Commit graph

4282 commits

Author SHA1 Message Date
Jaeden Amero 01b34fb316 Merge remote-tracking branch 'upstream-public/pr/2267' into development 2018-12-07 16:17:12 +00:00
Jaeden Amero 52ed0b9030 Merge remote-tracking branch 'upstream-public/pr/2101' into development 2018-12-07 16:15:31 +00:00
Janos Follath 683c582530 Clarify alternative ECP calling conventions
Function calls to alternative implementations have to follow certain
rules in order to preserve correct functionality. To avoid accidentally
breaking these rules we state them explicitly in the ECP module for
ourselves and every contributor to see.
2018-12-07 13:13:30 +00:00
Janos Follath af6f2694a4 Fix ECC hardware double initialization
We initialized the ECC hardware before calling
mbedtls_ecp_mul_shortcuts(). This in turn calls
mbedtls_ecp_mul_restartable(), which initializes and frees the hardware
too. This issue has been introduced by recent changes and caused some
accelerators to hang.

We move the initialization after the mbedtle_ecp_mul_shortcuts() calls
to avoid double initialization.
2018-12-07 11:03:47 +00:00
Jaeden Amero e1b1a2c979 Merge remote-tracking branch 'upstream-public/pr/2181' into development 2018-12-06 16:11:49 +00:00
Jaeden Amero 5b46fe774b Merge remote-tracking branch 'upstream-public/pr/2157' into development 2018-12-06 16:06:57 +00:00
Jaeden Amero bc1cf5cd36 Merge remote-tracking branch 'upstream-public/pr/2131' into development 2018-12-06 16:04:55 +00:00
Jaeden Amero a04617ec18 Merge remote-tracking branch 'upstream-public/pr/2125' into development 2018-12-06 16:02:31 +00:00
Jaeden Amero c27e3420b9 Merge remote-tracking branch 'upstream-public/pr/2117' into development 2018-12-06 15:59:32 +00:00
Jaeden Amero 41722ec29e Merge remote-tracking branch 'upstream-public/pr/1958' into development 2018-12-06 15:53:56 +00:00
Janos Follath 3fbdadad7b SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work
with the new context, where we can't make any assumption about the
implementation of the context.

This commit makes use of the new functions to avoid accessing ECDH
members directly. The only members that are still accessed directly are
the group ID and the point format and they are independent from the
implementation.
2018-12-06 12:22:46 +00:00
Janos Follath 948f4bedcc Debug: Add functions for ECDH contexts
The SSL module accesses ECDH context members directly to print debug
information. This can't work with the new context, where we can't make
assumptions about the implementation of the context. This commit adds
new debug functions to complete the encapsulation of the ECDH context
and work around the problem.
2018-12-06 12:22:46 +00:00
Janos Follath 5a3e1bfda0 ECDH: Make the implementation use the new context
The functionality from public API functions are moved to
`xxx_internal()` functions. The public API functions are modified to do
basic parameter validation and dispatch the call to the right
implementation.

There is no intended change in behaviour when
`MBEDTLS_ECDH_LEGACY_CONTEXT` is enabled.
2018-12-06 12:22:18 +00:00
Janos Follath f61e486179 ECDH: Add mbedtls_ecdh_setup()
In the future we want to support alternative ECDH implementations. We
can't make assumptions about the structure of the context they might
use, and therefore shouldn't access the members of
`mbedtls_ecdh_context`.

Currently the lifecycle of the context can't be done without direct
manipulation. This commit adds `mbedtls_ecdh_setup()` to complete
covering the context lifecycle with functions.
2018-11-30 14:09:57 +00:00
Janos Follath 89ac8c9266 ECP: Add mbedtls_ecp_tls_read_group_id()
`mbedtls_ecp_tls_read_group()` both parses the group ID and loads the
group into the structure provided. We want to support alternative
implementations of ECDH in the future and for that we need to parse the
group ID without populating an `mbedtls_ecp_group` structure (because
alternative implementations might not use that).

This commit moves the part that parses the group ID to a new function.
There is no need to test the new function directly, because the tests
for `mbedtls_ecp_tls_read_group()` are already implicitly testing it.

There is no intended change in behaviour in this commit.
2018-11-30 14:09:57 +00:00
Simon Butcher 51b8a2fa87 Merge remote-tracking branch 'restricted/pr/512' into development 2018-11-29 16:56:02 +00:00
Simon Butcher b9eb7866eb Merge remote-tracking branch 'restricted/pr/535' into development 2018-11-29 16:54:51 +00:00
Simon Butcher 658618b6b2 Merge remote-tracking branch 'restricted/pr/516' into development 2018-11-29 16:53:51 +00:00
Ron Eldor a16fa297f7 Refactor mpi_write_hlp to not be recursive
Refactor `mpi_write_hlp()` to not be recursive, to fix stack overflows.
Iterate over the `mbedtls_mpi` division of the radix requested,
until it is zero. Each iteration, put the residue in the next LSB
of the output buffer. Fixes #2190
2018-11-27 10:34:36 +02:00
Gilles Peskine 8220466297 Streamline mbedtls_xxx_drbg_update_seed_file
Refactor mbedtls_ctr_drbg_update_seed_file and
mbedtls_hmac_drbg_update_seed_file to make the error logic clearer.

The new code does not use fseek, so it works with non-seekable files.
2018-11-26 19:26:22 +01:00
Gilles Peskine b7f71c8bc1 HMAC_DRBG: report all errors from HMAC functions
Make sure that any error from mbedtls_md_hmac_xxx is propagated.
2018-11-26 19:26:22 +01:00
Gilles Peskine e0e9c573ad HMAC_DRBG: deprecate mbedtls_hmac_drbg_update because it ignores errors
Deprecate mbedtls_hmac_drbg_update (which returns void) in favor of a
new function mbedtls_hmac_drbg_update_ret which reports error.
2018-11-26 19:26:21 +01:00
Gilles Peskine d919993b76 CTR_DRBG: deprecate mbedtls_ctr_drbg_update because it ignores errors
Deprecate mbedtls_ctr_drbg_update (which returns void) in favor of a
new function mbedtls_ctr_drbg_update_ret which reports error.
2018-11-26 19:26:00 +01:00
Gilles Peskine afa803775a HMAC_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine d9aa84dc0d CTR_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine 11cdb0559e mbedtls_mpi_write_binary: don't leak the exact size of the number
In mbedtls_mpi_write_binary, avoid leaking the size of the number
through timing or branches, if possible. More precisely, if the number
fits in the output buffer based on its allocated size, the new code's
trace doesn't depend on the value of the number.
2018-11-20 17:09:27 +01:00
Simon Butcher c1b9892177 Update library version number to 2.14.0 2018-11-19 18:31:40 +00:00
Simon Butcher de13963d66 Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed 2018-11-12 14:30:16 +00:00
Simon Butcher cdd1a6c872 Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed 2018-11-12 14:29:14 +00:00
Simon Butcher e51d4b336b Merge remote-tracking branch 'public/pr/2054' into development-proposed 2018-11-09 19:57:53 +00:00
Ron Eldor 9924bdc792 Deprecate hardware acceleration errors
Deprecate the module-specific XXX_HW_ACCEL_FAILED and
XXX_FEATURE_UNAVAILABLE errors, as alternative implementations should now
return `MBEDTLS_ERR_PLATFORM_HW_FAILED` and
`MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED`.
2018-11-09 15:01:07 +00:00
Ron Eldor bcca58c6cd Add common feature unavailable error
Add a common error for the feature unavailable, in the
platform module.
2018-11-09 13:57:37 +00:00
Simon Butcher d83448b736 Merge remote-tracking branch 'public/pr/2052' into development-restricted-proposed 2018-11-07 12:59:14 +00:00
Simon Butcher 53b45ec881 Merge remote-tracking branch 'public/pr/2079' into development-restricted-proposed 2018-11-07 12:58:44 +00:00
Simon Butcher bbc31b4827 Merge remote-tracking branch 'public/pr/2085' into development-restricted-proposed 2018-11-07 12:57:38 +00:00
Simon Butcher 93a9b497e0 Merge remote-tracking branch 'public/pr/2077' into development-restricted-proposed 2018-11-07 12:57:24 +00:00
Simon Butcher 241823aab8 Merge remote-tracking branch 'public/pr/1641' into development-restricted-proposed 2018-11-07 12:55:47 +00:00
Simon Butcher 42ab4ae033 Merge remote-tracking branch 'public/pr/2167' into development-restricted-proposed 2018-11-07 12:54:45 +00:00
Hanno Becker f6d6e30820 Fix incomplete assertion in ssl_write_handshake_msg()
ssl_write_handshake_msg() includes the assertion that
`ssl->handshake != NULL` when handling a record which is
(a) a handshake message, and NOT
(b) a HelloRequest.
However, it later calls `ssl_append_flight()` for any
record different from a HelloRequest handshake record,
that is, records satisfying !(a) || !(b), instead of
(a) && !(b) as covered by the assertion (specifically,
CCS or Alert records).

