Commit graph

4583 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 64c1681fbc Use new macros for all TLS/DTLS tests
sed -i -e 's/\([^ ]*transport\) == MBEDTLS_SSL_TRANSPORT_DATAGRAM/MBEDTLS_SSL_TRANSPORT_IS_DTLS( \1 )/' -e 's/\([^ ]*transport\) \(!= MBEDTLS_SSL_TRANSPORT_DATAGRAM\|== MBEDTLS_SSL_TRANSPORT_STREAM\)/MBEDTLS_SSL_TRANSPORT_IS_TLS( \1 )/' library/ssl_*.c

New sizes (see 2nd-previous commit for measuring script):

```

both
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  17156       0       0   17156    4304 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  17649       0       0   17649    44f1 ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  39286      60       0   39346    99b2 ssl_tls.o (ex library/libmbedtls.a)
  88874      60     600   89534   15dbe (TOTALS)

DTLS-only
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  16948       0       0   16948    4234 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  17437       0       0   17437    441d ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  38147      60       0   38207    953f ssl_tls.o (ex library/libmbedtls.a)
  87315      60     600   87975   157a7 (TOTALS)

TLS-only
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  14912       0       0   14912    3a40 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  15868       0       0   15868    3dfc ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  27619      60       0   27679    6c1f ssl_tls.o (ex library/libmbedtls.a)
  73182      60     600   73842   12072 (TOTALS)
```
2019-06-06 13:19:59 +02:00
Manuel Pégourié-Gonnard ff4bd9f405 Use new tools for all cases with TLS-specific code
This commit handles occurrences of case 2 and 3 in the following list:

1. Some DTLS-specific code with no TLS-specific code (most frequent)
2. Some specific code for each protocol
3. Some TLS-specific code with no DTLS-specific code (least frequent)

Case 3 previously had a weird structure in that the TLS-specific code was
always present, but the if structure was conditional on DTLS being enabled.
This is changed by this commit to a more logical structure where both the code
and the test are conditional on TLS being enabled.

Case 2 doesn't require any change in the code structure in general. However,
there is one occurrence where the if/else structure is simplified to assigning
the result of a boolean operation, and one occurrence where I also noticed a
useless use of `ssl_ep_len()` in a TLS-specific branch, that I turned to the
constant 0 as it makes more sense.

Case 1 will be handled in the next commit, as it can easily be handled in an
automated way - only cases 2 and 3 (sometimes) required manual intervention.

The list of occurrences for cases 2 and 3 was established manually by looking
for occurrences of '= MBEDTLS_SSL_TRANSPORT_' in the code and manually
checking if there was a TLS-specific branch.

New sizes (see previous commit for the measuring script):

```

both
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  17156       0       0   17156    4304 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  17649       0       0   17649    44f1 ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  39286      60       0   39346    99b2 ssl_tls.o (ex library/libmbedtls.a)
  88874      60     600   89534   15dbe (TOTALS)

DTLS-only
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  17068       0       0   17068    42ac ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  17553       0       0   17553    4491 ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  38499      60       0   38559    969f ssl_tls.o (ex library/libmbedtls.a)
  87903      60     600   88563   159f3 (TOTALS)

TLS-only
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  14912       0       0   14912    3a40 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  15868       0       0   15868    3dfc ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  27619      60       0   27679    6c1f ssl_tls.o (ex library/libmbedtls.a)
  73182      60     600   73842   12072 (TOTALS)
```
2019-06-06 13:18:19 +02:00
Manuel Pégourié-Gonnard 25838b795f Introduce tools for transport-specific code
And use those tools in a few places. For now the purpose is just to validate
those tools before using them in all occurrences of transport-specific code.

The effect of these changes was measured with the following script:

```
set -eu

build() {
    printf "\n$1\n"
    CC=arm-none-eabi-gcc CFLAGS='-Werror -Os -march=armv6-m -mthumb' \
        AR=arm-none-eabi-ar LD=arm-none-eabi-ld make clean lib >/dev/null
    arm-none-eabi-size -t library/libmbedtls.a
}

git checkout -- include/mbedtls/config.h
scripts/config.pl unset MBEDTLS_NET_C
scripts/config.pl unset MBEDTLS_TIMING_C
scripts/config.pl unset MBEDTLS_FS_IO
scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
build "both"

scripts/config.pl unset MBEDTLS_SSL_PROTO_TLS
build "DTLS-only"

scripts/config.pl set MBEDTLS_SSL_PROTO_TLS
scripts/config.pl unset MBEDTLS_SSL_PROTO_DTLS
scripts/config.pl unset MBEDTLS_SSL_DTLS_HELLO_VERIFY
scripts/config.pl unset MBEDTLS_SSL_DTLS_ANTI_REPLAY
scripts/config.pl unset MBEDTLS_SSL_DTLS_BADMAC_LIMIT
scripts/config.pl unset MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
build "TLS-only"

git checkout -- include/mbedtls/config.h
```

The output of the script is as follows:

```
both
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  17160       0       0   17160    4308 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  17637       0       0   17637    44e5 ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  39322      60       0   39382    99d6 ssl_tls.o (ex library/libmbedtls.a)
  88902      60     600   89562   15dda (TOTALS)

DTLS-only
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  17072       0       0   17072    42b0 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  17565       0       0   17565    449d ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  38953      60       0   39013    9865 ssl_tls.o (ex library/libmbedtls.a)
  88373      60     600   89033   15bc9 (TOTALS)

TLS-only
   text    data     bss     dec     hex filename
   1820       0       4    1824     720 debug.o (ex library/libmbedtls.a)
      0       0       0       0       0 net_sockets.o (ex library/libmbedtls.a)
    548       0       0     548     224 ssl_cache.o (ex library/libmbedtls.a)
  11155       0     596   11751    2de7 ssl_ciphersuites.o (ex library/libmbedtls.a)
  14916       0       0   14916    3a44 ssl_cli.o (ex library/libmbedtls.a)
    460       0       0     460     1cc ssl_cookie.o (ex library/libmbedtls.a)
  15852       0       0   15852    3dec ssl_srv.o (ex library/libmbedtls.a)
    800       0       0     800     320 ssl_ticket.o (ex library/libmbedtls.a)
  27623      60       0   27683    6c23 ssl_tls.o (ex library/libmbedtls.a)
  73174      60     600   73834   1206a (TOTALS)
```

It can be seen that a DTLS-only build is now starting to be a bit smaller than
a dual-mode build, which is the purpose of the new build option.
2019-06-06 13:02:14 +02:00
Manuel Pégourié-Gonnard e744eab3b1 Adapt defaults and programs documentation 2019-06-06 13:02:14 +02:00
Manuel Pégourié-Gonnard a771160799 Introduce new config.h flag for TLS
For now the option has no effect.

Adapted existing example config files. The fact that I needed to do this
highlights that this is a slightly incompatible change: existing users need to
update their existing custom configs (if standalone as opposed to based on the
default config) in order to still get the same behaviour.

The alternative would be to have a negative config option (eg NO_TLS or
DTLS_ONLY) but this doesn't fit as nicely with the existing options, so
hopefully the minor incompatibility is acceptable.

I don't think it's worth adding a new component to all.sh:
- builds with both DTLS and TLS are done in the default (and full) config
- TLS-only builds are done with eg config-suite-b.h in test-ref-configs
- a DTLS-only build is done with config-thread.h in test-ref-configs
- builds with none of them (and SSL_TLS_C enabled) are forbidden
2019-06-06 12:59:48 +02:00
Hanno Becker 68b856d0ac Fix style issue and wording 2019-06-05 14:25:28 +01:00
Hanno Becker fe87027512 Fix memory leak 2019-06-05 14:25:28 +01:00
Hanno Becker fd39919aa3 Improve formatting of ssl_parse_certificate_chain() 2019-06-05 14:25:28 +01:00
Hanno Becker 285ff0c362 Add compile-time guards around helper routine 2019-06-05 14:25:28 +01:00
Hanno Becker 33c3dc8591 Don't store the peer CRT chain twice during renegotiation
Context: During a handshake, the SSL/TLS handshake logic constructs
an instance of ::mbedtls_ssl_session representing the SSL session
being established. This structure contains information such as the
session's master secret, the peer certificate, or the session ticket
issues by the server (if applicable).
During a renegotiation, the new session is constructed aside the existing
one and destroys and replaces the latter only when the renegotiation is
complete. While conceptually clear, this means that during the renegotiation,
large pieces of information such as the peer's CRT or the session ticket
exist twice in memory, even though the original versions are removed
eventually.

This commit removes the simultaneous presence of two peer CRT chains
in memory during renegotiation, in the following way:
- Unlike in the case of SessionTickets handled in the previous commit,
  we cannot simply free the peer's CRT chain from the previous handshake
  before parsing the new one, as we need to verify that the peer's end-CRT
  hasn't changed to mitigate the 'Triple Handshake Attack'.
- Instead, we perform a binary comparison of the original peer end-CRT
  with the one presented during renegotiation, and if it succeeds, we
  avoid re-parsing CRT by moving the corresponding CRT pointer from the
  old to the new session structure.
- The remaining CRTs in the peer's chain are not affected by the triple
  handshake attack protection, and for them we may employ the canonical
  approach of freeing them before parsing the remainder of the new chain.

Note that this commit intends to not change any observable behavior
of the stack. In particular:
- The peer's CRT chain is still verified during renegotiation.
- The tail of the peer's CRT chain may change during renegotiation.
2019-06-05 14:25:28 +01:00
Hanno Becker 3d699e43ea SSL/TLS client: Remove old session ticket on renegotiation
Context: During a handshake, the SSL/TLS handshake logic constructs
an instance of ::mbedtls_ssl_session representing the SSL session
being established. This structure contains information such as the
session's master secret, the peer certificate, or the session ticket
issues by the server (if applicable).

During a renegotiation, the new session is constructed aside the existing
one and destroys and replaces the latter only when the renegotiation is
complete. While conceptually clear, this means that during the renegotiation,
large pieces of information such as the peer's CRT or the session ticket
exist twice in memory, even though the original versions are removed
eventually.

This commit starts removing this memory inefficiency by freeing the old
session's SessionTicket before the one for the new session is allocated.
2019-06-05 14:25:28 +01:00
Jaeden Amero 2eaf2c7969 ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not
MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and
build_transforms() will attempt to use a non-existent `encrypt_then_mac`
field in the ssl_transform.

    Compile [ 93.7%]: ssl_tls.c
    [Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha
s no member named 'encrypt_then_mac'
    [ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys'
:
    ./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str
uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac'
         transform->encrypt_then_mac = session->encrypt_then_mac;
                  ^~

Change mbedtls_ssl_derive_keys() and build_transforms() to only access
`encrypt_then_mac` if `encrypt_then_mac` is actually present. Fix any
unused variable warnings along the way, by additionally wrapping
function parameters with MBEDTLS_SSL_SOME_MODES_USE_MAC.

Add a regression test to detect when we have regressions with
configurations that do not include any MAC ciphersuites.

Fixes 92231325a7 ("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
2019-06-05 14:22:11 +01:00
Hanno Becker aa8665ac26 Add a new X.509 API call for copy-less parsing of CRTs
Context:
The existing API `mbedtls_x509_parse_crt_der()` for parsing DER
encoded X.509 CRTs unconditionally makes creates a copy of the
input buffer in RAM. While this comes at the benefit of easy use,
-- specifically: allowing the user to free or re-use the input
buffer right after the call -- it creates a significant memory
overhead, as the CRT is duplicated in memory (at least temporarily).
This might not be tolerable a resource constrained device.

As a remedy, this commit adds a new X.509 API call

   `mbedtls_x509_parse_crt_der_nocopy()`

which has the same signature as `mbedtls_x509_parse_crt_der()`
and almost the same semantics, with one difference: The input
buffer must persist and be unmodified for the lifetime of the
established instance of `mbedtls_x509_crt`, that is, until
`mbedtls_x509_crt_free()` is called.
2019-06-05 13:16:55 +01:00
Hanno Becker c74ce446b9 Improve documentation of mbedtls_x509_get_ext()
- Explain the use of explicit ASN.1 tagging for the extensions structuree
- Remove misleading comment which suggests that mbedtls_x509_get_ext()
  also parsed the header of the first extension, which is not the case.
2019-06-04 14:01:10 +01:00
Hanno Becker 2f472140f9 Always return a high-level error code from X.509 module
Some functions within the X.509 module return an ASN.1 low level
error code where instead this error code should be wrapped by a
high-level X.509 error code as in the bulk of the module.

Specifically, the following functions are affected:
- mbedtls_x509_get_ext()
- x509_get_version()
- x509_get_uid()

This commit modifies these functions to always return an
X.509 high level error code.

Care has to be taken when adapting `mbetls_x509_get_ext()`:
Currently, the callers `mbedtls_x509_crt_ext()` treat the
return code `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` specially to
gracefully detect and continue if the extension structure is not
present. Wrapping the ASN.1 error with
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and adapting the check
accordingly would mean that an unexpected tag somewhere
down the extension parsing would be ignored by the caller.

The way out of this is the following: Luckily, the extension
structure is always the last field in the surrounding structure,
so if there is some data remaining, it must be an Extension
structure, so we don't need to deal with a tag mismatch gracefully
in the first place.

We may therefore wrap the return code from the initial call to
`mbedtls_asn1_get_tag()` in `mbedtls_x509_get_ext()` by
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and simply remove
the special treatment of `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`
in the callers `x509_crl_get_ext()` and `x509_crt_get_ext()`.

This renders `mbedtls_x509_get_ext()` unsuitable if it ever
happened that an Extension structure is optional and does not
occur at the end of its surrounding structure, but for CRTs
and CRLs, it's fine.

