Commit graph

1186 commits

Author SHA1 Message Date
sander-visser 1abe8ee554 Expose SSL HW record acceleration error.
Fix issue with variable shadowing.

Signed-off-by: sander-visser <github@visser.se>
2020-05-06 21:29:01 +02:00
irwir d3085ab2b8 Avoid re-assigning zero to ret variable.
Resolve #3182.

Signed-off-by: irwir <irwir@users.noreply.github.com>
2020-04-21 22:26:59 +03:00
Manuel Pégourié-Gonnard 5d318cc22b
Merge pull request #3130 from gbryant-arm/generic-psk
Clarify and simplify PSK
2020-04-14 10:54:01 +02:00
Andrzej Kurek 8ea6872889
Improve pointer calculations when resizing I/O buffers
This commit introduces two changes:
- Add in_msg and out_msg calculations for buffer upsizing. This was previously
considered as unnecessary, but renegotiation using certain ciphersuites needs
this.
- Improving the way out_msg and in_msg pointers are calculated, so that even 
if no resizing is introduced, the pointers remain the same;

New tests added:
- various renegotiation schemes with a range of MFL's and ciphersuites;
- an ssl-opt.sh test exercising two things that were problematic: renegotiation
with TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 and a server MFL that's smaller
than the one negotiated by the client.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-09 04:33:00 -04:00
Andrzej Kurek 90c6e84a9c
Split the maximum fragment length into two - an input and output MFL
Since the server might want to have a different maximum fragment length
for the outgoing messages than the negotiated one - introduce a new way of
computing it. This commit also adds additional ssl-opt.sh tests ensuring
that the maximum fragment lengths are set as expected. 
mbedtls_ssl_get_max_frag_len() is now a deprecated function,
being an alias to mbedtls_ssl_get_output_max_frag_len(). The behaviour
of this function is the same as before.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-09 04:30:34 -04:00
Guilhem Bryant 0c9b1955ca Return internal error if no PSK is found when deriving the premaster secret
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-04-08 13:06:49 +01:00
Guilhem Bryant 03d3711bb1 Fix bracket style
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-04-03 18:21:19 +01:00
Guilhem Bryant b5f04e4d84 Properly initialise psk and psk_len
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-04-01 11:25:12 +01:00
Guilhem Bryant 61b0fe617e Initialise psk_len in mbedtls_ssl_psk_derive_premaster()
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-27 11:15:28 +00:00
Guilhem Bryant 82194c888d Fix bracketing style in ssl_tls.c
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-26 17:05:59 +00:00
Guilhem Bryant c5285d8c40 Use internal PSK getter
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-25 17:47:25 +00:00
Gilles Peskine 5e7d6fd240 Merge 'mbedtls/development' into merge-crypto-unremoved-20200304
Merge the latest state of the target branch (mbedtls/development) into the
pull request to merge mbed-crypto into mbedtls.

Conflicts:

* ChangeLog: add/add conflict. Resolve by using the usual section order.
2020-03-23 18:02:07 +01:00
Gilles Peskine eccd888717 Rename identifiers containing double-underscore
Rename identifiers containing double-underscore (`__`) to avoid `__`.
The reason to avoid double-underscore is that all identifiers
containing double-underscore are reserved in C++. Rename all such
identifiers that appear in any public header, including ssl_internal.h
which is in principle private but in practice is installed with the
public headers.

This commit makes check-names.sh pass.

```
perl -i -pe 's/\bMBEDTLS_SSL__ECP_RESTARTABLE\b/MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED/g; s/\bMBEDTLS_KEY_EXCHANGE_(_\w+)_(_\w+)\b/MBEDTLS_KEY_EXCHANGE${1}${2}/g' include/mbedtls/*.h library/*.c programs/*/*.c scripts/data_files/rename-1.3-2.0.txt tests/suites/*.function
```
2020-03-23 17:55:32 +01:00
Manuel Pégourié-Gonnard 21d1cbccda
Merge pull request #2262 from andresag01/iotssl-2544-deprecate-record-accel
Fix compilation failure when MBEDTLS_SSL_HW_RECORD_ACCEL is enabled
2020-03-16 10:37:16 +01:00
Manuel Pégourié-Gonnard 7ae6ed4435 Keep SSL context const when hw accel is disabled
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-13 11:28:58 +01:00
Andrzej Kurek 0afa2a1b65
Add I/O buffer resizing in handshake init and free
Add a conditional buffer resizing feature. Introduce tests exercising
it in various setups (serialization, renegotiation, mfl manipulations).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-04 09:28:16 -05:00
Darryl Green b33cc7688e
Add I/O buffer length fields to mbedtls_ssl_context
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Signed-off-by: Darryl Green <darryl.green@arm.com>
2020-03-03 10:44:49 -05:00
Manuel Pégourié-Gonnard e07bc20155 Fix compile errors with MBEDTLS_SSL_HW_RECORD_ACCEL
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 09:53:42 +01:00
Hanno Becker 9d062f9cd7 Move ssl_mac() from ssl_tls.c to ssl_msg.c 2020-02-07 11:38:03 +00:00
Hanno Becker af752d4bd6 Remove code from ssl_tls.c & ssl_msg.c to get disjoint functionality
This commit is the final step in separating the functionality of
what was originally ssl_tls.c into both ssl_tls.c and ssl_msg.c.