Since `ssl_append_flight()` assumes that `ssl->handshake != NULL`,
this rightfully triggers static analyzer warnings.

This commit expands the scope of the assertion to check
that `ssl->handshake != NULL` for any record which is not
a HelloRequest.
2018-11-07 11:57:51 +00:00
Simon Butcher 51b6abbbf2 Merge remote-tracking branch 'public/pr/2165' into development-proposed 2018-11-06 22:55:14 +00:00
Hanno Becker 9772da8792 Add missing bracket
Wasn't spotted earlier because it's guarded by `! HAVE_GETRANDOM`.
2018-11-06 13:12:47 +00:00
Ron Eldor 2981d8f161 Change to positive flow for all cases
Use the `rs_ctx` only when `MBEDTLS_ECP_RESTARTABLE` is defined.
2018-11-05 18:08:46 +02:00
Ron Eldor 93ace0199b Revert positive flow check
Revert changes for checking whether `MBEDTLS_ECP_RESTARTABLE`
is defined, since it broke the CI. The context is used whether the
restartable feature is defined or not.
2018-11-05 17:50:07 +02:00
Ron Eldor b430d9f262 Change to positive checks
1. Checge to check for `MBEDTLS_ECP_RESTARTABLE` for all definitions
of `rs_ctx`.
2. Remove checks for `_ALT` when using `rs_ctx` as they cannot coexist
with the Restartable configuration.
2018-11-05 17:18:29 +02:00
Ron Eldor 19779c4739 Some style and documentation fixes
1. Change description of of hte `MBEDTLS_ECP_RESTARTABLE`
in the configuration file.
2. Change check for compilation of `rs_ctx` to positive flow.
2018-11-05 16:58:13 +02:00
Ron Eldor 5ed8c1eded Avoid using restartable and alternative ECP imp.
1. Add a check that MBEDTLS_ECP_RESTARTABLE is not defined
   along any EC* alternative implementation.
2. Add a closing comment foran `#endif`.
2018-11-05 14:04:26 +02:00
Hanno Becker b75ffb5061 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-05 11:54:06 +00:00
Hanno Becker 1f8527f1cf Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-05 11:54:06 +00:00
Simon Butcher 06f88e9c42 Merge remote-tracking branch 'public/pr/2007' into development-proposed 2018-11-04 19:12:57 +00:00
Simon Butcher 76646a4bac Merge remote-tracking branch 'public/pr/1777' into development-proposed 2018-11-04 18:51:36 +00:00
Simon Butcher 2705beaeef Merge remote-tracking branch 'public/pr/2095' into development-proposed 2018-11-04 18:48:04 +00:00
Hanno Becker 710f203541 Merge branch 'iotssl-1770' into development_thomas_dee 2018-11-02 10:52:49 +00:00
Hanno Becker cec1c2685f Break overly long line in library/x509_create.c 2018-11-02 10:52:38 +00:00
Hanno Becker ee334a3a5c Remove Doxygen tags from documentation of private structure 2018-11-02 10:52:38 +00:00
Hanno Becker beffcd8d4a Update hardcoded certificates in library/certs.c
library/certs.c provides some hardcoded certificates that
are used e.g. by the test applications ssl_server2, ssl_client2
in case no certificates are provided on the command line.

The certificates used are from the tests/data_files folder
and have been updated in the latest commits. This commit
updates their copies in certs.c. It also adds comments
indicating the files from which the data is taken, in
order to ease update in the future.
2018-11-02 10:52:38 +00:00
Hanno Becker 6e1adee42b Regenerate test files
Previous commits have added or modified build instructions for
server1*, server2*, server5*, test-ca*, cli-rsa* in the Makefile
tests/data_files/Makefile, or the apps they invoke have been changed.

This commit regenerates those files to make sure they are in match with
the build instructions.
2018-11-02 10:52:38 +00:00
Hanno Becker cb93813e04 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-02 10:49:09 +00:00
Hanno Becker 0f6903d84c Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-02 10:49:08 +00:00
Ron Eldor 2b161c33be Fix compilation issue
Fix compilation error when both `MBEDTLS_ECP_RESTARTABLE` and the
alternative definition of ECDH function are defined.
2018-11-01 16:18:20 +02:00
Ron Eldor 936d284f4d Minor fixes
1. Fix unused symbols compilation warnings.
2. Add comments for the closing `endif`.
2018-11-01 13:05:52 +02:00
Ron Eldor 8493f80e65 conditionaly compile ECDH and ECDSA alt functions
Return the condition compilation flags surrounding
`mbedtls_ecdh_compute_shared()`, `mbedtls_ecdh_gen_public()`,
`mbedtls_ecdsa_sign()` and `mbedtls_ecdsa_verify()` that were accidentally
removed in a previous merge.
Resolves #2163
2018-11-01 11:32:15 +02:00
Krzysztof Stachowiak c388a8c394 Fix typo in a test condition code 2018-10-31 16:49:20 +01:00
Simon Butcher 7904f94550 Merge remote-tracking branch 'public/pr/1099' into development-proposed 2018-10-28 18:10:37 +00:00
Simon Butcher 17a0fab345 Merge remote-tracking branch 'public/pr/2111' into development-proposed 2018-10-28 16:22:18 +00:00
Simon Butcher a07d86e8af Merge remote-tracking branch 'public/pr/1902' into development 2018-10-27 18:36:55 +01:00
Simon Butcher ef263ebcd7 Merge remote-tracking branch 'public/pr/1993' into development 2018-10-27 18:36:28 +01:00
Hanno Becker b10c66073f Detect unsigned integer overflow in mbedtls_ecp_check_budget()
This commit modifies a bounds check in `mbedtls_ecp_check_budget()` to
be correct even if the requested number of ECC operations would overflow
the operation counter.
2018-10-26 15:09:35 +01:00
Hanno Becker 6934e9b288 Indentation fix 2018-10-25 16:07:16 +01:00
Hanno Becker 137015c1b1 Fix unsafe bounds checks in ssl_load_session()
Fixes #659 reported by Guido Vranken.
2018-10-25 16:07:08 +01:00
Simon Butcher 169712e15a Merge remote-tracking branch 'restricted/pr/390' into development 2018-10-24 18:34:30 +01:00
Hanno Becker 9543373668 Use brackets around shift operations
Use `( x >> y ) & z` instead of `x >> y & z`. Both are equivalent
by operator precedence, but the former is more readable and the
commonly used idiom in the library.
2018-10-24 13:31:49 +01:00
Jaeden Amero a74faba27a aes: xts: Correct NIST 80-38E to 800-38E
Correct a typo in an AES XTS implementation comment where the relevant
NIST standard was incorrectly referred to as NIST 80-38E instead of NIST
800-38E.
2018-10-23 12:07:18 +01:00
Jaeden Amero 8381fcb3f9 aes: xts: Update inaccurate comments
It is inaccurate to call a data unit a "sector". A disk sector is a
common use case for the data unit, but there exist other types of data
units that are not sectors.
2018-10-23 12:07:18 +01:00
Manuel Pégourié-Gonnard a966fdea72 Fix some documentation typos and improve a comment 2018-10-23 10:41:11 +02:00
Brian J Murray f343de12dc typo fix 2018-10-22 16:41:35 -07:00
Manuel Pégourié-Gonnard ca29fdf569 Fix some typos in documentation and comments 2018-10-22 09:56:53 +02:00
Hanno Becker 27516979c1 Entropy: Fall through to /dev/random if getrandom() syscall unknown
This commit fixes issue #1212 related to platform-specific entropy
polling in an syscall-emulated environment.

Previously, the implementation of the entropy gathering function
`mbedtls_platform_entropy_poll()` for linux machines used the
following logic to determine how to obtain entropy from the kernel:

1. If the getrandom() system call identifier SYS_getrandom is present and
   the kernel version is 3.17 or higher, use syscall( SYS_getrandom, ... )
2. Otherwise, fall back to reading from /dev/random.

There are two issues with this:

1. Portability:
   When cross-compiling the code for a different
   architecture and running it through system call
   emulation in qemu, qemu reports the host kernel
   version through uname but, as of v.2.5.0,
   doesn't support emulating the getrandom() syscall.
   This leads to `mbedtls_platform_entropy_poll()`
   failing even though reading from /dev/random would
   have worked.

2. Style:
   Extracting the linux kernel version from
   the output of `uname` is slightly tedious.

This commit fixes both by implementing the suggestion in #1212:
- It removes the kernel-version detection through uname().
- Instead, it checks whether `syscall( SYS_getrandom, ... )`
  fails with errno set to ENOSYS indicating an unknown system call.
  If so, it falls through to trying to read from /dev/random.

Fixes #1212.
2018-10-18 12:12:04 +01:00
Hanno Becker dd3ab13da3 Fail when encountering invalid CBC padding in EtM records
This commit changes the behavior of the record decryption routine
`ssl_decrypt_buf()` in the following situation:
1. A CBC ciphersuite with Encrypt-then-MAC is used.
2. A record with valid MAC but invalid CBC padding is received.
In this situation, the previous code would not raise and error but
instead forward the decrypted packet, including the wrong padding,
to the user.