The following tests need to be adapted:
- "TBSCertificate v3, issuerID wrong tag"
  The issuerID is optional, so if we look for its presence
  but find a different tag, we silently continue and try
  parsing the subjectID, and then the extensions. The tag '00'
  used in this test doesn't match either of these, and the
  previous code would hence return LENGTH_MISMATCH after
  unsucessfully trying issuerID, subjectID and Extensions.
  With the new code, any data remaining after issuerID and
  subjectID _must_ be Extension data, so we fail with
  UNEXPECTED_TAG when trying to parse the Extension data.
- "TBSCertificate v3, UIDs, invalid length"
  The test hardcodes the expectation of
  MBEDTLS_ERR_ASN1_INVALID_LENGTH, which needs to be
  wrapped in MBEDTLS_ERR_X509_INVALID_FORMAT now.

Fixes #2431.
2019-06-04 14:01:10 +01:00
Hanno Becker 4e1bfc19cc Obey bounds of ASN.1 substructures
When parsing a substructure of an ASN.1 structure, no field within
the substructure must exceed the bounds of the substructure.
Concretely, the `end` pointer passed to the ASN.1 parsing routines
must be updated to point to the end of the substructure while parsing
the latter.

This was previously not the case for the routines
- x509_get_attr_type_and_value(),
- mbedtls_x509_get_crt_ext(),
- mbedtls_x509_get_crl_ext().
These functions kept using the end of the parent structure as the
`end` pointer and would hence allow substructure fields to cross
the substructure boundary. This could lead to successful parsing
of ill-formed X.509 CRTs.

This commit fixes this.

Care has to be taken when adapting `mbedtls_x509_get_crt_ext()`
and `mbedtls_x509_get_crl_ext()`, as the underlying function
`mbedtls_x509_get_ext()` returns `0` if no extensions are present
but doesn't set the variable which holds the bounds of the Extensions
structure in case the latter is present. This commit addresses
this by returning early from `mbedtls_x509_get_crt_ext()` and
`mbedtls_x509_get_crl_ext()` if parsing has reached the end of
the input buffer.

The following X.509 parsing tests need to be adapted:
- "TBSCertificate, issuer two inner set datas"
  This test exercises the X.509 CRT parser with a Subject name
  which has two empty `AttributeTypeAndValue` structures.
  This is supposed to fail with `MBEDTLS_ERR_ASN1_OUT_OF_DATA`
  because the parser should attempt to parse the first structure
  and fail because of a lack of data. Previously, it failed to
  obey the (0-length) bounds of the first AttributeTypeAndValue
  structure and would try to interpret the beginning of the second
  AttributeTypeAndValue structure as the first field of the first
  AttributeTypeAndValue structure, returning an UNEXPECTED_TAG error.
- "TBSCertificate, issuer, no full following string"
  This test exercises the parser's behaviour on an AttributeTypeAndValue
  structure which contains more data than expected; it should therefore
  fail with MBEDTLS_ERR_ASN1_LENGTH_MISMATCH. Because of the missing bounds
  check, it previously failed with UNEXPECTED_TAG because it interpreted
  the remaining byte in the first AttributeTypeAndValue structure as the
  first byte in the second AttributeTypeAndValue structure.
- "SubjectAltName repeated"
  This test should exercise two SubjectAltNames extensions in succession,
  but a wrong length values makes the second SubjectAltNames extension appear
  outside of the Extensions structure. With the new bounds in place, this
  therefore fails with a LENGTH_MISMATCH error. This commit adapts the test
  data to put the 2nd SubjectAltNames extension inside the Extensions
  structure, too.
2019-06-04 14:01:10 +01:00
Hanno Becker 7bf7710f40 Remove reference to outdated compile-time option 2019-06-04 09:44:25 +01:00
Hanno Becker 5dbcc9f441 Introduce specific error for ver/cfg mismatch on deserialization
This commit introduces a new SSL error code

  `MBEDTLS_ERR_SSL_VERSION_MISMATCH`

which can be used to indicate operation failure due to a
mismatch of version or configuration.

It is put to use in the implementation of `mbedtls_ssl_session_load()`
to signal the attempt to de-serialize a session which has been serialized
in a build of Mbed TLS using a different version or configuration.
2019-06-03 13:01:21 +01:00
Hanno Becker baf968cf69 Use def'n consts for bits in config-identifier of serialized data 2019-06-03 12:49:09 +01:00
Hanno Becker b36db4f368 Note that ver+fmt bytes in serialized data must not be removed 2019-06-03 12:49:09 +01:00
Hanno Becker 26829e99b2 Improve doc'n of config-identifying bitfield in serialized session 2019-06-03 12:48:50 +01:00
Hanno Becker 1d8b6d7b12 Session serialization: Fail with BAD_INPUT_DATA if buffer too small 2019-06-03 12:48:31 +01:00
Hanno Becker 41527624f6 Encode relevant parts of the config in serialized session header
This commit makes use of the added space in the session header to
encode the state of those parts of the compile-time configuration
which influence the structure of the serialized session in the
present version of Mbed TLS. Specifically, these are
- the options which influence the presence/omission of fields
  from mbedtls_ssl_session (which is currently shallow-copied
  into the serialized session)
- the setting of MBEDTLS_X509_CRT_PARSE_C, which determines whether
  the serialized session contains a CRT-length + CRT-value pair after
  the shallow-copied mbedtls_ssl_session instance.
- the setting of MBEDTLS_SSL_SESSION_TICKETS, which determines whether
  the serialized session contains a session ticket.
2019-06-03 12:48:16 +01:00
Hanno Becker 557fe9ffde Add configuration identifier to serialized SSL sessions
This commit adds space for two bytes in the header of serizlied
SSL sessions which can be used to determine the structure of the
remaining serialized session in the respective version of Mbed TLS.

Specifically, if parts of the session depend on whether specific
compile-time options are set or not, the setting of these options
can be encoded in the added space.

This commit doesn't yet make use of the fields.
2019-06-03 12:46:39 +01:00
Hanno Becker b5352f0489 Add Mbed TLS version to SSL sessions
The format of serialized SSL sessions depends on the version and the
configuration of Mbed TLS; attempts to restore sessions established
in different versions and/or configurations lead to undefined behaviour.

This commit adds an 3-byte version header to the serialized session
generated and cleanly fails ticket parsing in case a session from a
non-matching version of Mbed TLS is presented.
2019-06-03 12:46:23 +01:00
Manuel Pégourié-Gonnard 60a4299bbf Add new ABI-independent format for serialization 2019-06-03 10:15:07 +02:00
Manuel Pégourié-Gonnard 35ccdbb636 Normalize spelling to serialiZation
We have explicit recommendations to use US spelling for technical writing, so
let's apply this to code as well for uniformity. (My fingers tend to prefer UK
spelling, so this needs to be fixed in many places.)

sed -i 's/\([Ss]eriali\)s/\1z/g' **/*.[ch] **/*.function **/*.data ChangeLog
2019-06-03 09:55:16 +02:00
Manuel Pégourié-Gonnard 5709811dd2 Add test for session_load() from small buffers
This uncovered a bug that led to a double-free (in practice, in general could
be free() on any invalid value): initially the session structure is loaded
with `memcpy()` which copies the previous values of pointers peer_cert and
ticket to heap-allocated buffers (or any other value if the input is
attacker-controlled). Now if we exit before we got a chance to replace those
invalid values with valid ones (for example because the input buffer is too
small, or because the second malloc() failed), then the next call to
session_free() is going to call free() on invalid pointers.

This bug is fixed in this commit by always setting the pointers to NULL right
after they've been read from the serialised state, so that the invalid values
can never be used.

(An alternative would be to NULL-ify them when writing, which was rejected
mostly because we need to do it when reading anyway (as the consequences of
free(invalid) are too severe to take any risk), so doing it when writing as
well is redundant and a waste of code size.)

Also, while thinking about what happens in case of errors, it became apparent
to me that it was bad practice to leave the session structure in an
half-initialised state and rely on the caller to call session_free(), so this
commit also ensures we always clear the structure when loading failed.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 32ce596c35 Improve save API by always updating olen
This allows callers to discover what an appropriate size is. Otherwise they'd
have to either try repeatedly, or allocate an overly large buffer (or some
combination of those).

Adapt documentation an example usage in ssl_client2.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 37a5324c74 Add mbedtls_ssl_get_session_pointer()
Avoid useless copy with mbedtls_ssl_get_session() before serialising.

Used in ssl_client2 for testing and demonstrating usage, but unfortunately
that means mbedtls_ssl_get_session() is no longer tested, which will be fixed
in the next commit.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard ef4ae611e4 Add support for serialisation session with ticket
On client side, this is required for the main use case where of serialising a
session for later resumption, in case tickets are used.

On server side, this doesn't change much as ticket_len will always be 0.

This unblocks testing the functions by using them in ssl_client2, which will
be done in the next commit.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 91f4ca2ed1 Move session save/load function to ssl_tls.c
This finishes making these functions public. Next step is to get them tested,
but there's currently a blocker for that, see next commit (and the commit
after it for tests).
2019-06-03 09:51:08 +02:00
Hanno Becker 9582a47460 Re-generate library/certs.c from script 2019-05-30 10:58:12 +01:00
Hanno Becker bc12242f4f Use strict syntax to annotate origin of test data in certs.c
This allows to auto-generate them from scripts.
2019-05-30 10:58:12 +01:00
Hanno Becker 7b34f0ff69 Allow DHM self test to run without MBEDTLS_PEM_PARSE_C 2019-05-30 10:58:12 +01:00
Hanno Becker 72309d0847 Document origin of hardcoded certificates in library/certs.c
All of them are copied from (former) CRT and key files in `tests/data_files`.
For files which have been regenerated since they've been copied to `certs.c`,
update the copy.

Add declarations for DER encoded test CRTs to certs.h

Add DER encoded versions of CRTs to certs.c

fix comment in certs.c

Don't use (signed) char for DER encoded certificates

Consistently use `const char *` for test CRTs regardless of encoding

Remove non-sensical and unused PW variable for DER encoded key

Provide test CRTs in PEM and DER fmt, + pick suitable per config

This commit modifies `certs.h` and `certs.c` to start following the
following pattern for the provided test certificates and files:

- Raw test data is named `NAME_ATTR1_ATTR2_..._ATTRn`

  For example, there are
     `TEST_CA_CRT_{RSA|EC}_{PEM|DER}_{SHA1|SHA256}`.

- Derived test data with fewer attributes, iteratively defined as one
  of the raw test data instances which suits the current configuration.

  For example,
     `TEST_CA_CRT_RSA_PEM`
  is one of `TEST_CA_CRT_RSA_PEM_SHA1` or `TEST_CA_CRT_RSA_PEM_SHA256`,
  depending on whether SHA-1 and/or SHA-256 are defined in the current
  config.

Add missing public declaration of test key password

Fix signedness and naming mismatches

Further improve structure of certs.h and certs.c

Fix definition of mbedtls_test_cas test CRTs depending on config

Remove semicolon after macro string constant in certs.c
2019-05-30 10:27:49 +01:00
Simon Butcher 0d1d76f987 Merge remote-tracking branch 'origin/pr/561' into baremetal 2019-05-29 15:09:24 +01:00
Simon Butcher d5e1bfc6b4 Merge remote-tracking branch 'origin/pr/569' into baremetal 2019-05-24 15:07:10 +01:00
Simon Butcher 0edb924e16 Merge remote-tracking branch 'origin/pr/565' into baremetal 2019-05-24 15:06:56 +01:00
Simon Butcher 5a790f9214 Merge remote-tracking branch 'origin/pr/563' into baremetal 2019-05-24 15:06:16 +01:00
Hanno Becker 675c4d6d35 Add debug line witnessing receipt of unexpected CID 2019-05-24 10:11:06 +01:00
Hanno Becker d8f7c4aa59 Fix indentation in debug message in ssl_tls.c 2019-05-23 17:03:44 +01:00
Hanno Becker 3b2bf5b214 Improve comment in ssl_parse_record_header() 2019-05-23 17:03:19 +01:00
Hanno Becker 633d604837 Allow passing NULL pointers to mbedtls_ssl_get_peer_cid()
This commit modifies mbedtls_ssl_get_peer_cid() to also allow passing
NULL pointers in the arguments for the peer's CID value and length, in
case this information is needed.

For example, some users might only be interested in whether the use of
the CID was negotiated, in which case both CID value and length pointers
can be set to NULL. Other users might only be interested in confirming
that the use of CID was negotiated and the peer chose the empty CID,
in which case the CID value pointer only would be set to NULL.
It doesn't make sense to pass a NULL pointer for the CID length but a
non-NULL pointer for the CID value, as the caller has no way of telling
the length of the returned CID - and this case is therefore forbidden.
2019-05-22 16:50:35 +01:00
Hanno Becker a5a2b08a05 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-05-20 15:35:36 +01:00
Hanno Becker 3cdf8fe50b Consistently reference CID draft through name + URL 2019-05-20 15:32:36 +01:00
Hanno Becker e582d12264 Slightly reorder CID debug messages during creation of transforms 2019-05-20 15:32:36 +01:00
Hanno Becker 75b334f33a Update references to CID draft to version 5 2019-05-20 15:32:36 +01:00
Hanno Becker 791ec6bff2 Fix mbedtls_ssl_conf_cid() to not depend on macro constant values
The previous implementation of mbedtls_ssl_conf_cid() relied on
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE being defined as 1.
2019-05-20 15:32:36 +01:00
Hanno Becker b86c2a8c5d Remove warnings about unfinished CID implementation
The implementation is complete now.
2019-05-20 15:32:36 +01:00
Hanno Becker e8eff9a517 Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow the configuration of the stack's behaviour when receiving an
encrypted DTLS record with unexpected CID.
2019-05-20 15:32:36 +01:00
Hanno Becker 7c3cdb62de Add specific SSL error code for unexpected CIDs
Currently, the stack silently ignores DTLS frames with an unexpected CID.
However, in a system which performs CID-based demultiplexing before passing
datagrams to the Mbed TLS stack, unexpected CIDs are a sign of something not
working properly, and users might want to know about it.

