubkey` instead of reimplementing the parsing
2) rename the key files, according to their type and key size
3) comment in the data_files/Makefile hoe the keys were generated
4) Fix issue of failure parsing pkcs#1 DER format parsing, missed in previous commit
2017-10-16 12:40:27 +03:00
Andres Amaya Garcia 735b37eeef Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 23:21:37 +01:00
Ron Eldor 73a381772b Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-12 23:21:37 +01:00
Andres Amaya Garcia bd9d42c236 Fix typo and bracketing in macro args 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia 106637fc2d Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 19:54:46 +01:00
Ron Eldor 3226d36d61 Fix typo in configuration
Change duplicate of MBEDTLS_ECDH_GEN_PUBLIC_ALT to
MBEDTLS_ECDH_COMPUTE_SHARED_ALT
2017-10-12 14:17:48 +03:00
Hanno Becker ebd2c024dc Don't require P,Q in rsa_private if neither CRT nor blinding used 2017-10-12 10:57:39 +01:00
Hanno Becker efa14e8b0c Reduce number of MPI's used in pk_parse_key_pkcs1_der
As the optional RSA parameters DP, DQ and QP are effectively discarded (they are only considered for their length to
ensure that the key fills the entire buffer), it is not necessary to read them into separate MPI's.
2017-10-11 19:45:19 +01:00
Hanno Becker b82a5b554c Fix typos and mixup related to RSA_NO_CRT 2017-10-11 19:12:00 +01:00
Hanno Becker 5d42b53e51 Enhance documentation and performance of mbedtls_rsa_deduce_primes 2017-10-11 16:36:00 +01:00
Hanno Becker 7643d4e30c Fix number of loop iterations in mbedtls_deduce_primes
The number of loop iterations per candidate in `mbedtls_deduce_primes` was off
by one. This commit corrects this and removes a toy non-example from the RSA
test suite, as it seems difficult to have the function fail on small values of N
even if D,E are corrupted.
2017-10-11 16:32:49 +01:00
Hanno Becker 14a00c0578 Add early detection of bad parameters in mbedtls_deduce_primes 2017-10-11 12:58:23 +01:00
Ron Eldor 8dd73e62d2 Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 12:49:00 +01:00
Hanno Becker a565f54c4c Introduce new files rsa_internal.[ch] for RSA helper functions
This commit splits off the RSA helper functions into separate headers and
compilation units to have a clearer separation of the public RSA interface,
intended to be used by end-users, and the helper functions which are publicly
provided only for the benefit of designers of alternative RSA implementations.
2017-10-11 11:00:19 +01:00
Hanno Becker 705fc68d72 Unify sanity checks for RSA private and public keys 2017-10-10 18:01:25 +01:00
Hanno Becker e867489ff6 Remove outdated comments from mbedtls_rsa_complete 2017-10-10 17:56:14 +01:00
Ron Eldor a84c1cb355 Address PR cpomments reviews
1) move the change into Features from Changes, in the changLog
2) Change the feature alternative configuration MBEDTLS_ECDH_ALT
definition to function alternative defintions
MBEDTLS_ECDH_COMPUTE_SHARED_ALT and MBEDTLS_ECDH_GEN_PUBLIC_ALT
2017-10-10 19:04:27 +03:00
Hanno Becker 7f25f850ac Adapt uses of mbedtls_rsa_complete to removed PRNG argument 2017-10-10 16:56:22 +01:00
Hanno Becker f9e184b9df Remove PRNG argument from mbedtls_rsa_complete 2017-10-10 16:55:41 +01:00
Ron Eldor 314adb6baa Address PR review comments
1) update ChangLog to have new feature in Features instead of Changes
2) Change MBEDTLS_ECDSA_ALT to function specific alternative definitions:
MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and MBEDTLS_ECDSA_GENKEY_ALT
2017-10-10 18:49:02 +03:00
Hanno Becker 68b4d58bd8 Remove PRNG argument from mbedtls_rsa_deduce_moduli
It is not necessary to pass a CSPRNG to `mbedtls_rsa_deduce_moduli`, as there
exist well-working static strategies, and even if a PRNG is preferred, a
non-secure one would be sufficient.