This commit changes this behavior to return the error
MBEDTLS_ERR_SSL_INVALID_MAC instead.

While erroneous, the previous behavior does not constitute a
security flaw since it can only happen for properly authenticated
records, that is, if the peer makes a mistake while preparing the
padded plaintext.
2018-10-17 14:43:14 +01:00
Hanno Becker 44da18a294 Duplicate mbedtls_asn1_find_named_data in asn1write.c to avoid dep.
This commit duplicates the public function mbedtls_asn1_find_named_data()
defined in library/asn1parse.c within library/asn1write.c in order to
avoid a dependency of the ASN.1 writing module on the ASN.1 parsing module.

The duplication is unproblematic from a semantic and an efficiency
perspective becasue it is just a short list traversal that doesn't
actually do any ASN.1 parsing.
2018-10-16 13:44:06 +01:00
Hanno Becker 1ea604d3ee Guard mbedtls_pkcs5_pbes2() by MBEDTLS_ASN1_PARSE_C
Previously, mbedtls_pkcs5_pbes2() was unconditionally declared
in `pkcs5.h` but defined as a stub returning
`MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE` in case
MBEDTLS_ASN1_PARSE_C was not defined.

In line with the previous commits, this commit removes declaration
and definition from both `pkcs5.h` and `pkcs5.c` in case
MBEDTLS_ASN1_PARSE_C is not defined.
2018-10-16 13:39:40 +01:00
Hanno Becker 8a89f9fcd2 Make PBE-related parts of PKCS12 depend on MBEDTLS_ASN1_PARSE_C 2018-10-16 13:39:40 +01:00
Manuel Pégourié-Gonnard b25cb603bb Add a comment to clarify code flow 2018-10-16 11:48:09 +02:00
Manuel Pégourié-Gonnard a5a3e40c4e Fix missing dereference.
Went unnoticed because it was only on a defensive code path, in an internal
function, so not exercised.
2018-10-16 11:27:23 +02:00
Manuel Pégourié-Gonnard 90f31b71a8 Improve readability by moving counter decrement
Avoid the slightly awkward rs_ctx-> i = i + 1
2018-10-16 10:45:24 +02:00
Manuel Pégourié-Gonnard a58e011ac0 Fix alignment in a macro definition 2018-10-16 10:42:47 +02:00
Manuel Pégourié-Gonnard b843b15a02 Fix function name to fit conventions 2018-10-16 10:41:31 +02:00
Manuel Pégourié-Gonnard c0edc96704 Add comment on internal function API 2018-10-16 10:38:19 +02:00
Manuel Pégourié-Gonnard d8b73f2312 Remove unnecessary calls to init() from free()
Our API makes no guarantee that you can use a context after free()ing it
without re-init()ing it first, so better not give the wrong impression that we
do, while it's not policy and the rest of the code might not allow it.
2018-10-16 10:34:13 +02:00
Manuel Pégourié-Gonnard c37423fa76 Fix misleading sub-state name and comments
The enum constant had 'ske' in its name while this was a sub-state of the
"write client key exchange" state; corresponding issue in the comment.
2018-10-16 10:28:17 +02:00
Ron Eldor 5267b62248 Change error description
1. Change error description to a clearer one.
2. Change value in the error codes ranges description.
2018-10-15 18:44:42 +03:00
Ron Eldor a27190b774 Rename platform error code and value
Rename the PLATFORM HW error, to avoid ABI breakage with Mbed OS.
The value changed as well, as previous value was not in the range of
Mbed TLS low level error codes.
2018-10-15 16:33:43 +03:00
Manuel Pégourié-Gonnard ee68cff813 Fix or improve some comments (and whitespace) 2018-10-15 15:27:49 +02:00
Manuel Pégourié-Gonnard f0bbd7e3fd Misc documentation fixes/improvements. 2018-10-15 13:22:41 +02:00
Manuel Pégourié-Gonnard 6346a75dfb Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development:
  ssl-opt.sh: change expected output for large srv packet test with SSLv3
  Adapt ChangeLog
  Fix bug in SSL ticket implementation removing keys of age < 1s
  ssl-opt.sh: Add DTLS session resumption tests
  Add ChangeLog entry
  Fix typo
  Fix hmac_drbg failure in benchmark, with threading
  Remove trailing whitespace
  Remove trailing whitespace
  ssl_server2: add buffer overhead for a termination character
  Add missing large and small packet tests for ssl_server2
  Added buffer_size and response_size options for ssl-server2. Added appropriate tests.

Solving a conflict in tests/ssl-opt.sh: two set of tests were added at the
same place (just after large packets):
- restartable ECC tests (in this branch)
- server-side large packets (in development)

Resolution was to move the ECC tests after the newly added server large packet
ones.
2018-10-15 11:26:17 +02:00
Gilles Peskine 4899247bf2 Fix undefined behavior in unsigned-to-signed conversion
The code assumed that `int x = - (unsigned) u` with 0 <= u < INT_MAX
sets `x` to the negative of u, but actually this calculates
(UINT_MAX - u) and then converts this value to int, which overflows.
Cast to int before applying the unary minus operator to guarantee the
desired behavior.
2018-10-12 20:32:55 +02:00
Gilles Peskine 9b430704d1 Fix likely-harmless undefined behavior surrounding volatile
The code was making two unsequenced reads from volatile locations.
This is undefined behavior. It was probably harmless because we didn't
care in what order the reads happened and the reads were from ordinary
memory, but UB is UB and IAR8 complained.
2018-10-12 20:32:52 +02:00
Hanno Becker 805f2e11bd Add missing zeroization of buffered handshake messages
This commit ensures that buffers holding fragmented or
future handshake messages get zeroized before they are
freed when the respective handshake message is no longer
needed. Previously, the handshake message content would
leak on the heap.
2018-10-12 16:50:37 +01:00
Andrzej Kurek 748face36f ssl_tls: fix maximum output length
set maximum output length to MBEDTLS_SSL_OUT_CONTENT_LEN instead of
MBEDTLS_SSL_MAX_CONTENT_LEN.
2018-10-11 07:20:19 -04:00
Hanno Becker 780f0a4cc1 Reinitialize PK ctx in mbedtls_pk_parse_key before reuse are free
Context: This commit makes a change to mbedtls_pk_parse_key() which
is responsible for parsing of private keys. The function doesn't know
the key format in advance (PEM vs. DER, encrypted vs. unencrypted) and
tries them one by one, resetting the PK context in between.

Issue: The previous code resets the PK context through a call to
mbedtls_pk_free() along, lacking the accompanying mbedtls_pk_init()
call. Practically, this is not an issue because functionally
mbedtls_pk_free() + mbedtls_pk_init() is equivalent to mbedtls_pk_free()
with the current implementation of these functions, but strictly
speaking it's nonetheless a violation of the API semantics according
to which xxx_free() functions leave a context in uninitialized state.
(yet not entirely random, because xxx_free() functions must be idempotent,
so they cannot just fill the context they operate on with garbage).

Change: The commit adds calls to mbedtls_pk_init() after those calls
to mbedtls_pk_free() within mbedtls_pk_parse_key() after which the
PK context might still be used.
2018-10-11 11:31:15 +01:00
Hanno Becker cfa2e33fd2 Omit runtime configuration of calloc/free if macro config enabled
This commit removes the definition of the API function

`mbedtls_platform_set_calloc_free()`

from `library/platform.c` in case the macros

`MBEDTLS_PLATFORM_CALLOC_MACRO`
`MBEDTLS_PLATFORM_FREE_MACRO`

for compile time configuration of calloc/free are set.

This is in line with the corresponding header `mbedtls/platform.h`
which declares `mbedtls_platform_set_calloc_free()` only if
`MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO` are not defined.

Fixes #1642.
2018-10-11 11:04:20 +01:00
Hanno Becker 8df10232cf Add explicit unsigned-to-signed integer conversion
The previous code triggered a compiler warning because of a comparison
of a signed and an unsigned integer.

The conversion is safe because `len` is representable by 16-bits,
hence smaller than the maximum integer.
2018-10-10 15:48:39 +01:00
Darryl Green e3f95ed25b Fix bias in random number generation in Miller-Rabin test
When a random number is generated for the Miller-Rabin primality test,
if the bit length of the random number is larger than the number being
tested, the random number is shifted right to have the same bit length.
This introduces bias, as the random number is now guaranteed to be
larger than 2^(bit length-1).