This commit introduces an SSL error code MBEDTLS_ERR_SSL_UNEXPECTED_CID
which the stack can return in response to an unexpected CID. It will
conditionally be put to use in subsequent commits.
2019-05-20 15:32:36 +01:00
Hanno Becker 7842609e3b Remove restriction on value of MBEDTLS_SSL_CID_PADDING_GRANULARITY 2019-05-20 15:32:36 +01:00
Hanno Becker 7ba3568318 Make signed to unsigned integer truncation cast explicit 2019-05-20 15:32:36 +01:00
Hanno Becker 550e1662c7 Allow the configuration of padding when using CID extension 2019-05-20 15:32:36 +01:00
Hanno Becker 9bf10ea25d Set CID pointer to default value even for TLS
There are two options:
1. Don't set it, and don't use it during record protection,
   guarding the respective paths by a check whether TLS or
   DTLS is used.
2. Set it to the default value even for TLS, and avoid the
   protocol-dependent branch during record protection.

This commit picks option 2.
2019-05-20 15:32:36 +01:00
Hanno Becker f65ad82eba Fix typo in comment 2019-05-20 15:32:36 +01:00
Hanno Becker 043a2a4869 Remove indicators and warnings about unfinished CID implementation 2019-05-20 15:32:36 +01:00
Hanno Becker 4932f9f229 Re-enable passing CIDs to record transforms 2019-05-20 15:32:36 +01:00
Hanno Becker 687e0fb568 Don't fail on record with unexpected CID
This commit changes the stack's behaviour when facing a record
with a non-matching CID. Previously, the stack failed in this
case, while now we silently skip over the current record.
2019-05-20 15:32:36 +01:00
Hanno Becker abd7c89923 Re-enable CID comparison when decrypting CID-based records 2019-05-20 15:32:36 +01:00
Hanno Becker 8b09b73cb1 Implement parsing of CID-based records
Previously, ssl_get_next_record() would fetch 13 Bytes for the
record header and hand over to ssl_parse_record_header() to parse
and validate these. With the introduction of CID-based records, the
record length is not known in advance, and parsing and validating
must happen at the same time. ssl_parse_record_header() is therefore
rewritten in the following way:
1. Fetch and validate record content type and version.
2. If the record content type indicates a record including a CID,
   adjust the record header pointers accordingly; here, we use the
   statically configured length of incoming CIDs, avoiding any
   elaborate CID parsing mechanism or dependency on the record
   epoch, as explained in the previous commit.
3. Fetch the rest of the record header (note: this doesn't actually
   fetch anything, but makes sure that the datagram fetched in the
   earlier call to ssl_fetch_input() contains enough data).
4. Parse and validate the rest of the record header as before.
2019-05-20 15:32:36 +01:00
Hanno Becker ff3e9c2d0d Adapt record encryption/decryption routines to change of record type
This commit modifies the code surrounding the invocations of
ssl_decrypt_buf() and ssl_encrypt_buf() to deal with a change
of record content type during CID-based record encryption/decryption.
2019-05-20 15:32:36 +01:00
Hanno Becker 70e7928d76 Add pointers to in/out CID fields to mbedtls_ssl_context
mbedtls_ssl_context contains pointers in_buf, in_hdr, in_len, ...
which point to various parts of the header of an incoming TLS or
DTLS record; similarly, there are pointers out_buf, ... for
outgoing records.

This commit adds fields in_cid and out_cid which point to where
the CID of incoming/outgoing records should reside, if present,
namely prior to where the record length resides.

Quoting https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:

   The DTLSInnerPlaintext value is then encrypted and the CID added to
   produce the final DTLSCiphertext.

        struct {
            ContentType special_type = tls12_cid; /* 25 */
            ProtocolVersion version;
            uint16 epoch;
            uint48 sequence_number;
            opaque cid[cid_length];               // New field
            uint16 length;
            opaque enc_content[DTLSCiphertext.length];
        } DTLSCiphertext;

For outgoing records, out_cid is set in ssl_update_out_pointers()
based on the settings in the current outgoing transform.

For incoming records, ssl_update_in_pointers() sets in_cid as if no
CID was present, and it is the responsibility of ssl_parse_record_header()
to update the field (as well as in_len, in_msg and in_iv) when parsing
records that do contain a CID. This will be done in a subsequent commit.

Finally, the code around the invocations of ssl_decrypt_buf()
and ssl_encrypt_buf() is adapted to transfer the CID from the
input/output buffer to the CID field in the internal record
structure (which is what ssl_{encrypt/decrypt}_buf() uses).

Note that mbedtls_ssl_in_hdr_len() doesn't need change because
it infers the header length as in_iv - in_hdr, which will account
for the CID for records using such.
2019-05-20 15:32:36 +01:00
Hanno Becker add0190059 Account for additional record expansion when using CIDs
Using the Connection ID extension increases the maximum record expansion
because
- the real record content type is added to the plaintext
- the plaintext may be padded with an arbitrary number of
  zero bytes, in order to prevent leakage of information
  through package length analysis. Currently, we always
  pad the plaintext in a minimal way so that its length
  is a multiple of 16 Bytes.

This commit adapts the various parts of the library to account
for that additional source of record expansion.
2019-05-20 15:32:36 +01:00
Hanno Becker eec2be9c9f Add CID configuration API
Context:
The CID draft does not require that the length of CIDs used for incoming
records must not change in the course of a connection. Since the record
header does not contain a length field for the CID, this means that if
CIDs of varying lengths are used, the CID length must be inferred from
other aspects of the record header (such as the epoch) and/or by means
outside of the protocol, e.g. by coding its length in the CID itself.

Inferring the CID length from the record's epoch is theoretically possible
in DTLS 1.2, but it requires the information about the epoch to be present
even if the epoch is no longer used: That's because one should silently drop
records from old epochs, but not the entire datagrams to which they belong
(there might be entire flights in a single datagram, including a change of
epoch); however, in order to do so, one needs to parse the record's content
length, the position of which is only known once the CID length for the epoch
is known. In conclusion, it puts a significant burden on the implementation
to infer the CID length from the record epoch, which moreover mangles record
processing with the high-level logic of the protocol (determining which epochs
are in use in which flights, when they are changed, etc. -- this would normally
determine when we drop epochs).

Moreover, with DTLS 1.3, CIDs are no longer uniquely associated to epochs,
but every epoch may use a set of CIDs of varying lengths -- in that case,
it's even theoretically impossible to do record header parsing based on
the epoch configuration only.

We must therefore seek a way for standalone record header parsing, which
means that we must either (a) fix the CID lengths for incoming records,
or (b) allow the application-code to configure a callback to implement
an application-specific CID parsing which would somehow infer the length
of the CID from the CID itself.

Supporting multiple lengths for incoming CIDs significantly increases
complexity while, on the other hand, the restriction to a fixed CID length
for incoming CIDs (which the application controls - in contrast to the
lengths of the CIDs used when writing messages to the peer) doesn't
appear to severely limit the usefulness of the CID extension.

Therefore, the initial implementation of the CID feature will require
a fixed length for incoming CIDs, which is what this commit enforces,
in the following way:

In order to avoid a change of API in case support for variable lengths
CIDs shall be added at some point, we keep mbedtls_ssl_set_cid(), which
includes a CID length parameter, but add a new API mbedtls_ssl_conf_cid_len()
which applies to an SSL configuration, and which fixes the CID length that
any call to mbetls_ssl_set_cid() which applies to an SSL context that is bound
to the given SSL configuration must use.

While this creates a slight redundancy of parameters, it allows to
potentially add an API like mbedtls_ssl_conf_cid_len_cb() later which
could allow users to register a callback which dynamically infers the
length of a CID at record header parsing time, without changing the
rest of the API.
2019-05-20 15:32:36 +01:00
Hanno Becker 4339576208 Split mbedtls_ssl_hdr_len() in separate functions for in/out records
The function mbedtls_ssl_hdr_len() returns the length of the record
header (so far: always 13 Bytes for DTLS, and always 5 Bytes for TLS).

With the introduction of the CID extension, the lengths of record
headers depends on whether the records are incoming or outgoing,
and also on the current transform.

Preparing for this, this commit splits mbedtls_ssl_hdr_len() in two
-- so far unmodified -- functions mbedtls_ssl_in_hdr_len() and
mbedtls_ssl_out_hdr_len() and replaces the uses of mbedtls_ssl_hdr_len()
according to whether they are about incoming or outgoing records.

There is no need to change the signature of mbedtls_ssl_{in/out}_hdr_len()
in preparation for its dependency on the currently active transform,
since the SSL context is passed as an argument, and the currently
active transform is referenced from that.
2019-05-20 15:32:36 +01:00
Hanno Becker 46483f11bf Add helper function to check validity of record content type
With the introduction of the CID feature, the stack needs to be able
to handle a change of record content type during record protection,
which in particular means that the record content type check will
need to move or be duplicated.

This commit introduces a tiny static helper function which checks
the validity of record content types, which hopefully makes it
easier to subsequently move or duplicate this check.
2019-05-20 15:32:36 +01:00
Hanno Becker 74dd3a70d8 Move dropping of unexpected AD records to after record decryption
With the introduction of the CID extension, the record content type
may change during decryption; we must therefore re-consider every
record content type check that happens before decryption, and either
move or duplicate it to ensure it also applies to records whose
real content type is only revealed during decryption.

This commit does this for the silent dropping of unexpected
ApplicationData records in DTLS. Previously, this was caught
in ssl_parse_record_header(), returning
MBEDTLS_ERR_SSL_UNEXPECTED_RECORD which in ssl_get_next_record()
would lead to silent skipping of the record.

When using CID, this check wouldn't trigger e.g. when delayed
encrypted ApplicationData records come on a CID-based connection
during a renegotiation.

This commit moves the check to mbedtls_ssl_handle_message_type()
and returns MBEDTLS_ERR_SSL_NON_FATAL if it triggers, which leads
so silent skipover in the caller mbedtls_ssl_read_record().
2019-05-20 15:32:36 +01:00
Hanno Becker f5970a0945 Set pointer to start of plaintext at record decryption time
The SSL context structure mbedtls_ssl_context contains several pointers
ssl->in_hdr, ssl->in_len, ssl->in_iv, ssl->in_msg pointing to various
parts of the record header in an incoming record, and they are setup
in the static function ssl_update_in_pointers() based on the _expected_
transform for the next incoming record.
In particular, the pointer ssl->in_msg is set to where the record plaintext
should reside after record decryption, and an assertion double-checks this
after each call to ssl_decrypt_buf().

This commit removes the dependency of ssl_update_in_pointers() on the
expected incoming transform by setting ssl->in_msg to ssl->in_iv --
the beginning of the record content (potentially including the IV) --
and adjusting ssl->in_msg after calling ssl_decrypt_buf() on a protected
record.

Care has to be taken to not load ssl->in_msg before calling
mbedtls_ssl_read_record(), then, which was previously the
case in ssl_parse_server_hello(); the commit fixes that.
2019-05-20 15:32:36 +01:00
Hanno Becker 16e9ae2f95 Treat an invalid record after decryption as fatal
If a record exhibits an invalid feature only after successful
authenticated decryption, this is a protocol violation by the
peer and should hence lead to connection failure. The previous
code, however, would silently ignore such records. This commit
fixes this.

So far, the only case to which this applies is the non-acceptance
of empty non-AD records in TLS 1.2. With the present commit, such
records lead to connection failure, while previously, they were
silently ignored.

With the introduction of the Connection ID extension (or TLS 1.3),
this will also apply to records whose real content type -- which
is only revealed during authenticated decryption -- is invalid.
2019-05-20 15:32:36 +01:00
Hanno Becker 70463dbb2d Expain rationale for handling of consecutive empty AD records 2019-05-20 15:32:36 +01:00
Hanno Becker 78c430269b Don't allow calling CID API outside of DTLS 2019-05-20 15:32:36 +01:00
Hanno Becker 1f02f05f2e Fix additional data calculation if CID is disabled
In contrast to other aspects of the Connection ID extension,
the CID-based additional data for MAC computations differs from
the non-CID case even if the CID length is 0, because it
includes the CID length.
2019-05-20 15:17:05 +01:00
Hanno Becker 3b1a88506b Remove unnecessary empty line in ssl_tls.c 2019-05-20 15:10:50 +01:00
Hanno Becker 7dc2577f01 Don't quote DTLSInnerPlaintext structure multiple times 2019-05-20 15:08:01 +01:00
Hanno Becker 8969369a83 Improve wording in ssl_build_inner_plaintext() 2019-05-20 15:06:12 +01:00
Hanno Becker 24ce1eba66 Remove unnecessary whitespace in ssl_extract_add_data_from_record() 2019-05-20 15:01:46 +01:00
Hanno Becker 28a0c4e149 Reduce stack usage for additional data buffers in record dec/enc 2019-05-20 14:56:03 +01:00
Hanno Becker acadb0a8c9 Add length of CID to additional data used for record protection
Quoting the CID draft 04:

   -  Block Ciphers:

       MAC(MAC_write_key, seq_num +
           tls12_cid +                     // New input
           DTLSPlaintext.version +
           cid +                           // New input
           cid_length +                    // New input
           length_of_DTLSInnerPlaintext +  // New input
           DTLSInnerPlaintext.content +    // New input
           DTLSInnerPlaintext.real_type +  // New input
           DTLSInnerPlaintext.zeros        // New input
       )

And similar for AEAD and Encrypt-then-MAC.
2019-05-20 14:55:59 +01:00
Hanno Becker 99abf51056 Improve documentation of ssl_extract_add_data_from_record() 2019-05-20 14:55:30 +01:00
Manuel Pégourié-Gonnard 9c5bcc9220 Use more specific name in debug message for testing
While 'session hash' is currently unique, so suitable to prove that the
intended code path has been taken, it's a generic enough phrase that in the
future we might add other debug messages containing it in completely unrelated
code paths. In order to future-proof the accuracy of the test, let's use a
more specific string.
2019-05-20 12:09:50 +02:00
Manuel Pégourié-Gonnard 762d011ece Fix alignment issues 2019-05-20 10:27:20 +02:00
Manuel Pégourié-Gonnard 42c814fdc1 Clarify comment about TLS versions
The previous comment used "TLS" as a shortcut for "TLS 1.0/1.1" which was
confusing. This partially reflected the names of the calc_verify/finished that
go ssl, tls (for 1.0/1.1) tls_shaxxx (for 1.2), but still it's clearer to be
explicit in the comment - and perhaps in the long term the function names
could be clarified instead.
2019-05-20 10:12:43 +02:00
Manuel Pégourié-Gonnard 5478e1e5ed Remove redundant debug message.
Two consecutive messages (ie no branch between them) at the same level are not
needed, so only keep the one that has the most information.
2019-05-20 10:07:29 +02:00
Hanno Becker 505089d944 Fix missing compile-time guards around CID-only constants 2019-05-17 10:23:47 +01:00
Hanno Becker 4c6fe12db8 Remove TODO 2019-05-17 10:23:47 +01:00
Hanno Becker 2e7cd5aa4c Use MBEDTLS_ namespace for internal CID length constant 2019-05-17 10:23:47 +01:00
Hanno Becker d91dc3767f Skip copying CIDs to SSL transforms until CID feature is complete
This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
2019-05-17 10:23:47 +01:00
Hanno Becker 92c930f7c4 Implement inner plaintext parsing/writing for CID-based connections 2019-05-17 10:23:47 +01:00
Hanno Becker e83efe6d79 Incorporate CID into MAC computations during record protection
This commit modifies ssl_decrypt_buf() and ssl_encrypt_buf()
to include the CID into authentication data during record
protection.

