Commit graph

725 commits

Author SHA1 Message Date
Simon Butcher 37b9fd5df6 Merge remote-tracking branch 'restricted/pr/490' into development 2018-07-24 23:40:37 +01:00
Angus Gratton 1a7a17e548 Check for invalid short Alert messages
(Short Change Cipher Spec & Handshake messages are already checked for.)
2018-07-20 23:09:29 +01:00
Angus Gratton 34817929ea TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-20 23:09:29 +01:00
Angus Gratton b512bc1d29 CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-20 23:09:29 +01:00
Simon Butcher 922bd1efb2 Merge remote-tracking branch 'public/pr/1752' into development 2018-07-20 14:33:18 +01:00
Simon Butcher df15356259 Merge remote-tracking branch 'public/pr/1663' into development 2018-07-19 19:48:10 +01:00
Manuel Pégourié-Gonnard 8744a02357 Clarify a few comments
The "+" sign could be misinterpreted as addition.
2018-07-11 12:30:40 +02:00
Simon Butcher e7aeef09ee Merge remote-tracking branch 'public/pr/536' into development 2018-07-10 15:24:26 +01:00
Manuel Pégourié-Gonnard 6a25cfae2a Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-10 11:15:36 +02:00
Manuel Pégourié-Gonnard 7b42030b5d Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-05 14:44:49 +02:00
Simon Butcher 4b6b08e7d2 Merge remote-tracking branch 'public/pr/1006' into development 2018-06-28 12:08:59 +01:00
niisato 8ee2422ef8 about a issue Replace "new" variable #1782 2018-06-25 19:05:48 +09:00
Andres Amaya Garcia 5b92352374 Document ssl_write_real() behaviour in detail 2018-06-21 19:23:21 +01:00
Manuel Pégourié-Gonnard 2e58e8ee34 Implement ChachaPoly mode in TLS 2018-06-19 12:12:47 +02:00
Angus Gratton d8213d00db Let MBEDTLS_SSL_MAX_CONTENT_LEN to be split into outward & inward sizes
For the situation where the mbedTLS device has limited RAM, but the
other end of the connection doesn't support the max_fragment_length
extension. To be spec-compliant, mbedTLS has to keep a 16384 byte
incoming buffer. However the outgoing buffer can be made smaller without
breaking spec compliance, and we save some RAM.

See comments in include/mbedtls/config.h for some more details.