Changing this to instead zero all bits higher than the tested numbers
bit length will remove this bias and keep the random number being
uniformly generated.
2018-10-09 16:36:53 +01:00
Janos Follath a0b67c2f3e Bignum: Deprecate mbedtls_mpi_is_prime()
When using a primality testing function the tolerable error rate depends
on the scheme in question, the required security strength and wether it
is used for key generation or parameter validation. To support all use
cases we need more flexibility than what the old API provides.
2018-10-09 16:36:53 +01:00
Janos Follath da31fa137a Bignum: Fix prime validation vulnerability
The input distribution to primality testing functions is completely
different when used for generating primes and when for validating
primes. The constants used in the library are geared towards the prime
generation use case and are weak when used for validation. (Maliciously
constructed composite numbers can pass the test with high probability)

The mbedtls_mpi_is_prime() function is in the public API and although it
is not documented, it is reasonable to assume that the primary use case
is validating primes. The RSA module too uses it for validating key
material.
2018-10-09 16:36:53 +01:00
Janos Follath b728c29114 Bignum: Remove dead code
Both variables affected by the code are overwritten before their next
read.
2018-10-09 16:33:27 +01:00
Janos Follath b8fc1b02ee RSA: Use MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR 2018-10-09 16:33:27 +01:00
Janos Follath f301d23ceb Bignum: Improve primality test for FIPS primes
The FIPS 186-4 RSA key generation prescribes lower failure probability
in primality testing and this makes key generation slower. We enable the
caller to decide between compliance/security and performance.

This python script calculates the base two logarithm of the formulas in
HAC Fact 4.48 and was used to determine the breakpoints and number of
rounds:

def mrpkt_log_2(k, t):
    if t <= k/9.0:
        return 3*math.log(k,2)/2+t-math.log(t,2)/2+4-2*math.sqrt(t*k)
    elif t <= k/4.0:
        c1 = math.log(7.0*k/20,2)-5*t
        c2 = math.log(1/7.0,2)+15*math.log(k,2)/4.0-k/2.0-2*t
        c3 = math.log(12*k,2)-k/4.0-3*t
        return max(c1, c2, c3)
    else:
        return math.log(1/7.0)+15*math.log(k,2)/4.0-k/2.0-2*t
2018-10-09 16:33:27 +01:00
Andrzej Kurek ef43ce6e25 Dtls: change the way unlimited mtu is set for client hello messages 2018-10-09 08:24:12 -04:00
Hanno Becker 1624e2e8bb Avoid overly long lines X.509 DN attr array def in x509_create.c 2018-10-08 14:52:20 +01:00
Hanno Becker 35b6854e54 Replace reference to RFC 3280 by reference to newer RFC 5280 2018-10-08 14:47:38 +01:00
Hanno Becker cfc47bab69 Correct some indentation and line lengths in x509_create.c 2018-10-08 14:45:42 +01:00
Hanno Becker d355e69aed Rename tag to default_tag in x509_attr_descriptor_t 2018-10-08 14:44:32 +01:00
Hanno Becker d2c9009e5a Improve documentation of x509_attr_descriptor_t 2018-10-08 14:42:34 +01:00
Hanno Becker 0c161d1956 Fix bounds check in ssl_parse_server_psk_hint()
In the previous bounds check `(*p) > end - len`, the computation
of `end - len` might underflow if `end` is within the first 64KB
of the address space (note that the length `len` is controlled by
the peer). In this case, the bounds check will be bypassed, leading
to `*p` exceed the message bounds by up to 64KB when leaving
`ssl_parse_server_psk_hint()`. In a pure PSK-based handshake,
this doesn't seem to have any consequences, as `*p*` is not accessed
afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from
in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()`
which might lead to an application crash of information leakage.
2018-10-08 13:40:50 +01:00
Simon Butcher e1660af2e2 Fix CSR parsing header call
Change the secondary X509 CSR parsing call for the alternative MS header to only
occur if the first call fails due to the header being unfound, instead of any
call.
2018-10-07 17:48:37 +01:00
Simon Butcher 0488ce653a Add support for alternative CSR headers
Add support for RFC7468, and the alternative Microsoft footer/headers for CSR's
that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of
'BEGIN CERTIFICATE REQUEST'.
2018-10-06 17:17:54 +01:00
Gilles Peskine ec2a5fdee1 PKCS#1 v1.5 decoding: fix empty payload case 2018-10-05 20:48:20 +02:00
Gilles Peskine 40b57f4acd Remove a remaining sensitive memory access in PKCS#1 v1.5 decryption 2018-10-05 15:35:03 +02:00
Gilles Peskine 85a7442753 mbedtls_rsa_rsaes_pkcs1_v15_decrypt: remove the variable p
Get rid of the variable p. This makes it more apparent where the code
accesses the buffer at an offset whose value is sensitive.

No intended behavior change in this commit.
2018-10-05 14:50:21 +02:00
Andrzej Kurek 6290dae909 Disable dtls fragmentation for ClientHello messages
Set the handshake mtu to unlimited when encountering a ClienHello message and
reset it to its previous value after writing the record.
2018-10-05 08:06:01 -04:00
Gilles Peskine eeedabe25e Minor optimization in the PKCS#1v1.5 unpadding step
Rather than doing the quadratic-time constant-memory-trace on the
whole working buffer, do it on the section of the buffer where the
data to copy has to lie, which can be significantly smaller if the
output buffer is significantly smaller than the working buffer, e.g.
for TLS RSA ciphersuites (48 bytes vs MBEDTLS_MPI_MAX_SIZE).
2018-10-04 22:45:13 +02:00
Gilles Peskine 8c9440a2cb Use branch-free size comparison for the padding size
In mbedtls_rsa_rsaes_pkcs1_v15_decrypt, use size_greater_than (which
is based on bitwise operations) instead of the < operator to compare
sizes when the values being compared must not leak. Some compilers
compile < to a branch at least under some circumstances (observed with
gcc 5.4 for arm-gnueabi -O9 on a toy program).
2018-10-04 21:44:40 +02:00
Gilles Peskine a1af5c8ea2 Bleichenbacher fix: don't leak the plaintext length (step 2)
Replace memmove(to, to + offset, length) by a functionally equivalent
function that strives to make the same memory access patterns
regardless of the value of length. This fixes an information leak
through timing (especially timing of memory accesses via cache probes)
that leads to a Bleichenbacher-style attack on PKCS#1 v1.5 decryption
using the plaintext length as the observable.
2018-10-04 21:44:29 +02:00
Gilles Peskine 9265ff4ee6 Bleichenbacher fix: don't leak the plaintext length (step 1)
mbedtls_rsa_rsaes_pkcs1_v15_decrypt takes care not to reveal whether
the padding is valid or not, even through timing or memory access
patterns. This is a defense against an attack published by
Bleichenbacher. The attacker can also obtain the same information by
observing the length of the plaintext. The current implementation
leaks the length of the plaintext through timing and memory access
patterns.

This commit is a first step towards fixing this leak. It reduces the
leak to a single memmove call inside the working buffer.
2018-10-04 21:38:22 +02:00
Gilles Peskine 331d80e162 Evolve choose_int_from_mask to if_int
Make the function more robust by taking an arbitrary zero/nonzero
argument instead of insisting on zero/all-bits-one. Update and fix its
documentation.
2018-10-04 21:36:34 +02:00
Simon Butcher d2642584cb Make inclusion of stdio.h conditional in x509_crt.c
stdio.h was being included both conditionally if MBEDTLS_FS_IO was
defined, and also unconditionally, which made at least one of them
redundant.

This change removes the unconditional inclusion of stdio.h and makes it
conditional on MBEDTLS_PLATFORM_C.
2018-10-03 15:11:19 +01:00
Gilles Peskine e2a10de275 Fix a timing-based Bleichenbacher attack on PKCS#1v1.5 decryption
mbedtls_rsa_rsaes_pkcs1_v15_decrypt took care of calculating the
padding length without leaking the amount of padding or the validity
of the padding. However it then skipped the copying of the data if the
padding was invalid, which could allow an adversary to find out
whether the padding was valid through precise timing measurements,
especially if for a local attacker who could observe memory access via
cache timings.

Avoid this leak by always copying from the decryption buffer to the
output buffer, even when the padding is invalid. With invalid padding,
copy the same amount of data as what is expected on valid padding: the
minimum valid padding size if this fits in the output buffer,
otherwise the output buffer size. To avoid leaking payload data from
an unsuccessful decryption, zero the decryption buffer before copying
if the padding was invalid.
2018-10-03 01:03:05 +02:00
Gilles Peskine 5908dd4455 Minor readability improvement
Polish the beginning of mbedtls_rsa_rsaes_pkcs1_v15_decrypt a little,
to prepare for some behavior changes.
2018-10-02 22:43:06 +02:00
Jaeden Amero 3725bb2d6d rsa: pss: Enable use of big hashes with small keys
It should be valid to RSASSA-PSS sign a SHA-512 hash with a 1024-bit or
1032-bit RSA key, but with the salt size being always equal to the hash
size, this isn't possible: the key is too small.

To enable use of hashes that are relatively large compared to the key
size, allow reducing the salt size to no less than the hash size minus 2
bytes. We don't allow salt sizes smaller than the hash size minus 2
bytes because that too significantly changes the security guarantees the
library provides compared to the previous implementation which always
used a salt size equal to the hash size. The new calculated salt size
remains compliant with FIPS 186-4.