It does not yet implement the new DTLSInnerPlaintext format
from https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04
2019-05-17 10:23:47 +01:00
Hanno Becker 8013b27481 Replace 'ingoing' -> 'incoming' in CID debug messages 2019-05-17 10:20:41 +01:00
Hanno Becker cb063f5a5b Document behaviour of mbedtls_ssl_get_peer_cid() for empty CIDs 2019-05-17 10:20:41 +01:00
Hanno Becker f885d3bba2 Improve structure of client-side CID extension parsing
Group configuring CID values together.
2019-05-17 10:20:41 +01:00
Hanno Becker 8f68f87382 Improve debugging output of client-side CID extension parsing 2019-05-17 10:20:41 +01:00
Hanno Becker 19976b5345 Improve structure of ssl_parse_cid_ext()
Group configuring CID values together.
2019-05-17 10:20:41 +01:00
Hanno Becker 31f1668d3c Correct compile-time guard around CID extension writing func on srv 2019-05-17 10:20:41 +01:00
Hanno Becker b4a5606e2d Make integer truncation explicit in mbedtls_ssl_set_cid() 2019-05-17 10:20:41 +01:00
Hanno Becker 2de89fae8f Implement mbedtls_ssl_get_peer_cid() 2019-05-17 10:20:41 +01:00
Hanno Becker dd0afca3f6 Copy CIDs into SSL transform if use of CID has been negotiated 2019-05-17 10:20:41 +01:00
Hanno Becker 1ba81f62a6 Implement parsing of CID extension in ServerHello 2019-05-17 10:20:41 +01:00
Hanno Becker 072d4eca2e Implement writing of CID extension in ServerHello 2019-05-17 10:20:41 +01:00
Hanno Becker c403b264e8 Implement parsing of CID extension in ClientHello 2019-05-17 10:20:41 +01:00
Hanno Becker 39ec525e4f Implement writing of CID extension in ClientHello 2019-05-17 10:20:41 +01:00
Hanno Becker 0748986178 Allow configuring own CID fields through mbedtls_ssl_get_peer_cid() 2019-05-17 10:20:41 +01:00
Hanno Becker fce6f836ba Merge branch 'mbedtls-2.16' into baremetal 2019-05-17 10:06:02 +01:00
Manuel Pégourié-Gonnard 84ef8bde68 Remove 'session' input from populate_tranform()
When using this function to deserialize, it's not a problem to have a session
structure as input as we'll have one around anyway (most probably freshly
deserialised).

However for tests it's convenient to be able to build a transform without
having a session structure around.

Also, removing this structure from parameters makes the function signature
more uniform, the only exception left being the ssl param at the end that's
hard to avoid for now.
2019-05-10 10:50:04 +02:00
Manuel Pégourié-Gonnard cf31216ace Fix typo in comment 2019-05-10 10:25:00 +02:00
Simon Butcher 724a695534 Merge remote-tracking branch 'origin/pr/562' into baremetal 2019-05-09 17:11:38 +01:00
Simon Butcher e372d5fb8f Merge remote-tracking branch 'origin/pr/558' into baremetal 2019-05-09 17:03:18 +01:00
Simon Butcher 999ac174cc Merge remote-tracking branch 'origin/pr/566' into baremetal 2019-05-09 16:59:02 +01:00
Manuel Pégourié-Gonnard afdc1b5cbd Consistently use the name tinycrypt over uecc
We called in tinycrypt in the file names, but uecc in config.h, all.sh and
other places, which could be confusing. Just use tinycrypt everywhere because
that's the name of the project and repo where we took the files.

The changes were made using the following commands (with GNU sed and zsh):

sed -i 's/uecc/tinycrypt/g' **/*.[ch] tests/scripts/all.sh
sed -i 's/MBEDTLS_USE_UECC/MBEDTLS_USE_TINYCRYPT/g' **/*.[ch] tests/scripts/all.sh scripts/config.pl
2019-05-09 11:24:11 +02:00
Manuel Pégourié-Gonnard 86e48c213c Enforce promise to not use whole ssl context
Configs with no DEBUG_C are use for example in test-ref-configs.pl, which also
runs parts of compat.sh or ssl-opt.sh on them, so the added 'ssl = NULL'
statements will be exercised in those tests at least.
2019-05-07 10:32:19 +02:00
Manuel Pégourié-Gonnard 1d10a98f56 Partially rm 'ssl' input from populate_transform() 2019-05-07 10:31:53 +02:00
Manuel Pégourié-Gonnard 0bcfbc3e04 Remove "handshake" input from populate_transform() 2019-05-07 09:59:41 +02:00
Manuel Pégourié-Gonnard 12a3f445b6 Start refining parameters of populate_transform()
Parameters 'handshake' and 'ssl' will be replaced with more fine-grained
inputs in follow-up commits.
2019-05-07 09:59:41 +02:00
Manuel Pégourié-Gonnard a1abb26094 Move compress_buf allocation to derive_keys 2019-05-07 09:59:41 +02:00
Manuel Pégourié-Gonnard 707728dfca Move handling of randbytes to derive_keys() 2019-05-07 09:59:41 +02:00
Manuel Pégourié-Gonnard bcf258e077 Remove duplicated branch in ssl_compute_master() 2019-05-07 09:59:40 +02:00
Manuel Pégourié-Gonnard a575975280 Make calc_verify() return the length as well
Simplifies ssl_compute_hash(), but unfortunately not so much the other uses.
2019-05-07 09:59:32 +02:00
Manuel Pégourié-Gonnard ed3b7a9492 Constify ssl_context param of calc_verify() 2019-05-03 10:00:45 +02:00
Manuel Pégourié-Gonnard c28c8895e5 Improve signature of ssl_compute_master()
Make it more explicit what's used. Unfortunately, we still need ssl as a
parameter for debugging, and because calc_verify wants it as a parameter (for
all TLS versions except SSL3 it would actually only need handshake, but SSL3
also accesses session_negotiate).

It's also because of calc_verify that we can't make it const yet, but see next
commit.
2019-05-03 10:00:45 +02:00
Manuel Pégourié-Gonnard dafe5227d4 Reduce indentation in ssl_compute_master()
Exit earlier when there's noting to do.

For a small diff, review with 'git show -w'.
2019-05-03 10:00:44 +02:00
Manuel Pégourié-Gonnard 7edd5876ce Start extracting ssl_compute_master()
For now just moving code around, not changing indentation. Calling convention
and signature are going to be adjusted in upcoming commits.
2019-05-03 10:00:44 +02:00
Manuel Pégourié-Gonnard aa3c701193 Fix signature of ssl_set_transform_prfs() 2019-05-03 10:00:44 +02:00
Manuel Pégourié-Gonnard 52aa520c96 Start extraction ssl_set_handshake_prfs()
For now just moving code around, will improve signature in the next commit.
2019-04-30 11:54:22 +02:00
Manuel Pégourié-Gonnard 5ed5e90ec4 Start splitting populate_transform() out of derive_keys()
This is currently a dummy, just introducing the new name.
2019-04-30 11:41:40 +02:00
Hanno Becker 08885813c3 Fix uninitialized variable access in debug output of record enc/dec 2019-04-29 12:21:31 +02:00
Hanno Becker c5aee96855 Adapt record length value after encryption 2019-04-29 12:19:07 +02:00
Hanno Becker 30d02cdeb0 Rename ssl_decrypt_buf() to mbedtls_ssl_decrypt_buf() in comment 2019-04-29 12:18:38 +02:00
Hanno Becker 93012fe8e8 Double check that record expansion is as expected during decryption 2019-04-29 12:17:58 +02:00
Hanno Becker a795323cd5 Move debugging output after record decryption
The debugging call printing the decrypted record payload happened
before updating ssl->in_msglen.
2019-04-29 12:17:51 +02:00
Hanno Becker 611a83b571 Add tests for record encryption/decryption
This commit adds tests exercising mutually inverse pairs of
record encryption and decryption transformations for the various
transformation types allowed in TLS: Stream, CBC, and AEAD.
2019-04-29 12:15:21 +02:00
Hanno Becker 92231325a7 Reduce size of ssl_transform if no MAC ciphersuite is enabled
The hash contexts `ssl_transform->md_ctx_{enc/dec}` are not used if
only AEAD ciphersuites are enabled. This commit removes them from the
`ssl_transform` struct in this case, saving a few bytes.
2019-04-29 12:15:05 +02:00
Hanno Becker f122944b7d Remove code from ssl_derive_keys if relevant modes are not enabled
This commit guards code specific to AEAD, CBC and stream cipher modes
in `ssl_derive_keys` by the respective configuration flags, analogous
to the guards that are already in place in the record decryption and
encryption functions `ssl_decrypt_buf` resp. `ssl_decrypt_buf`.
2019-04-29 12:14:51 +02:00
Hanno Becker 4c6876b134 Provide standalone version of ssl_decrypt_buf
Analogous to the previous commit, but concerning the record decryption
routine `ssl_decrypt_buf`.

An important change regards the checking of CBC padding:
Prior to this commit, the CBC padding check always read 256 bytes at
the end of the internal record buffer, almost always going past the
boundaries of the record under consideration. In order to stay within
the bounds of the given record, this commit changes this behavior by
always reading the last min(256, plaintext_len) bytes of the record
plaintext buffer and taking into consideration the last `padlen` of
these for the padding check. With this change, the memory access
pattern and runtime of the padding check is entirely determined by
the size of the encrypted record, in particular not giving away
any information on the validity of the padding.

The following depicts the different behaviors:

1) Previous CBC padding check

1.a) Claimed padding length <= plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

                                +------------------------------------...
                                |  read for padding check            ...
                                +------------------------------------...
                                                |
                                                 contents discarded
                                                 from here

1.b) Claimed padding length > plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer              | PL |
  +----------------------------------------+----+
                                           +-------------------------...
                                           |  read for padding check ...
                                           +-------------------------...
                                                |
                                                 contents discarded
                                                 from here

2) New CBC padding check

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

        +---------------------------------------+
        |        read for padding check         |
        +---------------------------------------+
                                |
                                 contents discarded
                                 until here
2019-04-29 12:13:25 +02:00
Hanno Becker 3307b53413 Provide standalone version of ssl_encrypt_buf
The previous version of the record encryption function
`ssl_encrypt_buf` takes the entire SSL context as an argument,
while intuitively, it should only depend on the current security
parameters and the record buffer.

Analyzing the exact dependencies, it turned out that in addition
to the currently active `ssl_transform` instance and the record
information, the encryption function needs access to
- the negotiated protocol version, and
- the status of the encrypt-then-MAC extension.

This commit moves these two fields into `ssl_transform` and
changes the signature of `ssl_encrypt_buf` to only use an instance
of `ssl_transform` and an instance of the new `ssl_record` type.
The `ssl_context` instance is *solely* kept for the debugging macros
which need an SSL context instance.

The benefit of the change is twofold:
1) It avoids the need of the MPS to deal with instances of
   `ssl_context`. The MPS should only work with records and
   opaque security parameters, which is what the change in
   this commit makes progress towards.
2) It significantly eases testing of the encryption function:
   independent of any SSL context, the encryption function can
   be passed some record buffer to encrypt alongside some arbitrary
   choice of parameters, and e.g. be checked to not overflow the
   provided memory.
2019-04-29 10:58:15 +02:00
Hanno Becker 5cc04d5ae7 Correct space needed for MAC in case of NULL cipher
The macro constant `MBEDTLS_SSL_MAC_ADD` defined in `ssl_internal.h`
defines an upper bound for the amount of space needed for the record
authentication tag. Its definition distinguishes between the
presence of an ARC4 or CBC ciphersuite suite, in which case the maximum
size of an enabled SHA digest is used; otherwise, `MBEDTLS_SSL_MAC_ADD`
is set to 16 to accomodate AEAD authentication tags.

This assignment has a flaw in the situation where confidentiality is
not needed and the NULL cipher is in use. In this case, the
authentication tag also uses a SHA digest, but the definition of
`MBEDTLS_SSL_MAC_ADD` doesn't guarantee enough space.

