Commit graph

723 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard e05e57619b Remove use of C99 construct
This is an LTS branch, C99 isn't allowed yet, it breaks versions of MSVC that
we still support for this branch.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-29 10:06:39 +02:00
Manuel Pégourié-Gonnard 2f484bd979 Add missing const for consistency
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard 2da9a54559 Fix typos in comments
Co-authored-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard 0cd0c731fd Check errors from the MD layer
Could be out-of-memory for some functions, accelerator issues for others.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard c9ef5a2b76 Remove unnecessary cast
This is C, not C++, casts between void * and other pointer types are free.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard ec956b1861 Improve some comments and internal documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 41df0f2bca Factor repeated condition to its own macro
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 4508c67c42 Implement cf_hmac() actually with constant flow
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard d11971875a Use existing implementation of cf_hmac()
Just move code from ssl_decrypt_buf() to the new cf_hmac() function and then
call cf_hmac() from there.

This makes the new cf_hmac() function used and validates that its interface
works for using it in ssl_decrypt_buf().

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 3ba2bcaf0d Add dummy constant-flow HMAC function with tests
The dummy implementation is not constant-flow at all for now, it's just
here as a starting point and a support for developing the tests and putting
the infrastructure in place.

Depending on the implementation strategy, there might be various corner cases
depending on where the lengths fall relative to block boundaries. So it seems
safer to just test all possible lengths in a given range than to use only a
few randomly-chosen values.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:27 +02:00
Manuel Pégourié-Gonnard 8ebb88d1e0 Factor repeated preprocessor condition to a macro
The condition is a complex and repeated a few times. There were already some
inconsistencies in the repetitions as some of them forgot about DES.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 12:58:47 +02:00
Janos Follath 9cdda866bf Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.16r0 2020-06-25 09:20:57 +01:00
Janos Follath 44183d1548
Merge pull request #3409 from bensze01/license-2.7
[Backport 2.7] Update license headers to reflect the Apache-2.0 OR GPL-2.0-or-later licensing
2020-06-18 15:54:09 +01:00
Manuel Pégourié-Gonnard 8352797c44 Use starts/finish around Lucky 13 dummy compressions
Fixes #3246

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-18 11:48:55 +02:00
Bence Szépkúti 4e9f71227a Update license headers to Apache-2.0 OR GPL-2.0-or-later
This will allow us to ship the LTS branches in a single archive

This commit was generated using the following script:

# ========================
#!/bin/sh

header1='\ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later\
 *\
 *  This file is provided under the Apache License 2.0, or the\
 *  GNU General Public License v2.0 or later.\
 *\
 *  **********\
 *  Apache License 2.0:\
 *\
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may\
 *  not use this file except in compliance with the License.\
 *  You may obtain a copy of the License at\
 *\
 *  http://www.apache.org/licenses/LICENSE-2.0\
 *\
 *  Unless required by applicable law or agreed to in writing, software\
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
 *  See the License for the specific language governing permissions and\
 *  limitations under the License.\
 *\
 *  **********\
 *\
 *  **********\
 *  GNU General Public License v2.0 or later:\
 *\
 *  This program is free software; you can redistribute it and/or modify\
 *  it under the terms of the GNU General Public License as published by\
 *  the Free Software Foundation; either version 2 of the License, or\
 *  (at your option) any later version.\
 *\
 *  This program is distributed in the hope that it will be useful,\
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of\
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\
 *  GNU General Public License for more details.\
 *\
 *  You should have received a copy of the GNU General Public License along\
 *  with this program; if not, write to the Free Software Foundation, Inc.,\
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\
 *\
 *  **********'

find -path './.git' -prune -o '(' -name '*.c' -o -name '*.cpp' -o -name '*.fmt' -o -name '*.h' ')' -print | xargs sed -i "
# Normalize the first line of the copyright headers (no text on the first line of a block comment)
/^\/\*.*Copyright.*Arm/I s/\/\*/&\n */

# Insert new copyright header
/SPDX-License-Identifier/ i\
$header1

# Delete old copyright header
/SPDX-License-Identifier/,$ {
  # Delete lines until the one preceding the mbedtls declaration
  N
  1,/This file is part of/ {
    /This file is part of/! D
  }
}
"