We also need to update the "hash too large" test, since we now reduce
the salt size when certain key sizes are used. We used to not support
1024-bit keys with SHA-512, but now we support this by reducing the salt
size to 62. Update the "hash too large" test to use a 1016-bit RSA key
with SHA-512, which still has too large of a hash because we will not
reduce the salt size further than 2 bytes shorter than the hash size.

The RSA private key used for the test was generated using "openssl
genrsa 1016" using OpenSSL 1.1.1-pre8.

    $ openssl genrsa 1016
    Generating RSA private key, 1016 bit long modulus (2 primes)
    ..............++++++
    ....++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICVwIBAAKBgACu54dKTbLxUQBEQF2ynxTfDze7z2H8vMmUo9McqvhYp0zI8qQK
    yanOeqmgaA9iz52NS4JxFFM/2/hvFvyd/ly/hX2GE1UZpGEf/FnLdHOGFhmnjj7D
    FHFegEz/gtbzLp9X3fOQVjYpiDvTT0Do20EyCbFRzul9gXpdZcfaVHNLAgMBAAEC
    gYAAiWht2ksmnP01B2nF8tGV1RQghhUL90Hd4D/AWFJdX1C4O1qc07jRBd1KLDH0
    fH19WocLCImeSZooGCZn+jveTuaEH14w6I0EfnpKDcpWVAoIP6I8eSdAttrnTyTn
    Y7VgPrcobyq4WkCVCD/jLUbn97CneF7EHNspXGMTvorMeQJADjy2hF5SginhnPsk
    YR5oWawc6n01mStuLnloI8Uq/6A0AOQoMPkGl/CESZw+NYfe/BnnSeckM917cMKL
    DIKAtwJADEj55Frjj9tKUUO+N9eaEM1PH5eC7yakhIpESccs/XEsaDUIGHNjhctK
    mrbbWu+OlsVRA5z8yJFYIa7gae1mDQJABjtQ8JOQreTDGkFbZR84MbgCWClCIq89
    5R3DFZUiAw4OdS1o4ja+Shc+8DFxkWDNm6+C63g/Amy5sVuWHX2p9QI/a69Cxmns
    TxHoXm1w9Azublk7N7DgB26yqxlTfWJo+ysOFmLEk47g0ekoCwLPxkwXlYIEoad2
    JqPh418DwYExAkACcqrd9+rfxtrbCbTXHEizW7aHR+fVOr9lpXXDEZTlDJ57sRkS
    SpjXbAmylqQuKLqH8h/72RbiP36kEm5ptmw2
    -----END RSA PRIVATE KEY-----
2018-09-27 18:23:08 +01:00
Simon Butcher c86993e33c Merge remote-tracking branch 'public/pr/1970' into development 2018-09-27 09:48:54 +01:00
Janos Follath 7c025a9f50 Generalize dh_flag in mbedtls_mpi_gen_prime
Setting the dh_flag to 1 used to indicate that the caller requests safe
primes from mbedtls_mpi_gen_prime. We generalize the functionality to
make room for more flags in that parameter.
2018-09-21 16:30:07 +01:00
thomas-dee eba6c9bb50 changes requested by @hanno-arm
- renamed `mbedtls_asn1_write_any_string` to `mbedtls_asn1_write_tagged_string`
 - renamed `x509_at_oid_from_name` to `x509_attr_descr_from_name`
2018-09-19 09:10:37 +02:00
Ron Eldor 54a7c620bb Minor style changes
1. Rephrase error description.
2. fix alignment of error list.
2018-09-12 14:43:44 +03:00
Manuel Pégourié-Gonnard 1c1c20ed4d Fix some whitespace issues 2018-09-12 10:34:43 +02:00
Jaeden Amero ff215726b4 rsa: pss: Use size_t when computing signatures
Functions like `mbedtls_md_get_size()` and `mgf_mask()` work with
`size_t`. Use local variables with `size_t` to match.
2018-09-11 14:36:03 +01:00
Manuel Pégourié-Gonnard 125af948c3 Merge branch 'development-restricted' into iotssl-1260-non-blocking-ecc-restricted
* development-restricted: (578 commits)
  Update library version number to 2.13.1
  Don't define _POSIX_C_SOURCE in header file
  Don't declare and define gmtime()-mutex on Windows platforms
  Correct preprocessor guards determining use of gmtime()
  Correct documentation of mbedtls_platform_gmtime_r()
  Correct typo in documentation of mbedtls_platform_gmtime_r()
  Correct POSIX version check to determine presence of gmtime_r()
  Improve documentation of mbedtls_platform_gmtime_r()
  platform_utils.{c/h} -> platform_util.{c/h}
  Don't include platform_time.h if !MBEDTLS_HAVE_TIME
  Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Replace 'thread safe' by 'thread-safe' in the documentation
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  ChangeLog: Add missing renamings gmtime -> gmtime_r
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  Minor documentation improvements
  Style: Add missing period in documentation in threading.h
  Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
  Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT
  ...
2018-09-11 12:39:14 +02:00
Simon Butcher 53546ea099 Update library version number to 2.13.1 2018-09-06 19:10:26 +01:00
Simon Butcher 5d40f67138 Merge remote-tracking branch 'public/pr/1927' into development-restricted 2018-09-06 16:24:48 +01:00
Hanno Becker f5106d54eb Don't declare and define gmtime()-mutex on Windows platforms 2018-09-06 12:09:56 +01:00
Hanno Becker 323d8019bf Correct preprocessor guards determining use of gmtime()
The previous code erroneously used gmtime_r() to implement
mbedtls_platform_gmtime() in case of a non-windows, non-unix system.
2018-09-06 11:30:57 +01:00
Hanno Becker 6f70581c4a Correct POSIX version check to determine presence of gmtime_r()
Recent versions of POSIX move gmtime_r to the base.
2018-09-06 09:06:33 +01:00
Gilles Peskine a7cfdad82e Fix pk_write with an EC key to write a constant-length private value
When writing a private EC key, use a constant size for the private
value, as specified in RFC 5915. Previously, the value was written
as an ASN.1 INTEGER, which caused the size of the key to leak
about 1 bit of information on average, and could cause the value to be
1 byte too large for the output buffer.
2018-09-05 17:27:48 +02:00
Hanno Becker 7dd82b4f51 platform_utils.{c/h} -> platform_util.{c/h} 2018-09-05 16:26:04 +01:00
Hanno Becker 48a816ff26 Minor documentation improvements 2018-09-05 15:22:22 +01:00
Hanno Becker 6a739789f3 Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
For consistency, also rename MBEDTLS_PLATFORM_GMTIME_ALT to
MBEDTLS_PLATFORM_GMTIME_R_ALT.
2018-09-05 15:06:19 +01:00
Hanno Becker be2e4bddd5 Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT 2018-09-05 14:44:31 +01:00
Hanno Becker cfeb70c6b9 gmtime: Remove special treatment for IAR
Previous commits attempted to use `gmtime_s()` for IAR systems; however,
this attempt depends on the use of C11 extensions which lead to incompatibility
with other pieces of the library, such as the use of `memset()` which is
being deprecated in favor of `memset_s()` in C11.
2018-09-05 13:52:46 +01:00
Andres Amaya Garcia 94b540ac63 Avoid redefining _POSIX_C_SOURCE 2018-09-05 12:27:32 +01:00
Andres Amaya Garcia 433f911e59 Check for IAR in gmtime macros 2018-09-05 12:01:57 +01:00
Andres Amaya Garcia 3c9733a0a3 Fix typo in comment for gmtime macro defines 2018-09-05 11:52:07 +01:00
Andres Amaya Garcia ca04a01bb8 Document shorthand gmtime macros 2018-09-05 11:43:57 +01:00
Andres Amaya Garcia 209960611f Use gmtime_s() for IAR 2018-09-05 11:27:56 +01:00
Andres Amaya Garcia e9b10b21f1 Define _POSIX_C_SOURCE in threading.c before POSIX detection 2018-09-05 11:25:30 +01:00
Simon Butcher 4d075cd7d0 Update library version number to 2.13.0 2018-08-31 15:59:10 +01:00
irwir da642d98c0
Implicit _endthread call: comment changed 2018-08-31 15:14:54 +03:00
irwir e1b82ad25f
Added spaces after type casts
`(void) TimerContext;` seems more consistent with the current style than ((void) TimerContext);
No objections to changing this if necessary.
2018-08-30 11:57:09 +03:00
Simon Butcher 0bbb4fc132 Merge branch 'development' into development 2018-08-30 01:11:35 +01:00
Simon Butcher 552754a6ee Merge remote-tracking branch 'public/pr/1988' into development 2018-08-30 00:57:28 +01:00
Simon Butcher 68dbc94720 Merge remote-tracking branch 'public/pr/1951' into development 2018-08-30 00:56:56 +01:00
Ron Eldor b0ad581526 Remove the invalid input for platform module
Remove the invalid input for the platform module,
as it's not currently used in the Mbed OS platform setup \
termination code.
2018-08-29 19:06:14 +03:00
Ron Eldor 0ff4e0b824 Add platform error codes
Add error codes for the platform module, to be used by
the setup \ terminate API.
2018-08-29 18:53:20 +03:00
Hanno Becker a591c48302 Correct typo in debug message 2018-08-28 17:52:53 +01:00
Hanno Becker 83ab41c665 Correct typo in comment 2018-08-28 17:52:53 +01:00
Hanno Becker cd9dcda0a0 Add const qualifier to handshake header reading functions 2018-08-28 17:52:53 +01:00
Hanno Becker 39b8bc9aef Change wording of debug message 2018-08-28 17:52:49 +01:00
Hanno Becker ef7afdfa5a Rename another_record_in_datagram to next_record_is_in_datagram 2018-08-28 17:16:31 +01:00
Hanno Becker c573ac33dd Fix typos in debug message and comment in ssl-tls.c 2018-08-28 17:15:25 +01:00
Simon Butcher 3af567d4a7 Merge remote-tracking branch 'restricted/pr/437' into development-restricted 2018-08-28 15:33:59 +01:00
Simon Butcher 129fa82908 Merge remote-tracking branch 'restricted/pr/470' into development-restricted 2018-08-28 15:26:11 +01:00
Simon Butcher 7f85563f9b Merge remote-tracking branch 'restricted/pr/491' into development-restricted 2018-08-28 15:22:40 +01:00
Simon Butcher 9ce5160fea Merge remote-tracking branch 'public/pr/1965' into development 2018-08-28 12:34:14 +01:00
Simon Butcher 9d5a9e1213 Merge remote-tracking branch 'public/pr/1625' into development 2018-08-28 12:23:40 +01:00
Simon Butcher 14dac0953e Merge remote-tracking branch 'public/pr/1918' into development 2018-08-28 12:21:41 +01:00
Simon Butcher 1846e406c8 Merge remote-tracking branch 'public/pr/1939' into development 2018-08-28 12:19:56 +01:00
Simon Butcher 9598845d11 Merge remote-tracking branch 'public/pr/1955' into development 2018-08-28 12:00:18 +01:00
Simon Butcher 4613772dea Merge remote-tracking branch 'public/pr/1915' into development 2018-08-28 11:45:44 +01:00
Hanno Becker 0207e533b2 Style: Correct typo in ssl-tls.c 2018-08-28 10:28:28 +01:00
Hanno Becker bc2498a9ff Style: Add numerous comments indicating condition guarded by #endif 2018-08-28 10:13:29 +01:00
Hanno Becker d58477769d Style: Group buffering-related forward declarations in ssl_tls.c 2018-08-28 10:09:23 +01:00
Hanno Becker 360bef3fe3 Reordering: Document that only HS and CCS msgs are buffered 2018-08-28 10:04:33 +01:00
Hanno Becker 4f432ad44d Style: Don't use abbreviations in comments 2018-08-28 10:02:32 +01:00
Hanno Becker b8f50147ee Add explicit MBEDTLS_DEBUG_C-guard around debugging code 2018-08-28 10:01:34 +01:00
Hanno Becker f0da6670dc Style: Add braces around if-branch where else-branch has them 2018-08-28 09:55:10 +01:00
Hanno Becker ecbdf1c048 Style: Correct indentation of debug msgs in mbedtls_ssl_write_record 2018-08-28 09:54:44 +01:00
Hanno Becker 3f7b973e32 Correct typo in mbedtls_ssl_flight_transmit() 2018-08-28 09:53:25 +01:00
Hanno Becker 6e12c1ea7d Enhance debugging output 2018-08-24 14:48:08 +01:00
Hanno Becker 0e96585bdd Merge branch 'datagram_packing' into message_reordering 2018-08-24 12:16:41 +01:00
Hanno Becker 1841b0a11c Rename ssl_conf_datagram_packing() to ssl_set_datagram_packing()
The naming convention is that functions of the form mbedtls_ssl_conf_xxx()
apply to the SSL configuration.
2018-08-24 11:13:57 +01:00
Hanno Becker f4b010efc4 Limit MTU by maximum fragment length setting
By the standard (RFC 6066, Sect. 4), the Maximum Fragment Length (MFL)
extension limits the maximum record payload size, but not the maximum
datagram size. However, not inferring any limitations on the MTU when
setting the MFL means that a party has no means to dynamically inform
the peer about MTU limitations.