Further, the implementation is changed to use a static strategy for the choice
of candidates which according to some benchmarks even performs better than the
previous one using random candidate choices.
2017-10-10 16:39:10 +01:00
Hanno Becker c76c619dd0 Reconcile resending of previous flights
This commit reconciles the code path responsible for resending the
final DTLS handshake flight with the path for handling resending of
the other flights.
2017-10-10 16:04:49 +01:00
Hanno Becker 90333dab85 Replace wrong usage of WANT_READ by CONTINUE_PROCESSING 2017-10-10 16:04:48 +01:00
Hanno Becker 8ec8102c9a Split WANT_READ in two error codes
This commit restricts WANT_READ to indicate that no data is available on the
underlying transport. To signal the need for further processing - which was
previously also handled through this error code - a new internal error code
MBEDTLS_ERR_SSL_CONTINUE_PROCESSING is introduced.
2017-10-10 16:04:48 +01:00
Hanno Becker 4cb1f4d49c Style corrections 2017-10-10 16:04:48 +01:00
Hanno Becker 52c6dc64c6 Correct length check for DTLS records from old epochs.
DTLS records from previous epochs were incorrectly checked against the
current epoch transform's minimal content length, leading to the
rejection of entire datagrams. This commit fixed that and adapts two
test cases accordingly.

Internal reference: IOTSSL-1417
2017-10-10 16:04:32 +01:00
Hanno Becker 8b170a0a0b Enhance and extend checking of message processing state
-  Enhances the documentation of mbedtls_ssl_get_bytes_avail (return
   the number of bytes left in the current application data record, if
   there is any).
-  Introduces a new public function mbedtls_ssl_check_pending for
   checking whether any data in the internal buffers still needs to be
   processed. This is necessary for users implementing event-driven IO
   to decide when they can safely idle until they receive further
   events from the underlying transport.
2017-10-10 16:04:32 +01:00
Hanno Becker e09ca3d9b6 Add polling function for network contexts
This commit adds a function `mbedtls_net_poll` to the network module
allowing to check if a network context is available for read or write.
2017-10-10 16:03:18 +01:00
Hanno Becker e65ce7862a Enhance debugging output in ssl_tls.c
Give a note on the debugging output on the following occasions:
(1) The timer expires in mbedtls_ssl_fetch_input
(2) There's more than one records within a single datagram
2017-10-10 16:02:36 +01:00
Ron Eldor d0c56de934 Add support for public keys encoded with PKCS#1
1) Add support for public keys encoded with PKCS#1
2) Add tests for PKCS#1 PEM and DER, and PKCS#8 DER
2017-10-10 17:12:07 +03:00
Andres Amaya Garcia 86968c6dd1 Fix typo and bracketing in macro args 2017-10-07 18:29:03 +01:00
Andres Amaya Garcia 6bce9cb5ac Always print gmt_unix_time in TLS client
Change ssl_parse_server_hello() so that the parsed first four random
bytes from the ServerHello message are printed by the TLS client as
a Unix timestamp regardless of whether MBEDTLS_DEBUG_C is defined. The
debug message will only be printed if debug_level is 3 or higher.

Unconditionally enabling the debug print enabled testing of this value.
2017-10-06 11:59:13 +01:00
Hanno Becker 1a9a51c7cf Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-10-06 11:58:50 +01:00
Hanno Becker 947194e7cf Make mbedtls_ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-10-06 11:58:50 +01:00
Andres Amaya Garcia 074c58f08b Always print gmt_unix_time in TLS client
Change ssl_parse_server_hello() so that the parsed first four random
bytes from the ServerHello message are printed by the TLS client as
a Unix timestamp regardless of whether MBEDTLS_DEBUG_C is defined. The
debug message will only be printed if debug_level is 3 or higher.