The present commit fixes this by distinguishing between the presence
of *some* ciphersuite using a MAC, including those using a NULL cipher.
For that, the previously internal macro `SSL_SOME_MODES_USE_MAC` from
`ssl_tls.c` is renamed and moved to the public macro
`MBEDTLS_SOME_MODES_USE_MAC` defined in `ssl_internal.h`.
2019-04-29 10:36:09 +02:00
Hanno Becker 8759e16242 Remove ciphersuite_info from ssl_transform
Prior to this commit, the security parameter struct `ssl_transform`
contained a `ciphersuite_info` field pointing to the information
structure for the negotiated ciphersuite. However, the only
information extracted from that structure that was used in the core
encryption and decryption functions `ssl_encrypt_buf`/`ssl_decrypt_buf`
was the authentication tag length in case of an AEAD cipher.

The present commit removes the `ciphersuite_info` field from the
`ssl_transform` structure and adds an explicit `taglen` field
for AEAD authentication tag length.

This is in accordance with the principle that the `ssl_transform`
structure should contain the raw parameters needed for the record
encryption and decryption functions to work, but not the higher-level
information that gave rise to them. For example, the `ssl_transform`
structure implicitly contains the encryption/decryption keys within
their cipher contexts, but it doesn't contain the SSL master or
premaster secrets. Likewise, it contains an explicit `maclen`, while
the status of the 'Truncated HMAC' extension -- which  determines the
value of `maclen` when the `ssl_transform` structure is created in
`ssl_derive_keys` -- is not contained in `ssl_transform`.

The `ciphersuite_info` pointer was used in other places outside
the encryption/decryption functions during the handshake, and for
these functions to work, this commit adds a `ciphersuite_info` pointer
field to the handshake-local `ssl_handshake_params` structure.
2019-04-29 10:36:01 +02:00
Hanno Becker e7f2df03a3 Remove key length field from ssl_transform
The `ssl_transform` security parameter structure contains opaque
cipher contexts for use by the record encryption/decryption functions
`ssl_decrypt_buf`/`ssl_encrypt_buf`, while the underlying key material
is configured once in `ssl_derive_keys` and is not explicitly dealt with
anymore afterwards. In particular, the key length is not needed
explicitly by the encryption/decryption functions but is nonetheless
stored in an explicit yet superfluous `keylen` field in `ssl_transform`.
This commit removes this field.
2019-04-29 09:32:08 +02:00
Jarno Lamsa 6fe99be972 Fix check-generated-files after creating a flag 2019-04-25 13:54:32 +03:00
Jarno Lamsa 6f519a3b22 Fix typo in CMakeLists.txt 2019-04-25 13:51:54 +03:00
Jarno Lamsa 337dad98f6 Tinycrypt support for makefile builds 2019-04-25 11:00:41 +03:00
Jarno Lamsa 79e3b946db Add CMake support for uecc 2019-04-24 16:17:10 +03:00
Hanno Becker 9306f1c65d Add more missing parentheses around macro parameters 2019-04-24 10:52:53 +02:00
Hanno Becker 3ac21aca9b Add further missing brackets around macro parameters 2019-04-24 10:52:45 +02:00
Hanno Becker d6028a1894 Improve macro hygiene
This commit improves hygiene and formatting of macro definitions
throughout the library. Specifically:
- It adds brackets around parameters to avoid unintended
  interpretation of arguments, e.g. due to operator precedence.
- It adds uses of the `do { ... } while( 0 )` idiom for macros that
  can be used as commands.
2019-04-24 10:51:54 +02:00
Hanno Becker ba8cd67467 Guard CID implementations by MBEDTLS_SSL_CID 2019-04-23 12:31:42 +01:00
Hanno Becker 8d0893d0b0 Add warnings about status of implementation of CID API 2019-04-23 12:01:20 +01:00
Hanno Becker b9e7dea082 Add dummy implementations for CID API 2019-04-09 18:26:59 +01:00
Hanno Becker 2c54db5e66 Update version_features.c 2019-04-09 18:26:59 +01:00
Jaeden Amero 77027354f4 Merge remote-tracking branch 'origin/pr/2503' into mbedtls-2.16
* origin/pr/2503:
  Fix ChangeLog entry ordering
  Fix typo
  Add non-regression test for buffer overflow
  Improve documentation of mbedtls_mpi_write_string()
  Adapt ChangeLog
  Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
2019-04-05 14:10:02 +01:00
Jaeden Amero 749c944664 Merge remote-tracking branch 'origin/pr/2514' into mbedtls-2.16
* origin/pr/2514:
  x509.c: Fix potential memory leak in X.509 self test
2019-04-05 13:48:45 +01:00
Jaeden Amero 186c2c054d Merge remote-tracking branch 'restricted/pr/553' into mbedtls-2.16
* restricted/pr/553:
  Fix mbedtls_ecdh_get_params with new ECDH context
  Add changelog entry for mbedtls_ecdh_get_params robustness
  Fix ecdh_get_params with mismatching group
  Add test case for ecdh_get_params with mismatching group
  Add test case for ecdh_calc_secret
  Fix typo in documentation
2019-03-27 14:54:00 +00:00
Jaeden Amero f2357f8903 Merge remote-tracking branch 'origin/pr/2526' into mbedtls-2.16
* origin/pr/2526:
  Update library version to 2.16.1
2019-03-26 15:27:56 +00:00
Jaeden Amero 9f4f8eec93 Update library version to 2.16.1 2019-03-19 16:20:02 +00:00
Junhwan Park 60ee28b36b x509.c: Fix potential memory leak in X.509 self test
Found and fixed by Junhwan Park in #2106.

Signed-off-by: Junhwan Park <semoking@naver.com>
2019-03-11 15:19:05 +02:00
Janos Follath 870ed0008a Fix typo 2019-03-06 13:51:30 +00:00
Hanno Becker c1fa6cdab6 Improve documentation of mbedtls_mpi_write_string() 2019-03-06 13:51:19 +00:00
Hanno Becker af97cae27d Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
This can only occur for negative numbers. Fixes #2404.
2019-03-06 13:50:54 +00:00
Jaeden Amero b0abd1c84f Merge remote-tracking branch 'origin/pr/2388' into mbedtls-2.16
* origin/pr/2388:
  Update change log
  all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1
  Fix DEADCODE in mbedtls_mpi_exp_mod()
2019-03-05 16:34:40 +00:00
Jaeden Amero 203123b5b7 Merge remote-tracking branch 'origin/pr/1818' into mbedtls-2.16
* origin/pr/1818:
  Move ChangeLog entry from Bugfix to Changes section
  Adapt ChangeLog
  Return from debugging functions if SSL context is unset
2019-03-05 16:28:18 +00:00
Jaeden Amero daed232dd7 Merge remote-tracking branch 'origin/pr/2436' into mbedtls-2.16
* origin/pr/2436:
  Use certificates from data_files and refer them
  Specify server certificate to use in SHA-1 test
  refactor CA and SRV certificates into separate blocks
  refactor SHA-1 certificate defintions and assignment
  refactor server SHA-1 certificate definition into a new block
  define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME
  server SHA-256 certificate now follows the same logic as CA SHA-256 certificate
  add entry to ChangeLog
2019-03-05 16:26:34 +00:00
Simon Butcher 799cd57c72 Merge remote-tracking branch 'restricted/pr/550' into mbedtls-2.16
* restricted/pr/550:
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
2019-03-01 13:05:43 +00:00
Andres Amaya Garcia 5d8aade01d Reduce priority of 3DES ciphersuites 2019-03-01 10:29:13 +01:00
Gilles Peskine 05fcf4f3c5 Fix mbedtls_ecdh_get_params with new ECDH context
The new check for matching groups in mbedtls_ecdh_get_params only worked
with legacy ECDH contexts. Make it work with the new context format.
2019-02-22 12:51:51 +01:00
Gilles Peskine b47045a18e Fix ecdh_get_params with mismatching group
If mbedtls_ecdh_get_params is called with keys belonging to
different groups, make it return an error the second time, rather than
silently interpret the first key as being on the second curve.

This makes the non-regression test added by the previous commit pass.
2019-02-22 10:24:31 +01:00
Antonin Décimo d5f4759594 Fix #2370, minor typos and spelling mistakes 2019-02-18 14:50:57 +00:00
Ron Eldor e900969cb5 Use certificates from data_files and refer them
Use the server certificate from `data_files` folder, for formality,
and refer to the source, for easier reproduction.
2019-02-12 17:10:29 +02:00
ILUXONCHIK a51f4c737b refactor CA and SRV certificates into separate blocks 2019-02-12 17:10:28 +02:00
ILUXONCHIK ecc6c13655 refactor SHA-1 certificate defintions and assignment
As per refactoring suggestion that I made in #1520.
2019-02-12 17:10:28 +02:00
ILUXONCHIK 5f97b32b63 refactor server SHA-1 certificate definition into a new block 2019-02-12 17:10:28 +02:00
ILUXONCHIK c3d1f546c3 define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME 2019-02-12 17:10:28 +02:00
ILUXONCHIK 761f37616e server SHA-256 certificate now follows the same logic as CA SHA-256 certificate 2019-02-12 17:10:28 +02:00
Andres Amaya Garcia d60e378016 Fix ASN1 bitstring writing
Refactor the function mbedtls_asn1_write_bitstring() that removes
trailing 0s at the end of DER encoded bitstrings. The function is
implemented according to Hanno Becker's suggestions.

This commit also changes the functions x509write_crt_set_ns_cert_type
and crt_set_key_usage to call the new function as the use named
bitstrings instead of the regular bitstrings.
2019-02-11 21:13:33 +00:00
Peter Kolbus b83d41d828 Fix DEADCODE in mbedtls_mpi_exp_mod()
In mbedtls_mpi_exp_mod(), the limit check on wsize is never true when
MBEDTLS_MPI_WINDOW_SIZE is at least 6. Wrap in a preprocessor guard
to remove the dead code and resolve a Coverity finding from the
DEADCODE checker.

Change-Id: Ice7739031a9e8249283a04de11150565b613ae89
2019-02-05 16:44:03 +01:00
Jaeden Amero 6f76795bf5 Merge remote-tracking branch 'origin/pr/2346' into mbedtls-2.16 2019-01-30 17:35:02 +00:00
Jaeden Amero 9fc7af017a Merge remote-tracking branch 'origin/pr/2040' into mbedtls-2.16 2019-01-30 16:17:22 +00:00
Jaeden Amero 462dfc5068 Merge remote-tracking branch 'origin/pr/2332' into mbedtls-2.16 2019-01-30 15:52:26 +00:00
Jaeden Amero 4002ada9f3 Merge remote-tracking branch 'origin/pr/2214' into mbedtls-2.16 2019-01-30 15:03:02 +00:00
Jaeden Amero d81c57fc80 Merge remote-tracking branch 'origin/pr/2347' into mbedtls-2.16 2019-01-30 15:02:04 +00:00
Hanno Becker d6ddcd660f Avoid MSVC compiler warning
MSVC warns about use of unary `-` operator on unsigned integers.
2019-01-10 09:23:48 +00:00
Ron Eldor a04efb8b89 Return error code of underlying function.
Return the error code if failed, instead of returning value `1`.
If not failed, return the call of the underlying function,
in `mbedtls_ecdsa_genkey()`.
2019-01-10 10:52:08 +02:00
Gilles Peskine 5fa32a7a7a Use CMAKE_BUILD_TYPE to do Asan builds
Use `cmake -D CMAKE_BUILD_TYPE=Asan` rather than manually setting
`-fsanitize=address`. This lets cmake determine the necessary compiler
and linker flags.

With UNSAFE_BUILD on, force -Wno-error. This is necessary to build
with MBEDTLS_TEST_NULL_ENTROPY.
2019-01-09 22:35:57 +01:00
Hanno Becker 0e810b9648 Don't call memcpy with NULL pointer in mbedtls_mpi_read_binary()
mbedtls_mpi_read_binary() calls memcpy() with the source pointer being
the source pointer passed to mbedtls_mpi_read_binary(), the latter may
be NULL if the buffer length is 0 (and this happens e.g. in the ECJPAKE
test suite). The behavior of memcpy(), in contrast, is undefined when
called with NULL source buffer, even if the length of the copy operation
is 0.

This commit fixes this by explicitly checking that the source pointer is
not NULL before calling memcpy(), and skipping the call otherwise.
2019-01-03 17:13:11 +00:00
Hanno Becker 9f6d16ad79 Fix preprocessor macro existence check in bignum.c 2019-01-02 17:15:06 +00:00
Hanno Becker 6dab6200c6 Fix typo after rebase 2019-01-02 16:42:29 +00:00
Hanno Becker 5d91c0bbee Add missing macro existence check in byte swapping code in bignum.c 2019-01-02 11:38:14 +00:00
Hanno Becker f872007782 Optimize mpi_bigendian_to_host() for speed and size
Use GCC / Clang builtins for byte swapping.
2019-01-02 11:38:14 +00:00
Hanno Becker 2be8a55f72 Change signature of mpi_bigendian_to_host() to reflect usage 2019-01-02 11:37:25 +00:00
Hanno Becker da1655a48e Remove temporary stack-buffer from mbedtls_mpi_fill_random()
Context: The function `mbedtls_mpi_fill_random()` uses a temporary stack
buffer to hold the random data before reading it into the target MPI.

Problem: This is inefficient both computationally and memory-wise.
Memory-wise, it may lead to a stack overflow on constrained devices with
limited stack.