This commit changes the function ssl_get_remaining_payload_in_datagram()
to never return more than

MFL - { Total size of all records within the current datagram }

thereby limiting the MTU to MFL + { Maximum Record Expansion }.
2018-08-24 10:47:29 +01:00
Hanno Becker 283f5efe7d Buffering: Free future record epoch after each flight
The function ssl_free_buffered_record() frees a future epoch record, if
such is present. Previously, it was called in mbedtls_handshake_free(),
i.e. an unused buffered record would be cleared at the end of the handshake.
This commit moves the call to the function ssl_buffering_free() responsible
for freeing all buffering-related data, and which is called not only at
the end of the handshake, but at the end of every flight. In particular,
future record epochs won't be buffered across flight boundaries anymore,
and they shouldn't.
2018-08-24 09:34:47 +01:00
Hanno Becker 081bd81865 ssl_write_handshake_msg(): Always append CCS messages to flights
The previous code appended messages to flights only if their handshake type,
as derived from the first byte in the message, was different from
MBEDTLS_SSL_HS_HELLO_REQUEST. This check should only be performed
for handshake records, while CCS records should immediately be appended.
2018-08-23 19:22:26 +02:00
Hanno Becker c83d2b3e09 ssl_write_handshake_msg(): Allow alert on client-side SSLv3
In SSLv3, the client sends a NoCertificate alert in response to
a CertificateRequest if it doesn't have a CRT. This previously
lead to failure in ssl_write_handshake_msg() which only accepted
handshake or CCS records.
2018-08-23 19:22:05 +02:00
Hanno Becker 687c500da3 Return from debugging functions if SSL context is unset
The debugging functions
- mbedtls_debug_print_ret,
- mbedtls_debug_print_buf,
- mbedtls_debug_print_mpi, and
- mbedtls_debug_print_crt
return immediately if the SSL configuration bound to the
passed SSL context is NULL, has no debugging functions
configured, or if the debug threshold is below the debugging
level.
However, they do not check whether the provided SSL context
is not NULL before accessing the SSL configuration bound to it,
therefore leading to a segmentation fault if it is.
In contrast, the debugging function
- mbedtls_debug_print_msg
does check for ssl != NULL before accessing ssl->conf.

This commit unifies the checks by always returning immediately
if ssl == NULL.
2018-08-23 14:54:13 +01:00
Hanno Becker b309b92ee8 ssl_buffering_free_slot(): Double-check validity of slot index 2018-08-23 13:18:05 +01:00
Hanno Becker 65dc885a3b Use size_t for msg_len argument in ssl_get_reassembly_buffer_size() 2018-08-23 09:40:49 +01:00
Hanno Becker 1b20e8e46e Merge branch 'datagram_packing' into message_reordering 2018-08-22 20:36:50 +01:00
Hanno Becker 554b0af195 Fix assertion in mbedtls_ssl_write_record() 2018-08-22 20:33:41 +01:00
Hanno Becker 7428d4fe87 Merge branch 'datagram_packing' into message_reordering 2018-08-22 16:16:59 +01:00
Hanno Becker 551835d5e7 ssl_write_handshake_msg(): Always append CCS messages to flights
The previous code appended messages to flights only if their handshake type,
as derived from the first byte in the message, was different from
MBEDTLS_SSL_HS_HELLO_REQUEST. This check should only be performed
for handshake records, while CCS records should immediately be appended.
2018-08-22 16:16:25 +01:00
Hanno Becker 2c98db2478 ssl_write_handshake_msg(): Allow alert on client-side SSLv3
In SSLv3, the client sends a NoCertificate alert in response to
a CertificateRequest if it doesn't have a CRT. This previously
lead to failure in ssl_write_handshake_msg() which only accepted
handshake or CCS records.
2018-08-22 16:05:47 +01:00
Hanno Becker 635313459f Merge branch 'datagram_packing' into message_reordering 2018-08-22 16:00:57 +01:00
Hanno Becker 11682ccc78 Uniformly treat MTU as size_t 2018-08-22 14:41:02 +01:00
Hanno Becker 3546201dbc Merge branch 'datagram_packing' into message_reordering 2018-08-22 10:25:40 +01:00
Hanno Becker a67dee256d Merge branch 'iotssl-2402-basic-pmtu-adaptation' into datagram_packing 2018-08-22 10:06:38 +01:00
Manuel Pégourié-Gonnard b8eec192f6 Implement PMTU auto-reduction in handshake 2018-08-22 10:50:30 +02:00
Hanno Becker 170e2d89da Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-22 09:44:54 +01:00
Andres Amaya Garcia a658d7dd9d Fix style for mbedtls_platform_gmtime() 2018-08-21 19:33:02 +01:00
Hanno Becker aa71500173 Fix bug in SSL ticket implementation removing keys of age < 1s
Fixes #1968.
2018-08-21 17:48:52 +01:00
Hanno Becker 903ee3d363 Merge branch 'datagram_packing' into message_reordering 2018-08-21 17:24:17 +01:00
Hanno Becker 01315ea03a Account for future epoch records in the total buffering size
Previous commits introduced the field `total_bytes_buffered`
which is supposed to keep track of the cumulative size of
all heap allocated buffers used for the purpose of reassembly
and/or buffering of future messages.