Unconditionally enabling the debug print enabled testing of this value.
2017-10-06 11:55:32 +01:00
Hanno Becker bc389d1d3c Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code 2017-10-05 11:49:53 +01:00
Hanno Becker 3cdc711972 Deprecate usage of RSA primitives with wrong key type
Further, state explicitly that wrong key types need not be supported by alternative RSA implementations, and that those
may instead return the newly introduced error code MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
2017-10-05 10:28:21 +01:00
Hanno Becker a90658f248 Add ssl_conf_dh_param_bin superseding ssl_conf_dh_param 2017-10-04 15:29:08 +01:00
Hanno Becker 470a8c4d87 Deprecate mbedtls_ssl_conf_dh_param 2017-10-04 15:28:46 +01:00
Hanno Becker 184f675256 Improve debugging output 2017-10-04 13:47:33 +01:00
Hanno Becker a6dd90de30 Add error string for failure code in mbedtls_dhm_set_group 2017-10-04 13:17:52 +01:00
Hanno Becker ab74056037 Make use of mbedtls_dhm_set_group when generating DHM params 2017-10-04 13:17:52 +01:00
Hanno Becker 8880e75dcb Add new function mbedtls_dhm_set_group to DHM Group 2017-10-04 13:17:52 +01:00
Hanno Becker 00d0a6834a Adapt code setting default DHM parameters 2017-10-04 13:17:49 +01:00
Hanno Becker e2fcfa84ea Stick to the use of constant-macros
This commit returns to using constant macros instead of global variables for the DHM group constants. Further, macros
providing the binary encoding of the primes from RFC 3526 and RFC 7919 are added. The hex-string macros are deprecated.
2017-10-04 13:12:15 +01:00
Hanno Becker 0f65e0ca03 Rename rsa_deduce_moduli to rsa_deduce_primes 2017-10-03 14:40:44 +01:00
Hanno Becker 8ba6ce4f4f Rename rsa_deduce_private to rsa_deduce_private_exponent 2017-10-03 14:40:43 +01:00
Hanno Becker 45a0ef32d9 Correct memory leak in mbedtls_rsa_validate_crt 2017-10-03 14:32:56 +01:00
Hanno Becker e58d38c66f Minor improvements 2017-10-03 07:59:29 +01:00
Hanno Becker 2b2f898cbd Streamline code-path in rsa_rsassa_pkcs1_v15_encode 2017-10-03 07:59:29 +01:00
Hanno Becker 64a8c0acd6 Verify PKCS1 v1.5 signature without parsing
This commit modifies the PKCS1 v1.5 signature verification function `mbedtls_rsa_rsassa_pkcs1_v15_verify` to prepare the
expected PKCS1-v1.5-encoded hash using the function also used by the signing routine `mbedtls_rsa_rsassa_pkcs1_v15_sign`
and comparing it to the provided byte-string afterwards. This comes at the benefits of (1) avoiding any error-prone
parsing, (2) removing the dependency of the RSA module on the ASN.1 parsing module, and (3) reducing code size.
2017-10-03 07:58:00 +01:00
Hanno Becker fdf38030de Outsource code for generating PKCS1 v1.5 encoding
This commit moves the code preparing PKCS1 v1.5 encoded hashes from `mbedtls_rsa_rsassa_pkcs1_v15_sign` to a separate
non-public function `rsa_rsassa_pkcs1_v15_encode`. This code-path will then be re-used by the signature verification function
`mbetls_rsa_rsassa_pkcs1_v15_verify` in a later commit.
2017-10-03 07:58:00 +01:00
Hanno Becker 171a8f1c95 Move constant time memcmp for signature verification
This commit replaces the ad-hoc code for constant-time double-checking the PKCS1 v1.5 RSA signature by an invocation of
`mbedtls_safer_memcmp`.
2017-10-03 07:58:00 +01:00
Hanno Becker 2dec5e8b00 Correct outdated comment 2017-10-03 07:49:52 +01:00
Hanno Becker 4e1be398f6 Remove FORCE_VERIFICATION and FORCE_BLINDING 2017-10-02 16:02:55 +01:00
Hanno Becker de6c1644cc Add brackets around arguments of internal macro DHM_MPI_EXPORT 2017-10-02 15:03:15 +01:00
Hanno Becker b5beaa8995 Check that 1 < D, E < N in mbedtls_rsa_validate_params 2017-10-02 13:20:20 +01:00
Hanno Becker c6fc878eda Remove mbedtls_rsa_check_crt
This is no longer needed after the decision to not exhaustively validate private key material.
2017-10-02 13:20:15 +01:00
Hanno Becker 98838b04af Minor improvements 2017-10-02 13:17:01 +01:00
Hanno Becker 7471631dde Make input arguments to mbedtls_rsa_import_raw constant
Original intention was to be allowed to perform in-place operations like changing the byte-order before importing
parameters into an HSM. Now a copy is needed in this case, but there's no more danger of a user expecting the arguments
to be left untouched.
2017-10-02 13:17:01 +01:00
Hanno Becker bdefff1dde Change signature of mbedtls_rsa_deduce_private
Make input arguments constant and adapt the implementation to use a temporary instead of in-place operations.
2017-10-02 09:59:48 +01:00
Hanno Becker ba5b755f1a Change signature and semantics of mbedtls_rsa_deduce_moduli
Input arguments are marked as constant. Further, no double-checking is performed when a factorization of the modulus has
been found.
2017-10-02 09:55:49 +01:00
Hanno Becker 2f38a43d3a Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-09-30 23:35:21 +01:00