# Format copyright header for inclusion into scripts
header2=$(echo "$header1" | sed 's/^\\\? \* \?/#/')

find -path './.git' -prune -o '(' -name '*.gdb' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' ')' -print | xargs sed -i "
# Insert new copyright header
/SPDX-License-Identifier/ i\
$header2

# Delete old copyright header
/SPDX-License-Identifier/,$ {
  # Delete lines until the one preceding the mbedtls declaration
  N
  1,/This file is part of/ {
    /This file is part of/! D
  }
}
"
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-15 12:56:41 +02:00
Ronald Cron a32236c813 Use defines to check alpn ext list validity
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-12 10:00:04 +02:00
Manuel Pégourié-Gonnard 6062b49d29 Fix bug in handling of DTLS client hard reconnect
We keep track of the current epoch and record sequence number in out_ctr,
which was overwritten when writing the record containing the
HelloVerifyRequest starting from out_buf. We can avoid that by only using the
rest of the buffer.

Using MBEDTLS_SSL_MAX_CONTENT_LEN as the buffer size is still correct, as it
was a pretty conservative value when starting from out_buf.

Note: this bug was also fixed unknowingly in 2.13 by introducing a new buffer
that holds the current value of the sequence number (including epoch), while
working on datagram packing: 198594709b

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 13:04:19 +02:00
Manuel Pégourié-Gonnard 4bbbdc36bc Improve debug logging of client hard reconnect
The current logging was sub-standard, in particular there was no trace
whatsoever of the HelloVerifyRequest being sent. Now it's being logged with
the usual levels: 4 for full content, 2 return of f_send, 1 decision about
sending it (or taking other branches in the same function) because that's the
same level as state changes in the handshake, and also same as the "possible
client reconnect" message" to which it's the logical continuation (what are we
doing about it?).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 12:46:23 +02:00
Andres Amaya Garcia 8758053e80 Fix compilation issue when DTLS and SSL_HW_RECORD_ACCEL are on
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 10:26:02 +01:00
Jaeden Amero 0b2035794f Merge remote-tracking branch 'origin/pr/2713' into mbedtls-2.7
* origin/pr/2713:
  programs: Make `make clean` clean all programs always
  ssl_tls: Enable Suite B with subset of ECP curves
  windows: Fix Release x64 configuration
  timing: Remove redundant include file
  net_sockets: Fix typo in net_would_block()
2019-06-21 15:58:02 +01:00
Jaeden Amero 0cf1776a2d Merge remote-tracking branch 'origin/pr/2451' into mbedtls-2.7
* origin/pr/2451:
  Fix #2370, minor typos and spelling mistakes
2019-06-21 15:55:21 +01:00
Jaeden Amero ba59f6b38e ssl_tls: Enable Suite B with subset of ECP curves
Make sure the code compiles even if some curves are not defined.

Fixes #1591
2019-06-20 16:30:36 +01:00
Antonin Décimo 8fd9156a4a Fix #2370, minor typos and spelling mistakes 2019-02-18 15:57:54 +00:00
Hanno Becker a34cc6b1c6 Correct length check for DTLS records from old epochs.
DTLS records from previous epochs were incorrectly checked against the
current epoch transform's minimal content length, leading to the
rejection of entire datagrams. This commit fixed that and adapts two
test cases accordingly.

Internal reference: IOTSSL-1417
2019-01-30 15:07:09 +01:00
Simon Butcher 5a15fa3cdc Merge remote-tracking branch 'public/pr/2096' into mbedtls-2.7-proposed 2018-11-04 18:48:46 +00:00
Hanno Becker ca31b47188 Fail when encountering invalid CBC padding in EtM records
This commit changes the behavior of the record decryption routine
`ssl_decrypt_buf()` in the following situation:
1. A CBC ciphersuite with Encrypt-then-MAC is used.
2. A record with valid MAC but invalid CBC padding is received.
In this situation, the previous code would not raise and error but
instead forward the decrypted packet, including the wrong padding,
to the user.

This commit changes this behavior to return the error
MBEDTLS_ERR_SSL_INVALID_MAC instead.