Fix: This commit introduces the following changes to get rid of the
temporary stack buffer entirely:

1. It modifies the call to the PRNG to output the random data directly
   into the target MPI's data buffer.

This alone, however, constitutes a change of observable behaviour:
The previous implementation guaranteed to interpret the bytes emitted by
the PRNG in a big-endian fashion, while rerouting the PRNG output into the
target MPI's limb array leads to an interpretation that depends on the
endianness of the host machine.
As a remedy, the following change is applied, too:

2. Reorder the bytes emitted from the PRNG within the target MPI's
   data buffer to ensure big-endian semantics.

Luckily, the byte reordering was already implemented as part of
`mbedtls_mpi_read_binary()`, so:

3. Extract bigendian-to-host byte reordering from
   `mbedtls_mpi_read_binary()` to a separate internal function
   `mpi_bigendian_to_host()` to be used by `mbedtls_mpi_read_binary()`
   and `mbedtls_mpi_fill_random()`.
2019-01-02 11:37:25 +00:00
Simon Butcher 6c164e754b Update the version of the library to 2.16.0 2018-12-21 10:51:51 +00:00
Simon Butcher b6cdf980bc Merge remote-tracking branch 'public/pr/1721' into development-restricted 2018-12-20 12:37:13 +00:00
Simon Butcher ad7c2105a2 Merge remote-tracking branch 'public/pr/2274' into development 2018-12-20 12:16:57 +00:00
Simon Butcher 12b4240300 Merge remote-tracking branch 'public/pr/2288' into development 2018-12-20 12:16:46 +00:00
Simon Butcher c831193c85 Merge remote-tracking branch 'public/pr/2302' into development 2018-12-20 12:16:39 +00:00
Simon Butcher 1efda39f8a Merge remote-tracking branch 'public/pr/2297' into development 2018-12-20 12:16:29 +00:00
Simon Butcher 5aa7809ac8 Merge remote-tracking branch 'public/pr/2275' into development 2018-12-20 12:15:19 +00:00
Simon Butcher 780cf189b0 Merge remote-tracking branch 'public/pr/2271' into development 2018-12-20 12:15:08 +00:00
Simon Butcher 032c037052 Merge remote-tracking branch 'public/pr/2270' into development 2018-12-20 12:04:13 +00:00
Simon Butcher a033633bb0 Merge remote-tracking branch 'public/pr/2269' into development 2018-12-20 12:02:56 +00:00
Simon Butcher 70935a4001 Merge remote-tracking branch 'public/pr/2299' into development 2018-12-20 12:02:23 +00:00
Simon Butcher 003c0e032f Merge remote-tracking branch 'public/pr/2292' into development 2018-12-20 12:02:17 +00:00
Simon Butcher decf2f5c2c Merge remote-tracking branch 'public/pr/2291' into development 2018-12-20 12:02:11 +00:00
Simon Butcher 65ce5dc981 Merge remote-tracking branch 'public/pr/2290' into development 2018-12-20 12:02:05 +00:00
Simon Butcher ad2e0dae32 Merge remote-tracking branch 'public/pr/2283' into development 2018-12-20 12:01:58 +00:00
Simon Butcher 0bbf7f450d Merge remote-tracking branch 'public/pr/2279' into development 2018-12-20 12:01:49 +00:00
Simon Butcher 962b7b17d5 Merge remote-tracking branch 'public/pr/2273' into development 2018-12-20 12:01:17 +00:00
Simon Butcher 6be67a6518 Merge remote-tracking branch 'public/pr/2281' into development 2018-12-20 12:01:09 +00:00
Simon Butcher dac513e246 Merge remote-tracking branch 'public/pr/2282' into development 2018-12-20 12:01:04 +00:00
Simon Butcher ccafd14fee Merge remote-tracking branch 'public/pr/2276' into development 2018-12-20 12:00:57 +00:00
Simon Butcher 2a8d32c6c1 Merge remote-tracking branch 'public/pr/2287' into development 2018-12-20 12:00:50 +00:00
Manuel Pégourié-Gonnard 01d4b76b7e Remove faulty cipher_finish calls from nist_kw
The calls to cipher_finish didn't actually do anything:
- the cipher mode is always ECB
- in that case cipher_finish() only sets *olen to zero, and returns either 0
  or an error depending on whether there was pending data
- olen is a local variable in the caller, so setting it to zero right before
  returning is not essential
- the return value of cipher_finis() was not checked by the caller so that's
  not useful either
- the cipher layer does not have ALT implementations so the behaviour
  described above is unconditional on ALT implementations (in particular,
cipher_finish() can't be useful to hardware as (with ECB) it doesn't call any
functions from lower-level modules that could release resources for example)

Since the calls are causing issues with parameter validation, and were no
serving any functional purpose, it's simpler to just remove them.
2018-12-20 12:15:40 +01:00
Hanno Becker 2f6de42622 Move SHA256_VALIDATE[_RET] outside of MBEDTLS_SHA256_ALT guard
Somehow, mbedtls_sha256_ret() is defined even if MBEDTLS_SHA256_ALT
is set, and it is using SHA256_VALIDATE_RET. The documentation should
be enhanced to indicate that MBEDTLS_SHA256_ALT does _not_ replace
the entire module, but only the core SHA-256 functions.
2018-12-20 10:24:29 +00:00
Hanno Becker c756049dc3 Move SHA512_VALIDATE[_RET] outside of MBEDTLS_SHA512_ALT guard
Somehow, mbedtls_sha512_ret() is defined even if MBEDTLS_SHA512_ALT
is set, and it is using SHA512_VALIDATE_RET. The documentation should
be enhanced to indicate that MBEDTLS_SHA512_ALT does _not_ replace
the entire module, but only the core SHA-512 functions.
2018-12-20 10:24:00 +00:00
Hanno Becker b3c70230d2 Move SHA1_VALIDATE[_RET] outside of MBEDTLS_SHA1_ALT guard
Somehow, mbedtls_sha1_ret() is defined even if MBEDTLS_SHA1_ALT
is set, and it is using SHA1_VALIDATE_RET. The documentation should
be enhanced to indicate that MBEDTLS_SHA1_ALT does _not_ replace
the entire module, but only the core SHA-1 functions.
2018-12-20 10:18:05 +00:00
k-stachowiak 6adb0574ea Improve details of CCM parameter validation and documentation 2018-12-19 19:02:39 +01:00
k-stachowiak f712534801 Add missing validation code in CCM 2018-12-19 19:02:39 +01:00
k-stachowiak ff8a0989c8 Allow empty arguments in some CCM functions' parameter validation 2018-12-19 19:02:39 +01:00
k-stachowiak fd42d531ba Explicitly allow NULL as an argument to mbedtls_ccm_free() 2018-12-19 19:02:39 +01:00
k-stachowiak 26d365eb54 Add parameter validation for CCM 2018-12-19 19:02:39 +01:00
Gilles Peskine 6af45ec53e PK: document context validity requirements
Document when a context must be initialized or not, when it must be
set up or not, and whether it needs a private key or a public key will
do.

The implementation is sometimes more liberal than the documentation,
accepting a non-set-up context as a context that can't perform the
requested information. This preserves backward compatibility.
2018-12-19 18:10:03 +01:00
Hanno Becker f25ee7f79d Fix parameter validation for mbedtls_mpi_lsb()
The MPI_VALIDATE_RET() macro cannot be used for parameter
validation of mbedtls_mpi_lsb() because this function returns
a size_t.

Use the underlying MBEDTLS_INTERNAL_VALIDATE_RET() insteaed,
returning 0 on failure.

Also, add a test for this behaviour.
2018-12-19 16:51:50 +00:00
Gilles Peskine 8c71b3ecb3 pk_parse*keyfile: explicitly validate path=NULL
Don't rely on the check in pk_load_file, that's fragile.
2018-12-19 17:37:02 +01:00
k-stachowiak 516897a44a Remove unnecessary parameter validation from the Cipher module 2018-12-19 17:34:58 +01:00
k-stachowiak 1a9df6bcb7 Improve style in the Cipher module 2018-12-19 17:34:58 +01:00
k-stachowiak 95070a8286 Make some cipher parameter validation unconditional 2018-12-19 17:34:58 +01:00
k-stachowiak c29d94c7bf Account for optional NULL buffer arguments in the Cipher module 2018-12-19 17:34:13 +01:00
k-stachowiak a539070f82 Make all parameter validation tests optional 2018-12-19 17:34:13 +01:00
Krzysztof Stachowiak e0215d7869 Add Cipher module parameter validation 2018-12-19 17:34:13 +01:00
k-stachowiak 21298a20c4 Improve parameter validation in mbedtls_gcm_free() 2018-12-19 17:32:19 +01:00
k-stachowiak 8ffc92a1e8 Add parameter validation for the GCM module 2018-12-19 17:30:38 +01:00
Hanno Becker 8ce11a323e Minor improvements to bignum module 2018-12-19 16:18:52 +00:00
Gilles Peskine ee3cfec3cc PK sign/verify: hash=NULL is ok if md_alg=0 and hash_len=0 2018-12-19 17:11:44 +01:00
Gilles Peskine 159171b72a PK parse/write: support keylen=0 correctly
A 0-length buffer for the key is a legitimate edge case. Ensure that
it works, even with buf=NULL. Document the key and keylen parameters.

There are already test cases for parsing an empty buffer. A subsequent
commit will add tests for writing to an empty buffer.
2018-12-19 17:03:28 +01:00
Hanno Becker 70ded3602c Minor improvements to Camellia module and documentation 2018-12-19 13:42:05 +00:00
Gilles Peskine 1f19fa6f62 PK: Fix free(NULL) in library and tests
free() functions are documented as no-ops on NULL. Implement and test
this correctly.
2018-12-19 14:18:39 +01:00
Hanno Becker 541aa69de4 Implement parameter validation for Blowfish module 2018-12-19 12:52:59 +00:00
Hanno Becker b54ae0bc0d Implement parameter validation for ARIA module 2018-12-19 12:51:00 +00:00
Hanno Becker ff62f44ad7 Remove duplicated parameter check in CAMELLIA module 2018-12-19 12:47:55 +00:00
Hanno Becker b4b7fb7504 Implement parameter validation for CAMELLIA module 2018-12-19 12:47:55 +00:00
Hanno Becker 9994e0d7cf Regenerate errors.c 2018-12-19 09:55:40 +00:00
Hanno Becker d8e4f4a764 Regenerate errors.c 2018-12-19 09:54:55 +00:00
Hanno Becker 859522a31c Regenerate errors.c 2018-12-19 09:54:14 +00:00
Hanno Becker 185e516309 Minor fixes to ECJPAKE parameter validation 2018-12-19 09:48:50 +00:00
Hanno Becker b7a04a7851 Fix mbedtls_ecp_curve_info_from_name() for NULL input 2018-12-19 08:52:05 +00:00
Hanno Becker 80f71689ee Add parameter validation to mbedtls_ecp_restart_init() 2018-12-19 08:51:52 +00:00
Simon Butcher 54b789aa74 Merge remote-tracking branch 'public/pr/2298' into development 2018-12-19 08:08:14 +00:00
Gilles Peskine e97dc60b42 Implement parameter validation in pk, pkparse and pkwrite
Add checks for null pointers under MBEDTLS_CHECK_PARAMS.

In functions that perform operations with a context, only check if the
context pointer is non-null under MBEDTLS_CHECK_PARAMS. In the default
configuration, unconditionally dereference the context pointer.