So far, ssl_msg.c has been created as an identical copy of ssl_tls.c.
For each block of code in these files, this commit removes it from
precisely one of the two files, depending on where the respective
functionality belongs.

The splitting separates the following functionalities:

1) An implementation of the TLS and DTLS messaging layer, that is,
   the record layer as well as the DTLS retransmission state machine.

   This is now contained in ssl_msg.c

2) Handshake parsing and writing functions shared between client and
   server (functions specific to either client or server are implemented
   in ssl_cli.c and ssl_srv.c, respectively).

   This is remains in ssl_tls.c.
2020-02-05 16:12:24 +00:00
Hanno Becker 471c0c98f6 Rename temporary copy ssl_tls_old.c back to ssl_tls.c 2020-02-05 16:10:22 +00:00
Hanno Becker abd9cef520 Duplicate ssl_tls.c as ssl_tls_old.c and ssl_msg.c
This commit is the first in a series of commits aiming to split
the content of ssl_tls.c in two files ssl_tls.c and ssl_msg.c.

As a first step, this commit replaces ssl_tls.c by two identical
copies ssl_tls_old.c and ssl_msg.c. Even though the file
ssl_tls_old.c will subsequently be renamed back into ssl_tls.c,
this approach retains the git history in both files.
2020-02-05 16:08:41 +00:00
Hanno Becker 89490716e9 Move ssl_get_current_mtu() to public namespace 2020-02-05 10:50:52 +00:00
Hanno Becker 533ab5f5c2 Move flight and message buffering functions to public namespace 2020-02-05 10:50:52 +00:00
Hanno Becker 40cdaa1263 Move ssl_start_renegotiation() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker ce5f5fdcb4 Move ssl_handshake_wrapup_free_hs_transform() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker 786300f898 Move ssl_resend_hello_request() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker 7e8e6a6870 Move ssl_dtls_replay_reset() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker 43aefe2321 Move ssl_session_reset_int() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker 3e6f8ab14a Move SSL internal pointer updating routines to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker 7876d127a9 Move ssl_check_timer() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker dd77229184 Move ssl_ep_len() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker 0f57a65391 Move ssl_set_timer() to public namespace 2020-02-05 10:50:45 +00:00
Manuel Pégourié-Gonnard c40b685837 Fix bug in record decompression
ssl_decompress_buf() was operating on data from the ssl context, but called at
a point where this data is actually in the rec structure. Call it later so
that the data is back to the ssl structure.
2020-01-24 10:44:13 +01:00
jiblime 9f25b8deff Fixes definition error when the deprecated MBEDTLS_ZLIB_SUPPORT and ENABLE_ZLIB_SUPPORT macro are defined/enabled for zlib support in mbedtls
100% tests passed, 0 tests failed out of 85

https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.19.1/library/ssl_tls.c#L1842

https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.19.1/library/ssl_tls.c#L1862
2020-01-24 09:34:06 +01:00
Janos Follath 73c616bdc1 Put includes in alphabetical order
The library style is to start with the includes corresponding to the
current module and then the rest in alphabetical order. Some modules
have several header files (eg. ssl_internal.h).

