Commit graph

6581 commits

Author SHA1 Message Date
Gilles Peskine d04d292b64 Get rid of useless handshake field out_async_start
The location where the signature goes is now tracked via
ssl->out_msglen, which makes ssl->handshake->out_async_start redundant.
2018-04-24 09:36:36 +02:00
Gilles Peskine ab50f83a93 Improve documentation of async operation start callbacks 2018-04-24 09:36:36 +02:00
Gilles Peskine 7ab013a08a ssl_write_server_key_exchange refactor: move signature_len out
Move the writing of signature_len out of
ssl_prepare_server_key_exchange. This simplifies the control flow (one
less goto).
2018-04-24 09:36:36 +02:00
Gilles Peskine 1004c19ed0 ssl_write_server_key_exchange refactor: don't use p in the signing phase
This is in preparation of further splitting ssl_write_server_key_exchange
into several functions.
2018-04-24 09:36:36 +02:00
Gilles Peskine 184a3faa8a ssl_write_server_key_exchange refactor: create ssl_prepare_server_key_exchange
This is in the process of splitting ssl_write_server_key_exchange
into several functions.
2018-04-24 09:36:36 +02:00
Gilles Peskine 3ce9b900d2 ssl_write_server_key_exchange refactor: remove dig_signed_len
Simplify the redundant varaible dig_signed_len away.

This is in preparation for splitting ssl_write_server_key_exchange
into several functions.
2018-04-24 09:36:36 +02:00
Gilles Peskine 3665f1db9d SSL asynchronous signature: test cases
Add test cases for SSL asynchronous signature to ssl-opt.sh:

* Delay=0,1 to test the sequences of calls to f_async_resume
* Test fallback when the async callbacks don't support that key
* Test error injection at each stage
* Test renegotiation
2018-04-24 09:36:36 +02:00
Gilles Peskine 4bf9a28d1d SSL asynchronous signature: first implementation
Implement SSL asynchronous private operation for the case of a
signature operation in a server.

This is a first implementation. It is functional, but the code is not
clean, with heavy reliance on goto.
2018-04-24 09:36:06 +02:00
Gilles Peskine ebd652fe2d ssl_write_server_key_exchange: calculate hashlen explicitly
The pk layer can infer the hash length from the hash type. Calculate
it explicitly here anyway because it's needed for debugging purposes,
and it's needed for the upcoming feature allowing the signature
operation to be offloaded to an external cryptographic processor, as
the offloading code will need to know what length hash to copy.
2018-04-24 09:34:38 +02:00
Gilles Peskine e1efdf912f ssl_write_server_key_exchange: don't hard-code max hash size 2018-04-24 09:32:29 +02:00
Gilles Peskine e198df53a0 ssl_pick_cert: use the public key for can_do
This is in preparation for support of external private key operations,
where there is no private key object.
2018-04-24 09:32:29 +02:00
Gilles Peskine 9eb5e9a16e SSL asynchronous private key operation callbacks: test server
New options in ssl_server2 to use the asynchronous private key
operation feature.

Features: resume delay to call resume more than once; error injection
at each stage; renegotiation support.
2018-04-24 09:32:29 +02:00
Gilles Peskine 8bf79f6dc6 SSL asynchronous private key operation callbacks: interface
New compile-time option MBEDTLS_SSL_ASYNC_PRIVATE_C, enabling
callbacks to replace private key operations. These callbacks allow the
SSL stack to make an asynchronous call to an external cryptographic
module instead of calling the cryptography layer inside the library.
The call is asynchronous in that it may return the new status code
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, in which case the SSL stack returns
and can be later called where it left off.

This commit introduces the configuration option. Later commits will
implement the feature proper.
2018-04-24 09:32:28 +02:00
Gilles Peskine 59e83d96db Add conf parameter to mbedtls_ssl_handshake_free
This function is declared in ssl_internal.h, so this is not a public
API change.