In functions that query a context, support NULL as a
pointer-to-context argument, and return the same value as for a
context which has been initialized but not set up.
2018-12-19 00:55:36 +01:00
Hanno Becker c81cfece8f Minor fixes to parameter validation in ECDH module 2018-12-18 23:32:42 +00:00
Hanno Becker a7634e8347 Fix wrong invocation of parameter validation macro in ECDH module 2018-12-18 18:45:00 +00:00
Hanno Becker 54c91dd235 Remove double semicolon from bignum.c 2018-12-18 18:12:13 +00:00
Hanno Becker 73d7d79bc1 Implement parameter validation for MPI module 2018-12-18 18:12:13 +00:00
Hanno Becker 38e15d49f3 Don't declare MBEDTLS-namespace identifiers in sha512.c 2018-12-18 17:54:00 +00:00
Hanno Becker 8d215e7130 Don't define MBEDTLS-namespace macros in sha256.c 2018-12-18 17:53:21 +00:00
Hanno Becker 039ccab243 Don't declare MBEDTLS-namespace macros in sha1.c 2018-12-18 17:52:14 +00:00
Hanno Becker 2f660d047d Forbid passing NULL input buffers to RSA encryption routines 2018-12-18 17:07:30 +00:00
Hanno Becker adc9b178ca Minor improvements to DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker 5c14ed6f86 Implement parameter validation for DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker ca6f4585c7 Fix parameter validation in SHA-512 module 2018-12-18 16:36:26 +00:00
Hanno Becker 596e014a06 Add validation is is224 argument in mbedtls_sha256_starts_ret() 2018-12-18 16:31:06 +00:00
Hanno Becker 230b4f4159 Fix definition of MBEDTLS_SHA256_VALIDATE[_RET] in sha256.c 2018-12-18 16:31:06 +00:00
Hanno Becker 236ea16c01 Fix wrong conditional in free() functions 2018-12-18 15:30:30 +00:00
Hanno Becker e463c42902 Minor improvements 2018-12-18 15:30:30 +00:00
Hanno Becker 305e4e4f32 Implement parameter validation for ChaCha/Poly modules 2018-12-18 15:30:30 +00:00
Andres Amaya Garcia 863d483965 Add MBEDTLS_ERR_SHA512_BAD_INPUT_DATA to error.{h,c} 2018-12-18 15:06:39 +00:00
Andres Amaya Garcia ba519b94a5 Add parameter validation to SHA-512 module 2018-12-18 15:06:39 +00:00
Hanno Becker b86e684ed4 Move/remove param validation in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
- The validity of the input and output parameters is checked by
  parameter validation.
- A PRNG is required in public mode only (even though it's also
  recommended in private mode), so move the check to the
  corresponding branch.
2018-12-18 14:46:04 +00:00
Hanno Becker 319ae11ab3 Implement parameter validation in ECDSA module 2018-12-18 14:31:50 +00:00
Hanno Becker 71c8e1b8d8 Implement parameter validation in ECJPAKE module 2018-12-18 14:31:18 +00:00
Hanno Becker 91796d7471 Implement parameter validation in ECDH module 2018-12-18 14:30:39 +00:00
Hanno Becker ddeeed7d1b Implement parameter validation for RSA module 2018-12-18 13:38:05 +00:00
Hanno Becker 4f8e8e5805 Implement parameter validation for ECP module 2018-12-18 13:00:48 +00:00
Andres Amaya Garcia 9e76c0e77f Add MBEDTLS_ERR_SHA256_BAD_INPUT_DATA to error.{h,c} 2018-12-18 11:41:20 +00:00
Andres Amaya Garcia 79e593f617 Add parameter validation to SHA-256 module 2018-12-18 11:41:20 +00:00
Hanno Becker b3906d8829 Minor fixes to implementation of SHA1 parameter validation 2018-12-18 11:37:28 +00:00
Andres Amaya Garcia a685d4f28d Add MBEDTLS_ERR_SHA1_BAD_INPUT_DATA to error.{h,c} 2018-12-18 11:37:28 +00:00
Andres Amaya Garcia f7c43b3145 Add parameter validation to SHA-1 2018-12-18 11:37:28 +00:00
Manuel Pégourié-Gonnard e55e103bfe Fix off-by-one in iv_off check and add tests 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 5b89c09273 Add check for iv_off in AES-CFB128 and AES-OFB
The check is mandatory as skipping it results in buffer overread of arbitrary
size.
2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 998a358529 Make a check more explicit in aes.c
The check was already done later when calling ECB, (as evidenced by the tests
passing, which have a call with data_unit set to NULL), but it's more readable
to have it here too, and more helpful when debugging.
2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard eb6d3968b1 Fix some whitespace issues in aes.c 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 2bc535be86 Add parameter validation for AES-CTR 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 8e41eb7187 Add parameter validation for AES-OFB 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 1677cca54b Add parameter validation for AES-CFB functions 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 191af1313a Add param validation for mbedtls_aes_crypt_xts() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 3178d1a997 Add param validation for mbedtls_aes_crypt_cbc() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 1aca260571 Add parameter validation for mbedtls_aes_crypt_ecb() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard 68e3dff3f1 Add parameter validation XTS setkey functions 2018-12-18 12:22:40 +01:00
Hanno Becker 6640b0d9a3 Undo deprecation of MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH 2018-12-18 09:53:14 +00:00
Hanno Becker a034369eca Undo deprecation of MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH 2018-12-18 09:53:11 +00:00
Hanno Becker 938f9e9bdb Undo deprecation of MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
Merging MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH and
MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH is an API break.
2018-12-18 09:50:57 +00:00
Hanno Becker 3214215b1e Update errors.c 2018-12-17 13:26:42 +00:00
Hanno Becker d2f3a00062 Introduce single BLOWFISH error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
* MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
2018-12-17 13:26:37 +00:00
Hanno Becker 4c029d09be Introduce single CAMELLIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:33 +00:00
Hanno Becker 2f47550018 Introduce single ARIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:28 +00:00
Manuel Pégourié-Gonnard e451be5d04 Update version_features.c 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard 44c5d58d05 Document AES functions and fix free() functions 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard 0e9cddbf1a Introduce generic validation macros
Avoid duplicating source code for each module.
2018-12-11 12:28:56 +01:00
Simon Butcher 4c37db6d87 Remove the library provided function of MBEDTLS_PARAM_FAILED
The function called through the macro MBEDTLS_PARAM_FAILED() must be supplied by
users and makes no sense as a library function, apart from debug and test.
2018-12-11 12:28:56 +01:00
Simon Butcher 5201e414aa Add optional parameter validation to the AES module
This adds additional and optional parameter validation to the AES module that
can be used by enabling the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Simon Butcher b4868034dd Add initial options and support for parameter validation
This function adds the additional config.h option of MBEDTLS_CHECK_PARAMS which
allows additional validation of parameters passed to the library.
2018-12-11 12:28:56 +01:00
Jaeden Amero 01b34fb316 Merge remote-tracking branch 'upstream-public/pr/2267' into development 2018-12-07 16:17:12 +00:00
Jaeden Amero 52ed0b9030 Merge remote-tracking branch 'upstream-public/pr/2101' into development 2018-12-07 16:15:31 +00:00
Janos Follath 683c582530 Clarify alternative ECP calling conventions
Function calls to alternative implementations have to follow certain
rules in order to preserve correct functionality. To avoid accidentally
breaking these rules we state them explicitly in the ECP module for
ourselves and every contributor to see.
2018-12-07 13:13:30 +00:00
Janos Follath af6f2694a4 Fix ECC hardware double initialization
We initialized the ECC hardware before calling
mbedtls_ecp_mul_shortcuts(). This in turn calls
mbedtls_ecp_mul_restartable(), which initializes and frees the hardware
too. This issue has been introduced by recent changes and caused some
accelerators to hang.

We move the initialization after the mbedtle_ecp_mul_shortcuts() calls
to avoid double initialization.
2018-12-07 11:03:47 +00:00
Jaeden Amero e1b1a2c979 Merge remote-tracking branch 'upstream-public/pr/2181' into development 2018-12-06 16:11:49 +00:00
Jaeden Amero 5b46fe774b Merge remote-tracking branch 'upstream-public/pr/2157' into development 2018-12-06 16:06:57 +00:00
Jaeden Amero bc1cf5cd36 Merge remote-tracking branch 'upstream-public/pr/2131' into development 2018-12-06 16:04:55 +00:00
Jaeden Amero a04617ec18 Merge remote-tracking branch 'upstream-public/pr/2125' into development 2018-12-06 16:02:31 +00:00
Jaeden Amero c27e3420b9 Merge remote-tracking branch 'upstream-public/pr/2117' into development 2018-12-06 15:59:32 +00:00
Jaeden Amero 41722ec29e Merge remote-tracking branch 'upstream-public/pr/1958' into development 2018-12-06 15:53:56 +00:00
Janos Follath 3fbdadad7b SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work
with the new context, where we can't make any assumption about the
implementation of the context.

This commit makes use of the new functions to avoid accessing ECDH
members directly. The only members that are still accessed directly are
the group ID and the point format and they are independent from the
implementation.
2018-12-06 12:22:46 +00:00
Janos Follath 948f4bedcc Debug: Add functions for ECDH contexts
The SSL module accesses ECDH context members directly to print debug
information. This can't work with the new context, where we can't make
assumptions about the implementation of the context. This commit adds
new debug functions to complete the encapsulation of the ECDH context
and work around the problem.
2018-12-06 12:22:46 +00:00
Janos Follath 5a3e1bfda0 ECDH: Make the implementation use the new context
The functionality from public API functions are moved to
`xxx_internal()` functions. The public API functions are modified to do
basic parameter validation and dispatch the call to the right
implementation.

There is no intended change in behaviour when
`MBEDTLS_ECDH_LEGACY_CONTEXT` is enabled.
2018-12-06 12:22:18 +00:00
Janos Follath f61e486179 ECDH: Add mbedtls_ecdh_setup()
In the future we want to support alternative ECDH implementations. We
can't make assumptions about the structure of the context they might
use, and therefore shouldn't access the members of
`mbedtls_ecdh_context`.

Currently the lifecycle of the context can't be done without direct
manipulation. This commit adds `mbedtls_ecdh_setup()` to complete
covering the context lifecycle with functions.
2018-11-30 14:09:57 +00:00
Janos Follath 89ac8c9266 ECP: Add mbedtls_ecp_tls_read_group_id()
`mbedtls_ecp_tls_read_group()` both parses the group ID and loads the
group into the structure provided. We want to support alternative
implementations of ECDH in the future and for that we need to parse the
group ID without populating an `mbedtls_ecp_group` structure (because
alternative implementations might not use that).

This commit moves the part that parses the group ID to a new function.
There is no need to test the new function directly, because the tests
for `mbedtls_ecp_tls_read_group()` are already implicitly testing it.

There is no intended change in behaviour in this commit.
2018-11-30 14:09:57 +00:00
Simon Butcher 51b8a2fa87 Merge remote-tracking branch 'restricted/pr/512' into development 2018-11-29 16:56:02 +00:00
Simon Butcher b9eb7866eb Merge remote-tracking branch 'restricted/pr/535' into development 2018-11-29 16:54:51 +00:00
Simon Butcher 658618b6b2 Merge remote-tracking branch 'restricted/pr/516' into development 2018-11-29 16:53:51 +00:00
Ron Eldor a16fa297f7 Refactor mpi_write_hlp to not be recursive
Refactor `mpi_write_hlp()` to not be recursive, to fix stack overflows.
Iterate over the `mbedtls_mpi` division of the radix requested,
until it is zero. Each iteration, put the residue in the next LSB
of the output buffer. Fixes #2190
2018-11-27 10:34:36 +02:00
Gilles Peskine 8220466297 Streamline mbedtls_xxx_drbg_update_seed_file
Refactor mbedtls_ctr_drbg_update_seed_file and
mbedtls_hmac_drbg_update_seed_file to make the error logic clearer.

The new code does not use fseek, so it works with non-seekable files.
2018-11-26 19:26:22 +01:00
Gilles Peskine b7f71c8bc1 HMAC_DRBG: report all errors from HMAC functions
Make sure that any error from mbedtls_md_hmac_xxx is propagated.
2018-11-26 19:26:22 +01:00
Gilles Peskine e0e9c573ad HMAC_DRBG: deprecate mbedtls_hmac_drbg_update because it ignores errors
Deprecate mbedtls_hmac_drbg_update (which returns void) in favor of a
new function mbedtls_hmac_drbg_update_ret which reports error.
2018-11-26 19:26:21 +01:00
Gilles Peskine d919993b76 CTR_DRBG: deprecate mbedtls_ctr_drbg_update because it ignores errors
Deprecate mbedtls_ctr_drbg_update (which returns void) in favor of a
new function mbedtls_ctr_drbg_update_ret which reports error.
2018-11-26 19:26:00 +01:00
Gilles Peskine afa803775a HMAC_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine d9aa84dc0d CTR_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine 11cdb0559e mbedtls_mpi_write_binary: don't leak the exact size of the number
In mbedtls_mpi_write_binary, avoid leaking the size of the number
through timing or branches, if possible. More precisely, if the number
fits in the output buffer based on its allocated size, the new code's
trace doesn't depend on the value of the number.
2018-11-20 17:09:27 +01:00
Simon Butcher c1b9892177 Update library version number to 2.14.0 2018-11-19 18:31:40 +00:00
Simon Butcher de13963d66 Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed 2018-11-12 14:30:16 +00:00
Simon Butcher cdd1a6c872 Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed 2018-11-12 14:29:14 +00:00
Simon Butcher e51d4b336b Merge remote-tracking branch 'public/pr/2054' into development-proposed 2018-11-09 19:57:53 +00:00
Ron Eldor 9924bdc792 Deprecate hardware acceleration errors
Deprecate the module-specific XXX_HW_ACCEL_FAILED and
XXX_FEATURE_UNAVAILABLE errors, as alternative implementations should now
return `MBEDTLS_ERR_PLATFORM_HW_FAILED` and
`MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED`.
2018-11-09 15:01:07 +00:00
Ron Eldor bcca58c6cd Add common feature unavailable error
Add a common error for the feature unavailable, in the
platform module.
2018-11-09 13:57:37 +00:00
Simon Butcher d83448b736 Merge remote-tracking branch 'public/pr/2052' into development-restricted-proposed 2018-11-07 12:59:14 +00:00
Simon Butcher 53b45ec881 Merge remote-tracking branch 'public/pr/2079' into development-restricted-proposed 2018-11-07 12:58:44 +00:00
Simon Butcher bbc31b4827 Merge remote-tracking branch 'public/pr/2085' into development-restricted-proposed 2018-11-07 12:57:38 +00:00
Simon Butcher 93a9b497e0 Merge remote-tracking branch 'public/pr/2077' into development-restricted-proposed 2018-11-07 12:57:24 +00:00
Simon Butcher 241823aab8 Merge remote-tracking branch 'public/pr/1641' into development-restricted-proposed 2018-11-07 12:55:47 +00:00
Simon Butcher 42ab4ae033 Merge remote-tracking branch 'public/pr/2167' into development-restricted-proposed 2018-11-07 12:54:45 +00:00
Hanno Becker f6d6e30820 Fix incomplete assertion in ssl_write_handshake_msg()
ssl_write_handshake_msg() includes the assertion that
`ssl->handshake != NULL` when handling a record which is
(a) a handshake message, and NOT
(b) a HelloRequest.
However, it later calls `ssl_append_flight()` for any
record different from a HelloRequest handshake record,
that is, records satisfying !(a) || !(b), instead of
(a) && !(b) as covered by the assertion (specifically,
CCS or Alert records).

Since `ssl_append_flight()` assumes that `ssl->handshake != NULL`,
this rightfully triggers static analyzer warnings.