Hanno Becker 39f5d359f5 Make mbedtls_ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-09-30 23:35:02 +01:00
Hanno Becker b4274210a4 Improve documentation in pkparse.c
State explicitly that `pk_parse_pkcs8_undencrypted_der` and `pk_parse_key_pkcs8_encrypted_der` are not responsible for
zeroizing and freeing the provided key buffer.
2017-09-29 19:18:51 +01:00
Hanno Becker f04111f5c5 Fix typo 2017-09-29 19:18:42 +01:00
Hanno Becker 56bae95e1d Improve style and documentation, fix typo 2017-09-29 15:43:49 +01:00
Hanno Becker 2fdffe0da0 Check exactly for the RSA context fields required in rsa_private
Previously, the code was also checking for the presence of D for RSA-CRT, which
is not needed in this case.
2017-09-29 15:28:49 +01:00
Hanno Becker bead71752e Correct typo in rsa.c 2017-09-29 12:41:06 +01:00
Hanno Becker ba1ba11a98 Check that length is properly set in mbedtls_rsa_check_pubkey 2017-09-29 11:54:05 +01:00
Hanno Becker 2f8f06aa25 Don't always recompute context length in mbedtls_rsa_get_len
This commit changes the implementation of `mbedtls_rsa_get_len` to return
`ctx->len` instead of always re-computing the modulus' byte-size via
`mbedtls_mpi_size`.
2017-09-29 11:54:05 +01:00
Hanno Becker 2cca6f3290 Always deduce N from P, Q in mbedtls_rsa_complete
Previously, a parameter set of (-, P, Q, -, E) was completed, but (-, P, Q, D,
E) wasn't - this is odd.
2017-09-29 11:54:05 +01:00
Hanno Becker a6f5539413 Adapt version_features.c to new config options 2017-09-28 13:10:46 +01:00
Hanno Becker e71ad12cd5 Minor code-improvements in dhm.c 2017-09-28 11:06:31 +01:00
Hanno Becker 2c9f027e32 Don't require P,Q if CRT is not used
Previously, verification used P,Q regardless of whether CRT was used in the
computation, but this has changed in the meantime.
2017-09-28 11:04:13 +01:00
Hanno Becker 8d1dd1b5b9 Fix bug in mbedtls_mpi_exp_mod
Calling `mbedtls_mpi_exp_mod` with a freshly initialized exponent MPI `N`,
i.e. `N.p == NULL`, would lead to a null-pointer dereference.
2017-09-28 11:02:24 +01:00
Hanno Becker 4c72b000cb Add const-qualifiers to prime constants 2017-09-27 16:06:37 +01:00
Hanno Becker 8c8b0ab877 Change default Diffie-Hellman parameters from RFC 5114 to RFC 7919
The origin of the primes in RFC 5114 is undocumented and their use therefore
constitutes a security risk.
2017-09-27 12:43:57 +01:00
Hanno Becker b2bad800e4 Introduce Diffie-Hellman parameters from RFC 7919 2017-09-27 12:43:55 +01:00
Hanno Becker 0e6dc84f3e Deprecate Diffie-Hellman groups from RFC 5114
Also, change the way the standardized Diffie-Hellman groups are provided from
macro-based string-literals to global variables.
2017-09-27 11:48:02 +01:00
Ron Eldor 2981a0a740 Address Andres PR comments
Address Andres' comments in the PR
2017-09-24 15:41:09 +03:00
Jaeden Amero 1526330931 Allow alternate implementation of GCM
Provide the ability to use an alternative implementation of GCM in place
of the library-provided implementation.
2017-09-22 17:42:44 +01:00
Hanno Becker d8a6f7cfbe Clarify code-paths in x509write_csr and x509write_crt 2017-09-22 16:05:43 +01:00
Hanno Becker a20e33ad59 Use X509 CRT version macros for version checks in x509write_crt_der 2017-09-22 15:40:01 +01:00
Janos Follath 1ad1c6d4e1 Fix typo 2017-09-21 12:05:30 +01:00
Janos Follath aa325d7b7f DHM: Fix dhm_check_range() always returning 0
Although the variable ret was initialised to an error, the
MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being
0 whenewer the bignum computation was successfull and stayed 0
independently of the actual check.
2017-09-21 12:04:41 +01:00
Florin 0b7b83fd91 Fixed SIGSEGV problem when writing with ssl_write_real a buffer that is over MBEDTLS_SSL_MAX_CONTENT_LEN bytes
Signed-off-by: Florin <petriuc.florin@gmail.com>
2017-09-18 16:11:42 +01:00
Hanno Becker 2b187c4d5f Correct typo 2017-09-18 16:11:42 +01:00
Ron Eldor 4a2fb4c6be Addres review comments
Resolves comments raised in the review
2017-09-18 13:43:05 +03:00
Ron Eldor 147d142948 Add log and fix stle issues
Address Andres comments of PR
2017-09-18 13:05:53 +03:00
Ron Eldor 714785dcc2 Write correct number of ciphersuites in log
Change location of log, to fit the correct number of used ciphersuites
2017-09-18 13:05:48 +03:00
Hanno Becker 9648f8b59c Add run-time check for handshake message size in ssl_write_record 2017-09-18 10:56:15 +01:00
Hanno Becker d33f1ca34c Add run-time check for record content size in ssl_encrypt_buf 2017-09-18 10:56:14 +01:00
Andres Amaya Garcia 01692531c6 Document code silently discarding invalid records 2017-09-14 20:20:31 +01:00
Andres Amaya Garcia 2fad94b193 Dont send alert on invalid DTLS record type
Do not send fatal alerts when receiving a record with an invalid header
while running DTLS as this is not compliant behaviour.