(The lower limit of outgoing buffer size is the buffer size used during
handshake/cert negotiation. As the handshake is half-duplex it might
even be possible to store this data in the "incoming" buffer during the
handshake, which would save even more RAM - but it would also be a lot
hackier and error-prone. I didn't really explore this possibility, but
thought I'd mention it here in case someone sees this later on a mission
to jam mbedTLS into an even tinier RAM footprint.)
2018-06-18 20:51:51 +10:00
Simon Butcher 5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Philippe Antoine 747fd53938 Fixes different off by ones 2018-06-05 16:13:10 +02:00
Gilles Peskine d0e55a4657 ssl_decrypt_buf: remove code for hashes that aren't used in TLS 2018-06-04 14:41:19 +02:00
Gilles Peskine 5c38984fa7 Use our habitual INTERNAL_ERROR debug message 2018-06-04 12:02:43 +02:00
Gilles Peskine a7fe25d5a5 Remove tests of #define's that don't exist 2018-06-04 12:01:18 +02:00
Gilles Peskine 1bd9d58b21 Clarify comment about integer division by a variable 2018-06-04 11:58:44 +02:00
Gilles Peskine 20b4408fbd Fix Lucky13 attack protection when using HMAC-SHA-384
As a protection against the Lucky Thirteen attack, the TLS code for
CBC decryption in encrypt-then-MAC mode performs extra MAC
calculations to compensate for variations in message size due to
padding. The amount of extra MAC calculation to perform was based on
the assumption that the bulk of the time is spent in processing
64-byte blocks, which is correct for most supported hashes but not for
SHA-384. Correct the amount of extra work for SHA-384 (and SHA-512
which is currently not used in TLS, and MD2 although no one should
care about that).
2018-05-29 14:06:49 +02:00
Manuel Pégourié-Gonnard a3712beb9b Merge branch 'development' into iotssl-1941-aria-ciphersuites
* development: (504 commits)
  Fix minor code style issues
  Add the uodate to the soversion to the ChangeLog
  Fix the ChangeLog for clarity, english and credit
  Update version to 2.9.0
  ecp: Fix binary compatibility with group ID
  Changelog entry
  Change accepted ciphersuite versions when parsing server hello
  Remove preprocessor directives around platform_util.h include
  Fix style for mbedtls_mpi_zeroize()
  Improve mbedtls_platform_zeroize() docs
  mbedtls_zeroize -> mbedtls_platform_zeroize in docs
  Reword config.h docs for MBEDTLS_PLATFORM_ZEROIZE_ALT
  Organize CMakeLists targets in alphabetical order
  Organize output objs in alfabetical order in Makefile
  Regenerate errors after ecp.h updates
  Update ecp.h
  Change variable bytes_written to header_bytes in record decompression
  Update ecp.h
  Update ecp.h
  Update ecp.h
  ...
2018-05-22 15:58:50 +02:00
Darryl Green 11999bb72e Fix minor code style issues 2018-05-15 09:21:57 +01:00
Jaeden Amero a331e0f0af Merge remote-tracking branch 'upstream-restricted/pr/421' into development-proposed 2018-05-04 14:39:24 +01:00
Gilles Peskine 1febfef561 Rename mbedtls_ssl_async_{get,set}_data for clarity
Rename to mbedtls_ssl_get_async_operation_data and
mbedtls_ssl_set_async_operation_data so that they're about
"async operation data" and not about some not-obvious "data".
2018-04-30 11:54:39 +02:00
Gilles Peskine 8f97af7ea3 Don't pass the async config data to async callbacks
The config data is in the SSL config, so callbacks can retrieve it
from there, with the new function mbedtls_ssl_conf_get_async_config_data.
2018-04-26 11:46:10 +02:00
Gilles Peskine df13d5c7a6 Pass the SSL context to async callbacks
When a handshake step starts an asynchronous operation, the
application needs to know which SSL connection the operation is for,
so that when the operation completes, the application can wake that
connection up. Therefore the async start callbacks need to take the
SSL context as an argument. It isn't enough to let them set a cookie
in the SSL connection, the application needs to be able to find the
right SSL connection later.

Also pass the SSL context to the other callbacks for consistency. Add
a new field to the handshake that the application can use to store a
per-connection context. This new field replaces the former
context (operation_ctx) that was created by the start function and
passed to the resume function.

Add a boolean flag to the handshake structure to track whether an
asynchronous operation is in progress. This is more robust than
relying on the application to set a non-null application context.
2018-04-26 10:00:40 +02:00
Gilles Peskine 9b562d5c36 mbedtls_ssl_handshake_free: take the SSL context as argument
Change the signature of mbedtls_ssl_handshake_free again. Now take the
whole SSL context as argument and not just the configuration and the
handshake substructure.

This is in preparation for changing the asynchronous cancel callback
to take the SSL context as an argument.
2018-04-26 10:00:40 +02:00
Gilles Peskine b74a1c73b1 Rename MBEDTLS_SSL_ASYNC_PRIVATE_C to MBEDTLS_SSL_ASYNC_PRIVATE
This is an optional feature, not a module of its own, so don't call it
MBEDTLS_xxx_C and put it in the appropriate section of config.h.
2018-04-26 10:00:39 +02:00
Gilles Peskine f112725487 Style and grammar fixes 2018-04-26 10:00:39 +02:00
Gilles Peskine b44692f126 Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9
Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
  concurrently added errors; made the new error a full sentence per
  current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
    * ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
      was due to style corrections in development
      (4cb1f4d49c) which I merged with
      my refactoring.
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first case, variable declarations: merged line
      by line:
        * dig_signed_len: added in async
        * signature_len: removed in async
        * hashlen: type changed to size_t in development
        * hash: size changed to MBEDTLS_MD_MAX_SIZE in async
        * ret: added in async
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first cae comment: the conflict was due to style
      corrections in development (4cb1f4d49c)
      which I merged with my comment changes made as part of refactoring
      the function.
    * ssl_prepare_server_key_exchange "Compute the hash to be signed" if
      `md_alg != MBEDTLS_MD_NONE`: conflict between
      ebd652fe2d
      "ssl_write_server_key_exchange: calculate hashlen explicitly" and
      46f5a3e9b4 "Check return codes from
      MD in ssl code". I took the code from commit
      ca1d742904 made on top of development
      which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
      hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
  of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
  definitions for async support, and the introduction of idle().
    * definitions before main: concurrent additions, kept both.
    * main, just after `handshake:`: in the loop around
      mbedtls_ssl_handshake(), merge the addition of support for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
      with the addition of the idle() call.
    * main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
      code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
    * main, loop around mbedtls_ssl_read() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
    * main, loop around mbedtls_ssl_write() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
2018-04-26 10:00:27 +02:00
Andrzej Kurek a9ceef8e03 Change variable bytes_written to header_bytes in record decompression
The name is changed to better reflect the input, decompression case
2018-04-24 06:34:17 -04:00
Gilles Peskine ca1d742904 mbedtls_ssl_get_key_exchange_md_tls1_2: return hashlen
In mbedtls_ssl_get_key_exchange_md_tls1_2, add an output parameter for
the hash length. The code that calls this function can currently do
without it, but it will need the hash length in the future, when
adding support for a third-party callback to calculate the signature
of the hash.
2018-04-24 11:53:22 +02:00
Gilles Peskine 8bf79f6dc6 SSL asynchronous private key operation callbacks: interface
New compile-time option MBEDTLS_SSL_ASYNC_PRIVATE_C, enabling
callbacks to replace private key operations. These callbacks allow the
SSL stack to make an asynchronous call to an external cryptographic
module instead of calling the cryptography layer inside the library.
The call is asynchronous in that it may return the new status code
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, in which case the SSL stack returns
and can be later called where it left off.

