Commit graph

5576 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard a968843429 Improve some comments in verify_chain() 2017-08-23 11:37:22 +02:00
Manuel Pégourié-Gonnard 3627a8b2f6 Clarify state handling in find_parent(_in)() 2017-08-23 11:20:48 +02:00
Manuel Pégourié-Gonnard 83e923ba2b Better initialisation of ver_chain
Use dedicated function for consistency, and initialise flags to -1 as this is
the safe value.
2017-08-23 10:55:41 +02:00
Manuel Pégourié-Gonnard 8b7b96bbd3 Fix typo 2017-08-23 10:02:51 +02:00
Manuel Pégourié-Gonnard d55f776cb7 Skip context allocation if restart disabled 2017-08-18 17:40:15 +02:00
Manuel Pégourié-Gonnard aaa9814879 Uniformize ifdefs to ECDSA_C+ECP_RESTARTABLE
Some parts were already implicitly using this as the two ifdefs were nested,
and some others didn't, which resulted in compile errors in some configs. This
fixes those errors and saves a bit of code+RAM that was previously wasted when
ECP_RESTARTABLE was defined but ECDSA_C wasn't
2017-08-18 17:30:37 +02:00
Manuel Pégourié-Gonnard fe6877034d Keep PK layer context in the PK layer
Previously we kept the ecdsa context created by the PK layer for ECDSA
operations on ECKEY in the ecdsa_restart_ctx structure, which was wrong, and
caused by the fact that we didn't have a proper handling of restart
sub-contexts in the PK layer.
2017-08-18 17:04:07 +02:00
Manuel Pégourié-Gonnard 0bbc66cc76 Dynamically allocate/free restart subcontext in PK 2017-08-18 16:22:06 +02:00
Manuel Pégourié-Gonnard 15d7df2ba8 Introduce mbedtls_pk_restart_ctx and use it
The fact that you needed to pass a pointer to mbedtls_ecdsa_restart_ctx (or
that you needed to know the key type of the PK context) was a breach of
abstraction.

Change the API (and callers) now, and the implementation will be changed in
the next commit.
2017-08-17 15:16:11 +02:00
Manuel Pégourié-Gonnard 98a6778d47 Better document some function arguments 2017-08-17 10:52:20 +02:00
Manuel Pégourié-Gonnard b889d3e5fb Clarify & uniformise test comments 2017-08-17 10:25:18 +02:00
Manuel Pégourié-Gonnard 5faafa76cf Update X.509 test certs' Readme 2017-08-17 10:13:00 +02:00
Manuel Pégourié-Gonnard c9e16a97da Disable restartable ECC by default 2017-08-15 14:30:59 +02:00
Manuel Pégourié-Gonnard 9897cc933d Update ChangeLog 2017-08-15 14:30:43 +02:00
Manuel Pégourié-Gonnard 3bf49c4552 Enable restart for certificate verify 2017-08-15 14:12:47 +02:00
Manuel Pégourié-Gonnard fed37ed039 Extract some code to separate function
Goals include:
- reducing the number of local variables in the main function (so that we
  don't have to worry about saving/restoring them)
- reducing the number exit points in the main function, making it easier to
  update ssl->state only right before we return
2017-08-15 13:35:42 +02:00
Manuel Pégourié-Gonnard 39eda87382 Make more auto variables const
That way we know we don't have to worry about saving and restoring their
value.
2017-08-15 13:00:33 +02:00
Manuel Pégourié-Gonnard 6b7301c872 Change restart context type.
No need to have both x509 and ecdsa, as the former contains the later.
2017-08-15 12:08:45 +02:00
Manuel Pégourié-Gonnard d27d1a5a82 Clean up existing SSL restartable ECC code
- more consistent naming with ecrs prefix for everything
- always check it enabled before touching the rest
- rm duplicated code in parse_server_hello()
2017-08-15 11:49:08 +02:00
Manuel Pégourié-Gonnard 8b59049407 Make verify() actually restartable 2017-08-15 10:45:09 +02:00
Manuel Pégourié-Gonnard c11e4baa63 Rework type for verify chain
- create container with length + table
- make types public (will be needed in restart context)
2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard 18547b5db6 Refactor find_parent() to merge two call sites 2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard a4a5d1dbe6 Adapt function signatures to rs_ctx + ret 2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard be4ff42fe4 Call crt_check_signature from one place only 2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard d19a41d9aa Add tests for verify_restartable()
For selection of test cases, see comments added in the commit.