2017-09-14 20:18:37 +01:00
Hanno Becker d4a872ee67 Rename internal MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG
This commit renames the test-only flag MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG to make it more transparent
that it's an internal flag, and also to content the testscript tests/scripts/check-names.pl which previously complained
about the macro occurring in a comment in `entropy.c` without being defined in a library file.
2017-09-14 08:04:13 +01:00
Hanno Becker 45037ceac5 Add check for presence of relevant parameters in mbedtls_rsa_private
If CRT is used, check for the presence N, P, Q, D, E, DP, DQ and QP. If CRT is
not used, check for N, P, Q, D, E only.
2017-09-14 08:02:14 +01:00
Hanno Becker 81535d0011 Minor style and typo corrections 2017-09-14 07:51:54 +01:00
Hanno Becker 476986547b Omit version from X.509 v1 certificates
The version field in an X.509 certificate is optional and defaults to v1, so it
may be omitted in this case.
2017-09-14 07:51:54 +01:00
Hanno Becker d7f3520360 Don't add extensions for X.509 non-v3 certificates
This commit removes extension-writing code for X.509 non-v3 certificates from
mbedtls_x509write_crt_der. Previously, even if no extensions were present an
empty sequence would have been added.
2017-09-14 07:51:54 +01:00
Hanno Becker fc77144802 Fix extraction of signature-type from PK context instance 2017-09-14 07:51:54 +01:00
Hanno Becker 9be1926b69 Correct parsing checks in mbedtls_pk_parse_key
Two code-paths in `mbedtls_pk_parse_key` returned success on a failure in `mbedtls_pk_setup`.
2017-09-08 12:39:44 +01:00
Hanno Becker 66a0f83d58 Remove unreachable branches in pkparse.c 2017-09-08 12:39:21 +01:00
Hanno Becker b8d1657148 Mention in-place decryption in pk_parse_key_pkcs8_encrypted_der
Also fixes a typo.
2017-09-07 15:29:01 +01:00
Hanno Becker 2aa80a706f Remove unnecessary cast 2017-09-07 15:28:45 +01:00
Hanno Becker a988a2702a Emit deprecation warning if MBEDTLS_RSA_FORCE_BLINDING is not set 2017-09-07 13:11:33 +01:00
Manuel Pégourié-Gonnard a4dd783909 Fix some typos in comments 2017-09-07 11:11:39 +02:00
Ron Eldor bc18eb3b92 Fix compilation error with Mingw32
Fix compilation error on Mingw32 when `_TRUNCATE` is defined. Use
`_TRUNCATE` only if `__MINGW32__` not defined. Fix suggested by
Thomas Glanzmann and Nick Wilson on issue #355
2017-09-06 17:51:14 +03:00
Ron Eldor 65112b15e6 Adress Hannos's comments
Remove zeroizing buffer, as it was done already in PR #369
Check that buffer is not null by `!= NULL` statement
2017-09-06 17:09:41 +03:00
Ron Eldor 9d84b4c102 update after Andres comments
Update after Andres coments:
1. zeroize the buffer in `mbedtls_pem_read_buffer()` before freeing it
2. use `mbedtls_zeroize()` instead of `memset()`
2017-09-05 17:17:31 +03:00
Ron Eldor 31162e4423 Set PEM buffer to zero before freeing it
Set PEM buffer to zero before freeing it, to avoid private keys
being leaked to memory after releasing it.
2017-09-05 15:34:35 +03:00
Ron Eldor 7268ca9500 remove redundant include
Remove redunadnat include for platform.h which was acciddently pushed,
for debugging purposes
2017-09-05 14:29:20 +03:00
Hanno Becker 9c6cb38ba8 Fix typo in pkparse.c 2017-09-05 10:08:01 +01:00
Manuel Pégourié-Gonnard 4b6e210d00 Merge branch 'mbedtls-2.6' into iotssl-1381-x509-verify-refactor-restricted
* mbedtls-2.6: (27 commits)
  Update version number to 2.6.0
  Fix language in Changelog for clarity
  Improve documentation of PKCS1 decryption functions
  Fix style and missing item in ChangeLog
  Add credit to Changelog to fix for #666
  Fix naked call to time() with platform call
  Fix ChangeLog for duplication after merge
  Rename time and index parameter to avoid name conflict.
  Correct comment
  Adapt ChangeLog
  Reliably zeroize sensitive data in AES sample application
  Reliably zeroize sensitive data in Crypt-and-Hash sample application
  Fix potential integer overflow parsing DER CRT
  Fix potential integer overflow parsing DER CRL
  Move the git scripts to correct path
  Update after @sbutcher-arm comments
  Fix slash direction for linux path
  Add note for the git_hoos README file
  Pre push hook script
  Check return code of mbedtls_mpi_fill_random
  ...
2017-08-31 10:09:43 +02:00
Manuel Pégourié-Gonnard bb216bd940 Fix MSVC 64-bit warnings
"conversion from size_t to int, possible loss of data"
2017-08-28 13:25:55 +02:00
Manuel Pégourié-Gonnard 196d1338ba Fix uninitialised variable in some configs 2017-08-28 13:14:27 +02:00
Hanno Becker fab3569963 Use in-place decryption in pk_parse_pkcs8_encrypted_der
The stack buffer used to hold the decrypted key in pk_parse_pkcs8_encrypted_der
was statically sized to 2048 bytes, which is not enough for DER encoded 4096bit
RSA keys.