The recently added error.h includes did not respect this convention and
this commit restores it. In some cases this is not possible just by
moving the error.h declarations. This commit fixes the pre-existing
order in these instances too.
2019-12-19 10:27:57 +00:00
Janos Follath 865b3ebf84 Initialize return values to an error
Initializing the return values to an error is best practice and makes
the library more robust against programmer errors.
2019-12-16 15:15:16 +00:00
Jaeden Amero 1a61d455e9
Merge pull request #2841 from k-stachowiak/improve-memory-operation-clarity
Improve clarity of a memory operation call
2019-12-09 19:54:29 +02:00
Piotr Nowicki 9926eaf695 Do not allow configuring zero-length PSK
fix error when calloc is called with size 0
2019-11-25 15:49:53 +01:00
Jaeden Amero 5d74241b54 Merge remote-tracking branch 'origin/pr/2854' into development
* origin/pr/2854:
  Shorter version of mbedtls_ssl_send_fatal_handshake_failure
  Resolve #2801 - remove repetitive assignment to ssl->in_msg (the first value was never used)
  Resolve #2800 - move declaration to avoid unused variable warning in case MBEDTLS_SSL_PROTO_DTLS was undefined
  Resolve #2717 - remove erroneous sizeof (the operator was applied to constant integer number)
2019-11-22 10:20:19 +00:00
Arto Kinnunen 7f8089b2ec Fix mbedtls_ssl_check_record usage with ext buf
Record checking fails if mbedtls_ssl_check_record() is called with
external buffer. Received record sequence number is available in the
incoming record but it is not available in the ssl contexts `in_ctr`-
variable that is used when decoding the sequence number.

To fix the problem, temporarily update ssl context `in_ctr` to
point to the received record header and restore value later.
2019-10-29 13:51:37 +02:00
irwir 6c0da64094 Shorter version of mbedtls_ssl_send_fatal_handshake_failure 2019-10-28 19:54:04 +03:00
irwir 89af51ff39 Resolve #2801 - remove repetitive assignment to ssl->in_msg (the first value was never used) 2019-09-26 21:04:56 +03:00
irwir 734f0cf65e Resolve #2800 - move declaration to avoid unused variable warning in case MBEDTLS_SSL_PROTO_DTLS was undefined 2019-09-26 21:03:24 +03:00
irwir 40883e91a6 Resolve #2717 - remove erroneous sizeof (the operator was applied to constant integer number) 2019-09-26 21:00:56 +03:00
Gilles Peskine 311f54d0ee tls_prf: support an empty master secret
In TLS, the master secret is always a key. But EAP-TLS uses the TLS
PRF to derive an IV with an empty string for the "secret" input. The
code always stored the secret into a key slot before calling the TLS
PRF, but this doesn't work when the secret is empty, since PSA Crypto
no longer supports empty keys. Add a special case for an empty secret.
2019-09-23 18:19:22 +02:00
k-stachowiak 95b68ef5ae Improve clarity of a memory operation call 2019-09-16 12:21:00 +02:00
Jaeden Amero fa63645ec8 ssl: Remove key exporter bug workaround
It is no longer necessary to cast the randbytes to non-const when
exporting keys.
2019-09-12 15:18:25 +01:00
Hanno Becker 361b10d1c4 Fix SSL context deserialization
The SSL context maintains a set of 'out pointers' indicating the
address at which to write the header fields of the next outgoing
record. Some of these addresses have a static offset from the
beginning of the record header, while other offsets can vary
depending on the active record encryption mechanism: For example,
if an explicit IV is in use, there's an offset between the end
of the record header and the beginning of the encrypted data to
allow the explicit IV to be placed in between; also, if the DTLS
Connection ID (CID) feature is in use, the CID is part of the
record header, shifting all subsequent information (length, IV, data)
to the back.
When setting up an SSL context, the out pointers are initialized
according to the identity transform + no CID, and it is important
to keep them up to date whenever the record encryption mechanism
changes, which is done by the helper function ssl_update_out_pointers().

During context deserialization, updating the out pointers according
to the deserialized record transform went missing, leaving the out
pointers the initial state. When attemping to encrypt a record in
this state, this lead to failure if either a CID or an explicit IV
was in use. This wasn't caught in the tests by the bad luck that
they didn't use CID, _and_ used the default ciphersuite based on
ChaChaPoly, which doesn't have an explicit IV. Changing either of
this would have made the existing tests fail.

This commit fixes the bug by adding a call to ssl_update_out_pointers()
to ssl_context_load() implementing context deserialization.

Extending test coverage is left for a separate commit.
2019-08-30 12:14:25 +01:00
k-stachowiak 81053a5584 Use multipart PSA key derivation API 2019-08-17 11:43:35 +02:00