However, the buffering of future epoch records were not reflected
in this field so far. This commit changes this, adding the length
of a future epoch record to `total_bytes_buffered` when it's buffered,
and subtracting it when it's freed.
2018-08-21 17:22:17 +01:00
Hanno Becker a02b0b462d Add function making space for current message reassembly
This commit adds a static function ssl_buffer_make_space() which
takes a buffer size as an argument and attempts to free as many
future message bufffers as necessary to ensure that the desired
amount of buffering space is available without violating the
total buffering limit set by MBEDTLS_SSL_DTLS_MAX_BUFFERING.
2018-08-21 17:20:27 +01:00
Hanno Becker e1801399a9 Add another debug message to ssl_buffer_message()
Report if there's not enough buffering space available to reassemble
the next expected incoming message.
2018-08-21 16:51:05 +01:00
Hanno Becker 55e9e2aa6b Free future buffers if next handshake messages can't be reassembled
If the next expected handshake message can't be reassembled because
buffered future messages have already used up too much of the available
space for buffering, free those future message buffers in order to
make space for the reassembly, starting with the handshake message
that's farthest in the future.
2018-08-21 16:24:30 +01:00
Hanno Becker e605b19631 Add function to free a particular buffering slot
This commit adds a static function ssl_buffering_free_slot()
which allows to free a particular structure used to buffer
and/or reassembly some handshake message.
2018-08-21 16:24:27 +01:00
Hanno Becker 96a6c69d0c Correct bounds check in ssl_buffer_message()
The previous bounds check omitted the DTLS handshake header.
2018-08-21 16:11:09 +01:00
Hanno Becker e0b150f96b Allow limiting the total amount of heap allocations for buffering
This commit introduces a compile time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING
to mbedtls/config.h which allows the user to control the cumulative size of
all heap buffer allocated for the purpose of reassembling and buffering
handshake messages.

It is put to use by introducing a new field `total_bytes_buffered` to
the buffering substructure of `mbedtls_ssl_handshake_params` that keeps
track of the total size of heap allocated buffers for the purpose of
reassembly and buffering at any time. It is increased whenever a handshake
message is buffered or prepared for reassembly, and decreased when a
buffered or fully reassembled message is copied into the input buffer
and passed to the handshake logic layer.

This commit does not yet include future epoch record buffering into
account; this will be done in a subsequent commit.

Also, it is now conceivable that the reassembly of the next expected
handshake message fails because too much buffering space has already
been used up for future messages. This case currently leads to an
error, but instead, the stack should get rid of buffered messages
to be able to buffer the next one. This will need to be implemented
in one of the next commits.
2018-08-21 16:11:04 +01:00
Gilles Peskine ed7da59798 ctr_drbg: add comments relating the code with the NIST specification 2018-08-21 17:55:46 +03:00
Hanno Becker 2a97b0e7a3 Introduce function to return size of buffer needed for reassembly
A previous commit introduced the function ssl_prepare_reassembly_buffer()
which took a message length and a boolean flag indicating if a reassembly
bit map was needed, and attempted to heap-allocate a buffer of sufficient
size to hold both the message, its header, and potentially the reassembly
bitmap.

A subsequent commit is going to introduce a limit on the amount of heap
allocations allowed for the purpose of buffering, and this change will
need to know the reassembly buffer size before attempting the allocation.

To this end, this commit changes ssl_prepare_reassembly_buffer() into
ssl_get_reassembly_buffer_size() which solely computes the reassembly
buffer size, and performing the heap allocation manually in
ssl_buffer_message().
2018-08-21 15:47:49 +01:00
Hanno Becker e678eaa93e Reject invalid CCS records early
This commit moves the length and content check for CCS messages to
the function mbedtls_ssl_handle_message_type() which is called after
a record has been deprotected.

Previously, these checks were performed in the function
mbedtls_ssl_parse_change_cipher_spec(); however, now that
the arrival of out-of-order CCS messages is remembered
as a boolean flag, the check also has to happen when this
flag is set. Moving the length and content check to
mbedtls_ssl_handle_message_type() allows to treat both
checks uniformly.
2018-08-21 14:57:46 +01:00
Hanno Becker 47db877039 ssl_write_record: Consider setting flush variable only if unset 2018-08-21 13:32:13 +01:00
Hanno Becker 1f5a15d86d Check retval of remaining_payload_in_datagram in ssl_write_record() 2018-08-21 13:31:31 +01:00
Hanno Becker ecff205548 Remove stray bracket if MBEDTLS_ZLIB_SUPPORT is defined 2018-08-21 13:20:00 +01:00
Manuel Pégourié-Gonnard 000281e07d Fix "unused parameter" warning in small configs 2018-08-21 11:20:58 +02:00
Hanno Becker 6aeaa05a95 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-20 12:53:37 +01:00
Hanno Becker 513815a38d Fix typo in debugging output 2018-08-20 11:56:09 +01:00
Hanno Becker 4cb782d2f6 Return from ssl_load_buffered_record early if no record is buffered 2018-08-20 11:19:05 +01:00
Manuel Pégourié-Gonnard a1071a58a3 Compute record expansion at the right time
Depends on the current transform, which might change when retransmitting a
flight containing a Finished message, so compute it only after the transform
is swapped.
2018-08-20 11:56:14 +02:00
Manuel Pégourié-Gonnard 065a2a3472 Fix some typos and links in comments and doc 2018-08-20 11:09:26 +02:00
Hanno Becker 3a0aad1c9d Rename update_digest to update_hs_digest 2018-08-20 09:44:02 +01:00
Hanno Becker 4422bbb096 Whitespace fixes 2018-08-20 09:40:19 +01:00
Hanno Becker e00ae375d3 Omit debug output in ssl_load_buffered_message outside a handshake 2018-08-20 09:39:42 +01:00
Manuel Pégourié-Gonnard 6e7aaca146 Move MTU setting to SSL context, not config
This setting belongs to the individual connection, not to a configuration
shared by many connections. (If a default value is desired, that can be handled
by the application code that calls mbedtls_ssl_set_mtu().)

There are at least two ways in which this matters:
- per-connection settings can be adjusted if MTU estimates become available
  during the lifetime of the connection
- it is at least conceivable that a server might recognize restricted clients
  based on range of IPs and immediately set a lower MTU for them. This is much
easier to do with a per-connection setting than by maintaining multiple
near-duplicated ssl_config objects that differ only by the MTU setting.
2018-08-20 10:37:23 +02:00
Hanno Becker 0d4b376ddf Return through cleanup section in ssl_load_buffered_message() 2018-08-20 09:36:59 +01:00
Ron Eldor 34b03ef78f Remove redundant else statement
Remove `else` statement, as it is redundant. resolves #1776
2018-08-20 10:39:27 +03:00
Hanno Becker 56d5eaa96c Mark SSL ctx unused in ssl_prepare_reassembly_buffer() if !DEBUG
The SSL context is passed to the reassembly preparation function
ssl_prepare_reassembly_buffer() solely for the purpose of allowing
debugging output. This commit marks the context as unused if
debugging is disabled (through !MBEDTLS_DEBUG_C).
2018-08-17 16:52:08 +01:00
Hanno Becker b063a5ffad Update error codes 2018-08-17 16:52:08 +01:00
Hanno Becker 5f066e7aac Implement future record buffering
This commit implements the buffering of a record from the next epoch.

- The buffering substructure of mbedtls_ssl_handshake_params
  gets another field to hold a raw record (incl. header) from
  a future epoch.
- If ssl_parse_record_header() sees a record from the next epoch,
  it signals that it might be suitable for buffering by returning
  MBEDTLS_ERR_SSL_EARLY_MESSAGE.
- If ssl_get_next_record() finds this error code, it passes control
  to ssl_buffer_future_record() which may or may not decide to buffer
  the record; it does so if
  - a handshake is in progress,
  - the record is a handshake record
  - no record has already been buffered.
  If these conditions are met, the record is backed up in the
  aforementioned buffering substructure.
- If the current datagram is fully processed, ssl_load_buffered_record()
  is called to check if a record has been buffered, and if yes,
  if by now the its epoch is the current one; if yes, it copies
  the record into the (empty! otherwise, ssl_load_buffered_record()
  wouldn't have been called) input buffer.
2018-08-17 16:52:08 +01:00
Hanno Becker 37f9532081 Implement future message buffering and loading
This commit implements future handshake message buffering
and loading by implementing ssl_load_buffered_message()
and ssl_buffer_message().