This commit resolves the problem by performing the key-decryption in-place,
circumventing the introduction of another stack or heap copy of the key.

There are two situations where pk_parse_pkcs8_encrypted_der is invoked:
1. When processing a PEM-encoded encrypted key in mbedtls_pk_parse_key.
   This does not need adaption since the PEM context used to hold the decoded
   key is already constructed and owned by mbedtls_pk_parse_key.
2. When processing a DER-encoded encrypted key in mbedtls_pk_parse_key.
   In this case, mbedtls_pk_parse_key calls pk_parse_pkcs8_encrypted_der with
   the buffer provided by the user, which is declared const. The commit
   therefore adds a small code paths making a copy of the keybuffer before
   calling pk_parse_pkcs8_encrypted_der.
2017-08-25 13:57:21 +01:00
Hanno Becker 771d30edac Add missing calls to mbedtls_pem_free in mbedtls_pk_parse 2017-08-25 13:57:21 +01:00
Hanno Becker cc209ca56d Remove signature verification from rsa_rsassa_pkcs1_v15_sign
This verification path is redundant now that verification is uniformly done in
rsa_private.
2017-08-25 11:52:29 +01:00
Hanno Becker 43f94721ab Add quick-check for presence of relevant parameters in rsa_private 2017-08-25 11:52:27 +01:00
Hanno Becker c6075cc5ac Don't use CRT for signature verification
If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.
2017-08-25 11:45:35 +01:00
Hanno Becker b269a8584a Change mbedtls_rsa_check_privkey to use new helper functions 2017-08-25 08:35:09 +01:00
Hanno Becker d9431a7817 Minor comments improvement 2017-08-25 08:35:09 +01:00
Hanno Becker d363799a9d Add mbedtls_rsa_validate_crt
This commit adds the function mbedtls_rsa_validate_crt for validating a set of CRT parameters. The function
mbedtls_rsa_check_crt is simplified accordingly.
2017-08-25 08:35:09 +01:00
Hanno Becker d56d83a7f3 Remove double-checking code from rsa_deduce_moduli and rsa_complete 2017-08-25 08:35:08 +01:00
Hanno Becker 750e8b4596 Rename rsa_check_params->rsa_validate_params and change error codes 2017-08-25 08:34:55 +01:00
Manuel Pégourié-Gonnard fd87e354f6 Improve comments on parity trick 2017-08-24 14:21:19 +02:00
Manuel Pégourié-Gonnard 95aedfea33 Remove redundant test on curve type
If rsm != NULL then the curve type has to be Short Weierstrass, as we don't
implement restartable Montgomery now. If and when we do, then it's better to
check for the subcontext only, and not for the curve type.
2017-08-24 13:47:04 +02:00
Manuel Pégourié-Gonnard 11556e2846 Clarify initialization of T in mul_comb()
Exactly one of three ways will be used, so make that clear by using an
if 1 else if 2 else 3 structure.