This is in preparation for mbedtls_ssl_handshake_free needing to call
methods from the config structure.
2018-04-24 09:32:28 +02:00
Gilles Peskine fe1c0937d7 ssl_write_server_key_exchange refactor: remove redundant variable n
Remove redundant variable n, which counts in parallel to p. Having
both adds the burden of keeping them in synch for no benefit.
2018-04-24 09:32:28 +02:00
Gilles Peskine 81d4e899a4 Don't rely on private key metadata in SSL
In SSL, don't use mbedtls_pk_ec or mbedtls_pk_rsa on a private
signature or decryption key (as opposed to a public key or a key used
for DH/ECDH). Extract the data (it's the same data) from the public
key object instead. This way the code works even if the private key is
opaque or if there is no private key object at all.

Specifically, with an EC key, when checking whether the curve in a
server key matches the handshake parameters, rely only on the offered
certificate and not on the metadata of the private key.
2018-04-24 09:26:03 +02:00
Manuel Pégourié-Gonnard 7aeb470f61 Merge remote-tracking branch 'public/pr/1234' into development-proposed
* public/pr/1234:
  Doxygen: don't traverse symbolic links
2018-04-18 16:13:52 +02:00
Manuel Pégourié-Gonnard 64f5adf9f9 Merge remote-tracking branch 'public/pr/1380' into development-proposed
* public/pr/1380:
  Update ChangeLog for #1380
  Generate RSA keys according to FIPS 186-4
  Generate primes according to FIPS 186-4
  Avoid small private exponents during RSA key generation
2018-04-18 16:13:52 +02:00
Manuel Pégourié-Gonnard 4acb0055e3 Merge remote-tracking branch 'public/pr/1518' into development-proposed
* public/pr/1518:
  Update platform.h
  Update platform.h
2018-04-18 16:13:52 +02:00
Manuel Pégourié-Gonnard 66d396826a Merge remote-tracking branch 'public/pr/1516' into development-proposed
* public/pr/1516:
  Update sha512.h
2018-04-18 16:13:52 +02:00
Manuel Pégourié-Gonnard bb93c04aab Merge remote-tracking branch 'public/pr/1515' into development-proposed
* public/pr/1515:
  Update sha256.h
  Update sha256.h
2018-04-18 16:13:52 +02:00
Gilles Peskine b80f04eb67 Merge remote-tracking branch 'upstream-public/pr/1514' into development-proposed 2018-04-18 16:13:30 +02:00
Gilles Peskine 2e1934ac0c Fix comment formatting to pacify check-names.sh 2018-04-18 16:08:26 +02:00
Manuel Pégourié-Gonnard a9377336be Merge remote-tracking branch 'public/pr/1513' into development-proposed
* public/pr/1513:
  Update rsa.h
  Update rsa.h
  Update rsa.h
2018-04-18 11:58:53 +02:00
Manuel Pégourié-Gonnard 0392bff1b9 Merge remote-tracking branch 'public/pr/1512' into development-proposed
* public/pr/1512:
  Update md.h
  Update md.h
2018-04-18 11:57:50 +02:00
Manuel Pégourié-Gonnard b3a8fe7285 Merge remote-tracking branch 'public/pr/1509' into development-proposed
* public/pr/1509:
  Update ecdh.h
  Update ecdh.h
2018-04-18 11:56:49 +02:00
Manuel Pégourié-Gonnard 01d72df113 Merge remote-tracking branch 'public/pr/1508' into development-proposed
* public/pr/1508:
  Update ctr_drbg.h
  Update ctr_drbg.h
2018-04-18 11:55:30 +02:00
Manuel Pégourié-Gonnard 7153496395 Merge remote-tracking branch 'public/pr/1507' into development-proposed
* public/pr/1507:
  Update cmac.h
  Update cmac.h
2018-04-18 11:54:42 +02:00
Manuel Pégourié-Gonnard c265a25f4f Merge remote-tracking branch 'public/pr/1503' into development-proposed
* public/pr/1503:
  Update aes.h
  Update aes.h
2018-04-18 11:48:10 +02:00
Rose Zadik 21e2926736
Update rsa.h
minor change to the file's brief desc.
2018-04-17 14:08:56 +01:00
Rose Zadik 6ee22a7d52
Update sha256.h
Minor fix based on review comments
2018-04-17 10:38:39 +01:00
Rose Zadik 92d66b88ae
Update sha1.h
Changes based on review comments
2018-04-17 10:36:56 +01:00
Rose Zadik f2ec288bf8
Update rsa.h
Changes based on review comments.
2018-04-17 10:27:25 +01:00
Rose Zadik f3e4736131
Update md.h
Changes based on review comments
2018-04-16 16:31:16 +01:00
Rose Zadik 7375b0f6c1
Update ecdh.h
Changs based on review comments
2018-04-16 16:04:57 +01:00
Rose Zadik 9464d7b6e3
Update platform.h
Implemented changes based on review comments
2018-04-16 15:28:35 +01:00
Rose Zadik f25eb6eef6
Update ctr_drbg.h
minor changes based on comments
2018-04-16 14:51:52 +01:00
Rose Zadik c138bb7b05
Update cmac.h
minor changes based on comments
2018-04-16 11:11:25 +01:00
Rose Zadik 819d13dfff
Update aes.h
fixed missing multiple returns on mbedtls_aes_setkey_enc
2018-04-16 09:35:15 +01:00
Jethro Beekman cb122373f0 Update ChangeLog for #1380 2018-04-11 08:40:38 -07:00
Jethro Beekman c645bfe176 Generate RSA keys according to FIPS 186-4
The specification requires that P and Q are not too close. The specification
also requires that you generate a P and stick with it, generating new Qs until
you have found a pair that works. In practice, it turns out that sometimes a
particular P results in it being very unlikely a Q can be found matching all
the constraints. So we keep the original behavior where a new P and Q are
generated every round.
2018-04-11 08:38:37 -07:00
Jethro Beekman 666892792d Generate primes according to FIPS 186-4
The specification requires that numbers are the raw entropy (except for odd/
even) and at least 2^(nbits-0.5). If not, new random bits need to be used for
the next number. Similarly, if the number is not prime new random bits need to
be used.
2018-04-11 08:38:37 -07:00
Jethro Beekman 97f95c9ef3 Avoid small private exponents during RSA key generation
Attacks against RSA exist for small D. [Wiener] established this for
D < N^0.25. [Boneh] suggests the bound should be N^0.5.