This commit expands the scope of the assertion to check
that `ssl->handshake != NULL` for any record which is not
a HelloRequest.
2018-11-07 11:57:51 +00:00
Simon Butcher 51b6abbbf2 Merge remote-tracking branch 'public/pr/2165' into development-proposed 2018-11-06 22:55:14 +00:00
Hanno Becker 9772da8792 Add missing bracket
Wasn't spotted earlier because it's guarded by `! HAVE_GETRANDOM`.
2018-11-06 13:12:47 +00:00
Ron Eldor 2981d8f161 Change to positive flow for all cases
Use the `rs_ctx` only when `MBEDTLS_ECP_RESTARTABLE` is defined.
2018-11-05 18:08:46 +02:00
Ron Eldor 93ace0199b Revert positive flow check
Revert changes for checking whether `MBEDTLS_ECP_RESTARTABLE`
is defined, since it broke the CI. The context is used whether the
restartable feature is defined or not.
2018-11-05 17:50:07 +02:00
Ron Eldor b430d9f262 Change to positive checks
1. Checge to check for `MBEDTLS_ECP_RESTARTABLE` for all definitions
of `rs_ctx`.
2. Remove checks for `_ALT` when using `rs_ctx` as they cannot coexist
with the Restartable configuration.
2018-11-05 17:18:29 +02:00
Ron Eldor 19779c4739 Some style and documentation fixes
1. Change description of of hte `MBEDTLS_ECP_RESTARTABLE`
in the configuration file.
2. Change check for compilation of `rs_ctx` to positive flow.
2018-11-05 16:58:13 +02:00
Ron Eldor 5ed8c1eded Avoid using restartable and alternative ECP imp.
1. Add a check that MBEDTLS_ECP_RESTARTABLE is not defined
   along any EC* alternative implementation.
2. Add a closing comment foran `#endif`.
2018-11-05 14:04:26 +02:00
Hanno Becker b75ffb5061 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-05 11:54:06 +00:00
Hanno Becker 1f8527f1cf Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-05 11:54:06 +00:00
Simon Butcher 06f88e9c42 Merge remote-tracking branch 'public/pr/2007' into development-proposed 2018-11-04 19:12:57 +00:00
Simon Butcher 76646a4bac Merge remote-tracking branch 'public/pr/1777' into development-proposed 2018-11-04 18:51:36 +00:00
Simon Butcher 2705beaeef Merge remote-tracking branch 'public/pr/2095' into development-proposed 2018-11-04 18:48:04 +00:00
Hanno Becker 710f203541 Merge branch 'iotssl-1770' into development_thomas_dee 2018-11-02 10:52:49 +00:00
Hanno Becker cec1c2685f Break overly long line in library/x509_create.c 2018-11-02 10:52:38 +00:00
Hanno Becker ee334a3a5c Remove Doxygen tags from documentation of private structure 2018-11-02 10:52:38 +00:00
Hanno Becker beffcd8d4a Update hardcoded certificates in library/certs.c
library/certs.c provides some hardcoded certificates that
are used e.g. by the test applications ssl_server2, ssl_client2
in case no certificates are provided on the command line.

The certificates used are from the tests/data_files folder
and have been updated in the latest commits. This commit
updates their copies in certs.c. It also adds comments
indicating the files from which the data is taken, in
order to ease update in the future.
2018-11-02 10:52:38 +00:00
Hanno Becker 6e1adee42b Regenerate test files
Previous commits have added or modified build instructions for
server1*, server2*, server5*, test-ca*, cli-rsa* in the Makefile
tests/data_files/Makefile, or the apps they invoke have been changed.

This commit regenerates those files to make sure they are in match with
the build instructions.
2018-11-02 10:52:38 +00:00
Hanno Becker cb93813e04 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-02 10:49:09 +00:00
Hanno Becker 0f6903d84c Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-02 10:49:08 +00:00
Ron Eldor 2b161c33be Fix compilation issue
Fix compilation error when both `MBEDTLS_ECP_RESTARTABLE` and the
alternative definition of ECDH function are defined.
2018-11-01 16:18:20 +02:00
Ron Eldor 936d284f4d Minor fixes
1. Fix unused symbols compilation warnings.
2. Add comments for the closing `endif`.
2018-11-01 13:05:52 +02:00
Ron Eldor 8493f80e65 conditionaly compile ECDH and ECDSA alt functions
Return the condition compilation flags surrounding
`mbedtls_ecdh_compute_shared()`, `mbedtls_ecdh_gen_public()`,
`mbedtls_ecdsa_sign()` and `mbedtls_ecdsa_verify()` that were accidentally
removed in a previous merge.
Resolves #2163
2018-11-01 11:32:15 +02:00
Krzysztof Stachowiak c388a8c394 Fix typo in a test condition code 2018-10-31 16:49:20 +01:00
Simon Butcher 7904f94550 Merge remote-tracking branch 'public/pr/1099' into development-proposed 2018-10-28 18:10:37 +00:00
Simon Butcher 17a0fab345 Merge remote-tracking branch 'public/pr/2111' into development-proposed 2018-10-28 16:22:18 +00:00
Simon Butcher a07d86e8af Merge remote-tracking branch 'public/pr/1902' into development 2018-10-27 18:36:55 +01:00
Simon Butcher ef263ebcd7 Merge remote-tracking branch 'public/pr/1993' into development 2018-10-27 18:36:28 +01:00
Hanno Becker b10c66073f Detect unsigned integer overflow in mbedtls_ecp_check_budget()
This commit modifies a bounds check in `mbedtls_ecp_check_budget()` to
be correct even if the requested number of ECC operations would overflow
the operation counter.
2018-10-26 15:09:35 +01:00
Hanno Becker 6934e9b288 Indentation fix 2018-10-25 16:07:16 +01:00
Hanno Becker 137015c1b1 Fix unsafe bounds checks in ssl_load_session()
Fixes #659 reported by Guido Vranken.
2018-10-25 16:07:08 +01:00
Simon Butcher 169712e15a Merge remote-tracking branch 'restricted/pr/390' into development 2018-10-24 18:34:30 +01:00
Hanno Becker 9543373668 Use brackets around shift operations
Use `( x >> y ) & z` instead of `x >> y & z`. Both are equivalent
by operator precedence, but the former is more readable and the
commonly used idiom in the library.
2018-10-24 13:31:49 +01:00
Jaeden Amero a74faba27a aes: xts: Correct NIST 80-38E to 800-38E
Correct a typo in an AES XTS implementation comment where the relevant
NIST standard was incorrectly referred to as NIST 80-38E instead of NIST
800-38E.
2018-10-23 12:07:18 +01:00
Jaeden Amero 8381fcb3f9 aes: xts: Update inaccurate comments
It is inaccurate to call a data unit a "sector". A disk sector is a
common use case for the data unit, but there exist other types of data
units that are not sectors.
2018-10-23 12:07:18 +01:00
Manuel Pégourié-Gonnard a966fdea72 Fix some documentation typos and improve a comment 2018-10-23 10:41:11 +02:00
Brian J Murray f343de12dc typo fix 2018-10-22 16:41:35 -07:00
Manuel Pégourié-Gonnard ca29fdf569 Fix some typos in documentation and comments 2018-10-22 09:56:53 +02:00
Hanno Becker 27516979c1 Entropy: Fall through to /dev/random if getrandom() syscall unknown
This commit fixes issue #1212 related to platform-specific entropy
polling in an syscall-emulated environment.

Previously, the implementation of the entropy gathering function
`mbedtls_platform_entropy_poll()` for linux machines used the
following logic to determine how to obtain entropy from the kernel:

1. If the getrandom() system call identifier SYS_getrandom is present and
   the kernel version is 3.17 or higher, use syscall( SYS_getrandom, ... )
2. Otherwise, fall back to reading from /dev/random.

There are two issues with this:

1. Portability:
   When cross-compiling the code for a different
   architecture and running it through system call
   emulation in qemu, qemu reports the host kernel
   version through uname but, as of v.2.5.0,
   doesn't support emulating the getrandom() syscall.
   This leads to `mbedtls_platform_entropy_poll()`
   failing even though reading from /dev/random would
   have worked.

2. Style:
   Extracting the linux kernel version from
   the output of `uname` is slightly tedious.

This commit fixes both by implementing the suggestion in #1212:
- It removes the kernel-version detection through uname().
- Instead, it checks whether `syscall( SYS_getrandom, ... )`
  fails with errno set to ENOSYS indicating an unknown system call.
  If so, it falls through to trying to read from /dev/random.

Fixes #1212.
2018-10-18 12:12:04 +01:00
Hanno Becker dd3ab13da3 Fail when encountering invalid CBC padding in EtM records
This commit changes the behavior of the record decryption routine
`ssl_decrypt_buf()` in the following situation:
1. A CBC ciphersuite with Encrypt-then-MAC is used.
2. A record with valid MAC but invalid CBC padding is received.
In this situation, the previous code would not raise and error but
instead forward the decrypted packet, including the wrong padding,
to the user.

This commit changes this behavior to return the error
MBEDTLS_ERR_SSL_INVALID_MAC instead.

While erroneous, the previous behavior does not constitute a
security flaw since it can only happen for properly authenticated
records, that is, if the peer makes a mistake while preparing the
padded plaintext.
2018-10-17 14:43:14 +01:00
Hanno Becker 44da18a294 Duplicate mbedtls_asn1_find_named_data in asn1write.c to avoid dep.
This commit duplicates the public function mbedtls_asn1_find_named_data()
defined in library/asn1parse.c within library/asn1write.c in order to
avoid a dependency of the ASN.1 writing module on the ASN.1 parsing module.

The duplication is unproblematic from a semantic and an efficiency
perspective becasue it is just a short list traversal that doesn't
actually do any ASN.1 parsing.
2018-10-16 13:44:06 +01:00
Hanno Becker 1ea604d3ee Guard mbedtls_pkcs5_pbes2() by MBEDTLS_ASN1_PARSE_C
Previously, mbedtls_pkcs5_pbes2() was unconditionally declared
in `pkcs5.h` but defined as a stub returning
`MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE` in case
MBEDTLS_ASN1_PARSE_C was not defined.

In line with the previous commits, this commit removes declaration
and definition from both `pkcs5.h` and `pkcs5.c` in case
MBEDTLS_ASN1_PARSE_C is not defined.
2018-10-16 13:39:40 +01:00
Hanno Becker 8a89f9fcd2 Make PBE-related parts of PKCS12 depend on MBEDTLS_ASN1_PARSE_C 2018-10-16 13:39:40 +01:00
Manuel Pégourié-Gonnard b25cb603bb Add a comment to clarify code flow 2018-10-16 11:48:09 +02:00
Manuel Pégourié-Gonnard a5a3e40c4e Fix missing dereference.
Went unnoticed because it was only on a defensive code path, in an internal
function, so not exercised.
2018-10-16 11:27:23 +02:00
Manuel Pégourié-Gonnard 90f31b71a8 Improve readability by moving counter decrement
Avoid the slightly awkward rs_ctx-> i = i + 1
2018-10-16 10:45:24 +02:00
Manuel Pégourié-Gonnard a58e011ac0 Fix alignment in a macro definition 2018-10-16 10:42:47 +02:00
Manuel Pégourié-Gonnard b843b15a02 Fix function name to fit conventions 2018-10-16 10:41:31 +02:00
Manuel Pégourié-Gonnard c0edc96704 Add comment on internal function API 2018-10-16 10:38:19 +02:00
Manuel Pégourié-Gonnard d8b73f2312 Remove unnecessary calls to init() from free()
Our API makes no guarantee that you can use a context after free()ing it
without re-init()ing it first, so better not give the wrong impression that we
do, while it's not policy and the rest of the code might not allow it.
2018-10-16 10:34:13 +02:00
Manuel Pégourié-Gonnard c37423fa76 Fix misleading sub-state name and comments
The enum constant had 'ske' in its name while this was a sub-state of the
"write client key exchange" state; corresponding issue in the comment.
2018-10-16 10:28:17 +02:00
Ron Eldor 5267b62248 Change error description
1. Change error description to a clearer one.
2. Change value in the error codes ranges description.
2018-10-15 18:44:42 +03:00
Ron Eldor a27190b774 Rename platform error code and value
Rename the PLATFORM HW error, to avoid ABI breakage with Mbed OS.
The value changed as well, as previous value was not in the range of
Mbed TLS low level error codes.
2018-10-15 16:33:43 +03:00
Manuel Pégourié-Gonnard ee68cff813 Fix or improve some comments (and whitespace) 2018-10-15 15:27:49 +02:00
Manuel Pégourié-Gonnard f0bbd7e3fd Misc documentation fixes/improvements. 2018-10-15 13:22:41 +02:00
Manuel Pégourié-Gonnard 6346a75dfb Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development:
  ssl-opt.sh: change expected output for large srv packet test with SSLv3
  Adapt ChangeLog
  Fix bug in SSL ticket implementation removing keys of age < 1s
  ssl-opt.sh: Add DTLS session resumption tests
  Add ChangeLog entry
  Fix typo
  Fix hmac_drbg failure in benchmark, with threading
  Remove trailing whitespace
  Remove trailing whitespace
  ssl_server2: add buffer overhead for a termination character
  Add missing large and small packet tests for ssl_server2
  Added buffer_size and response_size options for ssl-server2. Added appropriate tests.

Solving a conflict in tests/ssl-opt.sh: two set of tests were added at the
same place (just after large packets):
- restartable ECC tests (in this branch)
- server-side large packets (in development)

Resolution was to move the ECC tests after the newly added server large packet
ones.
2018-10-15 11:26:17 +02:00
Gilles Peskine 4899247bf2 Fix undefined behavior in unsigned-to-signed conversion
The code assumed that `int x = - (unsigned) u` with 0 <= u < INT_MAX
sets `x` to the negative of u, but actually this calculates
(UINT_MAX - u) and then converts this value to int, which overflows.
Cast to int before applying the unary minus operator to guarantee the
desired behavior.
2018-10-12 20:32:55 +02:00
Gilles Peskine 9b430704d1 Fix likely-harmless undefined behavior surrounding volatile
The code was making two unsequenced reads from volatile locations.
This is undefined behavior. It was probably harmless because we didn't
care in what order the reads happened and the reads were from ordinary
memory, but UB is UB and IAR8 complained.
2018-10-12 20:32:52 +02:00
Hanno Becker 805f2e11bd Add missing zeroization of buffered handshake messages
This commit ensures that buffers holding fragmented or
future handshake messages get zeroized before they are
freed when the respective handshake message is no longer
needed. Previously, the handshake message content would
leak on the heap.
2018-10-12 16:50:37 +01:00
Andrzej Kurek 748face36f ssl_tls: fix maximum output length
set maximum output length to MBEDTLS_SSL_OUT_CONTENT_LEN instead of
MBEDTLS_SSL_MAX_CONTENT_LEN.
2018-10-11 07:20:19 -04:00