While at it, don't initialize variables at declaration, just to make extra
sure they're properly initialized afterwards in all code paths.
2017-08-24 13:42:34 +02:00
Manuel Pégourié-Gonnard 0b23f167ba SSL: rework restart state handling
As done by previous commits for ECC and ECDSA:
- use explicit state assignments rather than increment
- always place the state update right before the operation label

This will make it easier to add restart support for other operations later if
desired.

SSL-specific changes:
- remove useless states: when the last restartable operation on a message is
  complete, ssl->state is incremented already, so we don't need any additional
state update: ecrs_state is only meant to complement ssl->state
- rename remaining states consistently as <message>_<operation>
- move some labels closer to the actual operation when possible (no assignment
  to variables used after the label between its previous and current position)
2017-08-24 12:08:33 +02:00
Manuel Pégourié-Gonnard 6348181da9 Explicit state assignments in ecdsa too 2017-08-24 11:16:01 +02:00
Manuel Pégourié-Gonnard 4ed1dab474 ECP: move state changes closer to operations
Systematically assign state just before the next operation that may return,
rather that just after the previous one. This makes things more local. (For
example, previously precompute_comb() has to handle a state reset for
mul_comb_core(), a kind of coupling that's best avoided.)

Note that this change doesn't move the location of state updates relative
to any potential return point, which is all that matters.
2017-08-24 11:02:04 +02:00
Manuel Pégourié-Gonnard c9efa00871 ECP: Use explicit state assignments
Incrementing the state is error-prone as we can end up doing it too many times
(loops) or not enough (skipped branches), or just make programming mistakes
(eg. the state was incremented twice at the end, so it ended up with a value
not in the enum...)

This is the first step of the rework, the next one will rationalize where the
state assignments are done.
2017-08-24 10:25:06 +02:00
Hanno Becker fb81c0ec2e Guard primality checks in RSA module by MBEDTLS_GENPRIME
Primality testing is guarded by the configuration flag MBEDTLS_GENPRIME and used in the new RSA helper functions. This
commit adds a corresponding preprocessor directive.
2017-08-24 06:55:11 +01:00
Manuel Pégourié-Gonnard db4a8eb992 Use ECP_RS_ENTER/LEAVE() macros, as in ECDSA 2017-08-23 18:20:17 +02:00
Manuel Pégourié-Gonnard b948f7dc20 Don't bother to free NULL subcontexts 2017-08-23 18:20:17 +02:00
Manuel Pégourié-Gonnard bfa1972b4f Remove redundant checks, save a few muls
ecp_mul() already checks for this, and this check is not going away, so no
need to do it twice (didn't even result in better error reporting)
2017-08-23 18:20:17 +02:00
Manuel Pégourié-Gonnard 28d162829b Avoid unnecessary xxx_copy() calls
The call would anyway check for pointer equality and return early, but it
doesn't hurt to save a function call, and also this follows more uniformly the
pattern that those two lines go together:

    #if defined(MBEDTLS_ECP_RESTARTBLE)
    if( rs_ctx != NULL && ...
2017-08-23 18:20:17 +02:00
Manuel Pégourié-Gonnard 5bd38b1144 Replace memset() calls with xxx_init() calls
And follow calloc() calls with xxx_init() too
2017-08-23 18:20:17 +02:00
Manuel Pégourié-Gonnard 92cceb29bd Make some names more consistent 2017-08-23 18:20:17 +02:00
Manuel Pégourié-Gonnard ebac5d3797 Fix some whitespace & style issues 2017-08-23 18:20:17 +02:00
Hanno Becker ab3773123c Add support for alternative RSA implementations
Alternative RSA implementations can be provided by defining MBEDTLS_RSA_ALT in
config.h, defining an mbedtls_rsa_context struct in a new file rsa_alt.h and
re-implementing the RSA interface specified in rsa.h.