This commit introduces the configuration option. Later commits will
implement the feature proper.
2018-04-24 09:32:28 +02:00
Gilles Peskine 59e83d96db Add conf parameter to mbedtls_ssl_handshake_free
This function is declared in ssl_internal.h, so this is not a public
API change.

This is in preparation for mbedtls_ssl_handshake_free needing to call
methods from the config structure.
2018-04-24 09:32:28 +02:00
Andrzej Kurek 5462e02874 ssl_tls: Fix invalid buffer sizes during compression / decompression
Adjust information passed to zlib to include already written data.
2018-04-20 07:58:53 -04:00
Andres Amaya Garcia 1f6301b3c8 Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
Andres Amaya Garcia e32df087fb Remove individual copies of mbedtls_zeroize()
This commit removes all the static occurrencies of the function
mbedtls_zeroize() in each of the individual .c modules. Instead the
function has been moved to utils.h that is included in each of the
modules.
2018-04-17 09:19:05 -05:00
Gilles Peskine 80aa3b8d65 Merge branch 'pr_946' into development-proposed 2018-04-04 10:33:45 +02:00
Gilles Peskine 73db8380ca Merge remote-tracking branch 'upstream-public/pr/1547' into development-proposed 2018-04-04 09:19:12 +02:00
Gilles Peskine a09453f495 Merge branch 'pr_1395' into development-proposed 2018-04-04 09:14:12 +02:00
mohammad1603 19d392b258 Fix compatibility problem in the printed message
Replace %zu with %lu and add cast for the printed value.
2018-04-02 07:35:50 -07:00
Gilles Peskine 039fd12834 Robustness fix in mbedtls_ssl_derive_keys
In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in
ciphersuites that don't use HMAC. This doesn't change the behavior of
the code, but avoids relying on an uncaught error when attempting to
start an HMAC operation that hadn't been initialized.
2018-03-31 22:53:49 +02:00
mohammad1603 52aecb9a7f Check whether INT_MAX larger than SIZE_MAX scenario
Check whether INT_MAX larger than SIZE_MAX scenario
2018-03-28 23:41:40 -07:00
Hanno Becker 2bd57578af Merge branch 'development' into iotssl-1204 2018-03-28 14:52:35 +01:00
mohammad1603 b878805919 Verify that f_send and f_recv send and receive the expected length
Verify that f_send and f_recv send and receive the expected length
2018-03-22 02:58:23 -07:00
Azim Khan 27e8a120b2 Assign NULL after freeing psk and psk_identity 2018-03-21 14:24:11 +00:00
junyeonLEE 316b162ac3 Separate psk and psk_identity buffers free
Sometimes, psk_identity buffer can't released because psk buffer is NULL.
So, separate it.
2018-03-21 14:15:28 +00:00
Gilles Peskine b4c571e603 Merge remote-tracking branch 'upstream-public/pr/1296' into HEAD 2018-03-11 00:44:14 +01:00