It makes the most sense to test with chains using ECC only, so for the chain
of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly.

Note: server10.crt was created by copying server10_int3_int-ca2.crt and
manually truncating it to remove the intermediates. That base can now be used
to create derived certs (without or with a chain) in a programmatic way.
2017-08-15 10:44:08 +02:00
Manuel Pégourié-Gonnard bc3f44ae9c Introduce mbedtls_x509_crt_verify_restartable() 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 21b7719fb2 Add ChangeLog entry for current progress 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 32033da127 Test some more handshake flows 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 23e416261c ECDH: not restartable unless explicitly enabled
This is mainly for the benefit of SSL modules, which only supports restart in
a limited number of cases. In the other cases (ECDHE_PSK) it would currently
return ERR_ECP_IN_PROGRESS and the user would thus call ssl_handshake() again,
but the SSL code wouldn't handle state properly and things would go wrong in
possibly unexpected ways.  This is undesirable, so it should be possible for
the SSL module to choose if ECDHE should behave the old or the new way.

Not that it also brings ECDHE more in line with the other modules which
already have that choice available (by passing a NULL or valid restart
context).
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 1f1f2a1ca6 Adapt ServerKeyEchange processing to restart 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 862cde5b8e Add restart support for ECDSA client auth 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 2350b4ebdc Adapt ECDHE_ECDSA key exchange to restartable EC
For now some other key exchanges (ECDHE_PSK) will just fail to work, this will
be either fixed or properly fixed later.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard b3c8307960 Adapt ssl_client2 to restartable EC 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 171a481b96 Add a ChangeLog entry for changes so far 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 31f0ef7b19 Fix style issues introduced earlier 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 1f596064bc Make PK EC sign/verify actually restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard c4ee9acb7b Add tests for restartable PK sign/verify 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 82cb27b3db PK: declare restartable sign/verify functions
For RSA, we could either have the function return an error code like
NOT_IMPLEMENTED or just run while disregarding ecp_max_ops. IMO the second
option makes more sense, as otherwise the caller would need to check whether
the key is EC or RSA before deciding to call either sign() or
sign_restartable(), and having to do this kind of check feels contrary to the
goal of the PK layer.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard fd838dab5c Comment cosmetics 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 66ba48a3c8 Make ECDH functions actually restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 71b2c53254 Add tests for restartable ECDH 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard c90d3b0f89 Update doc for restartable ECDH functions 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard af081f5460 Make ECDSA sign actually restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 50b63ba2f5 Use ecp_gen_privkey() in ECDSA sign
Two different changes:

- the first one will allow us to store k in the restart context while
  restarting the following ecp_mul() operation

- the second one is an simplification, unrelated to restartability, made
  possible by the fact that ecp_gen_privkey() is now public
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 675439620d Improve sign/key_tries handling
(Unrelated to restartable work, just noticed while staring at the code.)

Checking at the end is inefficient as we might give up when we just generated
a valid signature or key.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard b90883dc1d Prepare infra for restartable sign 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard eb402f3cd3 Add test for restartable signature
Test relies on deterministic signature as this uses plain sig internally, so
if deterministic works, then so does non-deterministic, while the reciprocal
is false. (Also, deterministic is enabled by default in config.h.)

Test case is taken from a RFC 6979 test vector, just manually converting (r,s)
to the encoded signature.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard addb10efac Create functions for restartable sign 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 5314f234ca Make verify_restartable() actually restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard a0c5bcc2bc Add infrastructure for ecdsa_verify_restartable() 2017-08-09 11:44:53 +02:00