Through the previous reworkings, the adherence to the interface is the only
implementation obligation - in particular, implementors are free to use a
different layout for the RSA context structure.
2017-08-23 16:24:51 +01:00
Hanno Becker 6345dd33b9 Adapt rsa_check_privkey to deal with NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker bee3aaeb50 Adapt rsa_gen_key to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker dc95c890ad Adapt rsa_deduce_crt to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker 33c30a0c7e Adapt rsa_copy and rsa_free to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker 23344b5fcc Adapt rsa_complete to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker 83aad1fa86 Adapt gen_key example program to new RSA interface 2017-08-23 16:17:27 +01:00
Hanno Becker d71dc159a6 Adapt PK test suite to use new interface 2017-08-23 16:17:27 +01:00
Hanno Becker 15f81fa21c Adapt pkwrite.c to new RSA interface 2017-08-23 16:17:27 +01:00
Hanno Becker d58c5b2d16 Adapt pkparse.c to new RSA interface 2017-08-23 16:17:24 +01:00
Hanno Becker 6a1e7e5f4c Adapt pk_wrap.c to new RSA interface
This commit replaces direct manipulation of RSA context structure fields by
calls to the extended RSA interface in pk_wrap.c.
2017-08-23 15:07:40 +01:00
Hanno Becker 3a701161ff Adapt RSA selftest to new RSA interface
This commit replaces direct manipulation of structure fields in the RSA selftest
by calls to the extended interface.
2017-08-23 15:07:40 +01:00
Hanno Becker 8fd5548241 Minor formatting changes 2017-08-23 14:47:25 +01:00
Hanno Becker 617c1aeb18 Implement new RSA interface functions 2017-08-23 14:47:22 +01:00
Hanno Becker e2e8b8da1d Implement RSA helper functions 2017-08-23 14:44:33 +01:00
Manuel Pégourié-Gonnard 7037e222ea Improve comments and doc for ECP 2017-08-23 14:30:36 +02:00
Manuel Pégourié-Gonnard daf049144e Rework state saving for verify_chain()
Child was almost redundant as it's already saved in ver_chain, except it was
multiplexed to also indicate whether an operation is in progress. This commit
removes it and introduces an explicit state variable instead.

This state can be useful later if we start returning IN_PROGRESS at other
points than find_parent() (for example when checking CRL).

Note that the state goes none -> find_parent and stays there until the context
is free(), as it's only on the first call that nothing was in progress.
2017-08-23 12:32:19 +02:00
Manuel Pégourié-Gonnard a968843429 Improve some comments in verify_chain() 2017-08-23 11:37:22 +02:00
Manuel Pégourié-Gonnard 3627a8b2f6 Clarify state handling in find_parent(_in)() 2017-08-23 11:20:48 +02:00
Manuel Pégourié-Gonnard 83e923ba2b Better initialisation of ver_chain
Use dedicated function for consistency, and initialise flags to -1 as this is
the safe value.
2017-08-23 10:55:41 +02:00
Manuel Pégourié-Gonnard d55f776cb7 Skip context allocation if restart disabled 2017-08-18 17:40:15 +02:00
Manuel Pégourié-Gonnard aaa9814879 Uniformize ifdefs to ECDSA_C+ECP_RESTARTABLE
Some parts were already implicitly using this as the two ifdefs were nested,
and some others didn't, which resulted in compile errors in some configs. This
fixes those errors and saves a bit of code+RAM that was previously wasted when
ECP_RESTARTABLE was defined but ECDSA_C wasn't
2017-08-18 17:30:37 +02:00
Manuel Pégourié-Gonnard fe6877034d Keep PK layer context in the PK layer
Previously we kept the ecdsa context created by the PK layer for ECDSA
operations on ECKEY in the ecdsa_restart_ctx structure, which was wrong, and
caused by the fact that we didn't have a proper handling of restart
sub-contexts in the PK layer.
2017-08-18 17:04:07 +02:00