Multiple possible values of D might exist for the same set of E, P, Q. The
attack works when there exists any possible D that is small. To make sure that
the generated key is not susceptible to attack, we need to make sure we have
found the smallest possible D, and then check that D is big enough. The
Carmichael function λ of p*q is lcm(p-1, q-1), so we can apply Carmichael's
theorem to show that D = d mod λ(n) is the smallest.

[Wiener] Michael J. Wiener, "Cryptanalysis of Short RSA Secret Exponents"
[Boneh] Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key d Less than N^0.292"
2018-04-11 08:38:37 -07:00
Manuel Pégourié-Gonnard 4ca9a45756 Merge remote-tracking branch 'public/pr/1560' into development-proposed
* public/pr/1560:
  Warn if using a memory sanitizer on AESNI
2018-04-11 13:06:30 +02:00
Manuel Pégourié-Gonnard e72d3225a7 Merge remote-tracking branch 'public/pr/1559' into development-proposed
* public/pr/1559:
  Make the memset call prior to FD_ZERO conditional to needing it
2018-04-11 13:05:31 +02:00
Gilles Peskine 5053efde33 Warn if using a memory sanitizer on AESNI
Clang-Msan is known to report spurious errors when MBEDTLS_AESNI_C is
enabled, due to the use of assembly code. The error reports don't
mention AES, so they can be difficult to trace back to the use of
AES-NI. Warn about this potential problem at compile time.
2018-04-05 15:37:38 +02:00
Gilles Peskine ec4733b645 Make the memset call prior to FD_ZERO conditional to needing it
Zeroing out an fd_set before calling FD_ZERO on it is in principle
useless, but without it some memory sanitizers think the fd_set is
still uninitialized after FD_ZERO (e.g. clang-msan/Glibc/x86_64 where
FD_ZERO is implemented in assembly). Make the zeroing conditional on
using a memory sanitizer.
2018-04-05 14:55:47 +02:00
Gilles Peskine 80aa3b8d65 Merge branch 'pr_946' into development-proposed 2018-04-04 10:33:45 +02:00
Gilles Peskine 5c77f2ef37 Merge remote-tracking branch 'upstream-public/pr/1535' into development-proposed 2018-04-04 10:31:09 +02:00
Gilles Peskine e4d3b7f860 Fix merge glitch in ChangeLog 2018-04-04 09:28:48 +02:00