While erroneous, the previous behavior does not constitute a
security flaw since it can only happen for properly authenticated
records, that is, if the peer makes a mistake while preparing the
padded plaintext.
2018-10-17 14:54:16 +01:00
Hanno Becker d82e0c0235 Add missing zeroization of reassembled handshake messages
This commit ensures that buffers holding fragmented or
handshake messages get zeroized before they are freed
when the respective handshake message is no longer needed.
Previously, the handshake message content would leak on
the heap.
2018-10-16 09:14:03 +01:00
Simon Butcher 9877efb401 Merge remote-tracking branch 'restricted/pr/437' into mbedtls-2.7-restricted 2018-08-28 15:34:28 +01:00
Simon Butcher 6910201cd1 Merge remote-tracking branch 'restricted/pr/493' into mbedtls-2.7-restricted 2018-08-28 15:23:39 +01:00
Simon Butcher f7be6b029e Merge remote-tracking branch 'public/pr/1960' into mbedtls-2.7 2018-08-28 11:51:56 +01:00
Hanno Becker 12f7ede56e Compute record expansion in steps to ease readability 2018-08-17 15:30:03 +01:00
Hanno Becker dbd3e88479 Fix mbedtls_ssl_get_record_expansion() for CBC modes
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

Previously, it did not correctly estimate the maximum record expansion
in case of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
case the ciphertext is prefixed by an explicit IV.

This commit fixes this bug. Fixes #1914.
2018-08-17 10:12:21 +01:00
Hanno Becker cd6a64a516 Reset session_in/out pointers in ssl_session_reset_int()
Fixes #1941.
2018-08-14 15:48:36 +01:00
k-stachowiak 2c161144e2 Revert change of a return variable name 2018-07-31 17:02:56 +02:00
Simon Butcher 7daacda940 Merge remote-tracking branch 'restricted/pr/494' into mbedtls-2.7 2018-07-24 23:40:53 +01:00
Simon Butcher d5a3ed36b8 Merge remote-tracking branch 'public/pr/1863' into mbedtls-2.7 2018-07-24 12:57:15 +01:00
Simon Butcher bc5ec41c01 Merge remote-tracking branch 'public/pr/1847' into mbedtls-2.7 2018-07-19 19:48:25 +01:00
Angus Gratton 8946b0dd30 Check for invalid short Alert messages
(Short Change Cipher Spec & Handshake messages are already checked for.)
2018-07-16 20:12:56 +01:00
Angus Gratton b91cb6e1e6 TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-16 20:12:55 +01:00
Angus Gratton 1ba8e911ec CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-16 20:12:47 +01:00
Manuel Pégourié-Gonnard 7c34432b2d Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard aeeaaf271c Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-12 10:18:37 +02:00
k-stachowiak c2eddee456 Fix memory leak in ssl_setup 2018-07-09 10:39:20 +02:00
Philippe Antoine 33e5c32a5b Fixes different off by ones 2018-07-09 10:39:02 +02:00
niisato a35dbf155c about a issue Replace "new" variable #1782 2018-06-29 11:17:41 +01:00
Andres Amaya Garcia 0fc4e0878e Document ssl_write_real() behaviour in detail 2018-06-21 19:29:49 +01:00
Simon Butcher bb5e1c3973 Fix multiple quality issues in the source
This PR fixes multiple issues in the source code to address issues raised by
tests/scripts/check-files.py. Specifically:
 * incorrect file permissions
 * missing newline at the end of files
 * trailing whitespace
 * Tabs present
 * TODOs in the souce code
2018-06-08 11:14:43 +01:00
Gilles Peskine bb07ca0bfb Fix Lucky13 attack protection when using HMAC-SHA-384
As a protection against the Lucky Thirteen attack, the TLS code for
CBC decryption in encrypt-then-MAC mode performs extra MAC
calculations to compensate for variations in message size due to
padding. The amount of extra MAC calculation to perform was based on
the assumption that the bulk of the time is spent in processing
64-byte blocks, which was correct for most supported hashes but not for
SHA-384. Adapt the formula to 128-byte blocks for SHA-384.
2018-06-06 17:23:31 +02:00
Andrzej Kurek 149f3a4d73 Change variable bytes_written to header_bytes in record decompression
The name is changed to better reflect the input, decompression case
2018-04-24 06:32:44 -04:00
Andrzej Kurek c3a3e2df0e ssl_tls: Fix invalid buffer sizes during compression / decompression
Adjust information passed to zlib to include already written data.
2018-04-23 08:39:13 -04:00