Whenever a handshake message is received which is
- a future handshake message (i.e., the sequence number
  is larger than the next expected one), or which is
- a proper fragment of the next expected handshake message,
ssl_buffer_message() is called, which does the following:
- Ignore message if its sequence number is too far ahead
  of the next expected sequence number, as controlled by
  the macro constant MBEDTLS_SSL_MAX_BUFFERED_HS.
- Otherwise, check if buffering for the message with the
  respective sequence number has already commenced.
  - If not, allocate space to back up the message within
    the buffering substructure of mbedtls_ssl_handshake_params.
    If the message is a proper fragment, allocate additional
    space for a reassembly bitmap; if it is a full message,
    omit the bitmap. In any case, fall throuh to the next case.
  - If the message has already been buffered, check that
    the header is the same, and add the current fragment
    if the message is not yet complete (this excludes the
    case where a future message has been received in a single
    fragment, hence omitting the bitmap, and is afterwards
    also received as a series of proper fragments; in this
    case, the proper fragments will be ignored).

For loading buffered messages in ssl_load_buffered_message(),
the approach is the following:
- Check the first entry in the buffering window (the window
  is always based at the next expected handshake message).
  If buffering hasn't started or if reassembly is still
  in progress, ignore. If the next expected message has been
  fully received, copy it to the input buffer (which is empty,
  as ssl_load_buffered_message() is only called in this case).
2018-08-17 16:52:08 +01:00
Hanno Becker 6d97ef5a03 Use uniform treatment for future messages and proper HS fragments
This commit returns the error code MBEDTLS_ERR_SSL_EARLY_MESSAGE
for proper handshake fragments, forwarding their treatment to
the buffering function ssl_buffer_message(); currently, though,
this function does not yet buffer or reassembly HS messages, so:

! This commit temporarily disables support for handshake reassembly !
2018-08-17 16:52:08 +01:00
Hanno Becker 44650b7a74 Introduce function checking sanity of the DTLS HS header
This commit introduces helper functions
- ssl_get_hs_frag_len()
- ssl_get_hs_frag_off()
to parse the fragment length resp. fragment offset fields
in the handshake header.

Moreover, building on these helper functions, it adds a
function ssl_check_hs_header() checking the validity of
a DTLS handshake header with respect to the specification,
i.e. the indicated fragment must be a subrange of the total
handshake message, and the total handshake fragment length
(including header) must not exceed the record content size.

These checks were previously performed at a later stage during
ssl_reassemble_dtls_handshake().
2018-08-17 16:52:08 +01:00
Hanno Becker 12555c61d3 Introduce function to parse total handshake length
This commit introduces a static helper function ssl_get_hs_total_len()
parsing the total message length field in the handshake header, and
puts it to use in mbedtls_ssl_prepare_handshake_record().
2018-08-17 16:52:08 +01:00
Hanno Becker 0271f967d6 Introduce buffering structure for handshake messages
This commit introduces, but does not yet put to use, a sub-structure
of mbedtls_ssl_handshake_params::buffering that will be used for the
buffering and/or reassembly of handshake messages with handshake
sequence numbers that are greater or equal to the next expected
sequence number.
2018-08-17 16:52:08 +01:00
Hanno Becker d7f8ae2508 Introduce sub-structure of ssl_handshake_params for buffering
This commit introduces a sub-structure `buffering` within
mbedtls_ssl_handshake_params that shall contain all data
related to the reassembly and/or buffering of handshake
messages.

Currently, only buffering of CCS messages is implemented,
so the only member of this struct is the previously introduced
`seen_ccs` field.
2018-08-17 16:52:08 +01:00
Hanno Becker e25e3b7d96 Add function to check is HS msg is a proper fragment
This commit introduces a static function ssl_hs_is_proper_fragment()
to check if the current incoming handshake message is a proper fragment.
It is used within mbedtls_ssl_prepare_handshake_record() to decide whether
handshake reassembly through ssl_reassemble_dtls_handshake() is needed.

The commit changes the behavior of the library in the (unnatural)
situation where proper fragments for a handshake message are followed
by a non-fragmented version of the same message. In this case,
the previous code invoked the handshake reassembly routine
ssl_reassemble_dtls_handshake(), while with this commit, the full
handshake message is directly forwarded to the user, no altering
the handshake reassembly state -- in particular, not freeing it.
As a remedy, freeing of a potential handshake reassembly structure
is now done as part of the handshake update function
mbedtls_ssl_update_handshake_status().
2018-08-17 16:52:08 +01:00
Hanno Becker d07df86871 Make allocation of reassembly bitmap optional
This commit adds a parameter to ssl_prepare_reassembly_buffer()
allowing to disable the allocation of space for a reassembly bitmap.
This will allow this function to be used for the allocation of buffers
for future handshake messages in case these need no fragmentation.
2018-08-17 16:52:08 +01:00
Hanno Becker 56e205e2c9 Prepare handshake reassembly in separate function
This commit moves the code-path preparing the handshake
reassembly buffer, consisting of header, message content,
and reassembly bitmap, to a separate function
ssl_prepare_reassembly_buffer().
2018-08-17 16:52:08 +01:00
Hanno Becker 9e1ec22c36 Return MBEDTLS_ERR_SSL_EARLY_MESSAGE for future HS messages
This leads future HS messages to traverse the buffering
function ssl_buffer_message(), which however doesn't do
anything at the moment for HS messages. Since the error
code MBEDTLS_ERR_SSL_EARLY_MESSAGE is afterwards remapped
to MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -- which is what
was returned prior to this commit when receiving a future
handshake message -- this commit therefore does not yet
introduce any change in observable behavior.
2018-08-17 16:52:08 +01:00
Hanno Becker 2ed6bcc793 Implement support for remembering CCS messages
This commit implements support for remembering out-of-order
CCS messages. Specifically, a flag is set whenever a CCS message
is read which remains until the end of a flight, and when a
CCS message is expected and a CCS message has been seen in the
current flight, a synthesized CCS record is created.
2018-08-17 16:52:08 +01:00
Hanno Becker 40f50848fa Add frame for loading and storing buffered messages
This commit introduces the frame for saving and loading
buffered messages within message reading function
mbedtls_ssl_read_record().
2018-08-17 16:52:08 +01:00
Hanno Becker e74d556b43 Introduce function to indicate if record is fully processed
This commit introduces a function ssl_record_is_in_progress()
to indicate if there is there is more data within the current
record to be processed. Further, it moves the corresponding
call from ssl_read_record_layer() to the parent function
mbedtls_ssl_read_record(). With this change, ssl_read_record_layer()
has the sole purpose of fetching and decoding a new record,
and hence this commit also renames it to ssl_get_next_record().
2018-08-17 16:52:08 +01:00
Hanno Becker 2699459529 Move call to ssl_consume_current_message()
Subsequent commits will potentially inject buffered
messages after the last incoming message has been
consumed, but before a new one is fetched. As a
preparatory step to this, this commit moves the call
to ssl_consume_current_message() from ssl_read_record_layer()
to the calling function mbedtls_ssl_read_record().
2018-08-17 16:52:08 +01:00
Hanno Becker 1097b34022 Extract message-consuming code-path to separate function
The first part of the function ssl_read_record_layer() was
to mark the previous message as consumed. This commit moves
the corresponding code-path to a separate static function
ssl_consume_current_message().
2018-08-17 16:52:08 +01:00
Hanno Becker 4162b11eb4 Make mbedtls_ssl_read_record_layer() static
This function was previously global because it was
used directly within ssl_parse_certificate_verify()
in library/ssl_srv.c. The previous commit removed
this dependency, replacing the call by a call to
the global parent function mbedtls_ssl_read_record().
This renders mbedtls_ssl_read_record_layer() internal
and therefore allows to make it static, and accordingly
rename it as ssl_read_record_layer().
2018-08-17 16:52:08 +01:00
Hanno Becker a4b143a57c Remove nested loop in mbedtls_ssl_read_record() 2018-08-17 16:52:08 +01:00
Hanno Becker 02f5907499 Correct misleading debugging output
Usually, debug messages beginning with "=> and "<="
match up and indicate entering of and returning from
functions, respectively. This commit fixes one exception
to this rule in mbedtls_ssl_read_record(), which sometimes
printed two messages of the form "<= XXX".
2018-08-17 16:52:08 +01:00
Hanno Becker 327c93b182 Add parameter to ssl_read_record() controlling checksum update
Previously, mbedtls_ssl_read_record() always updated the handshake
checksum in case a handshake record was received. While desirable
most of the time, for the CertificateVerify message the checksum
update must only happen after the message has been fully processed,
because the validation requires the handshake digest up to but
excluding the CertificateVerify itself. As a remedy, the bulk
of mbedtls_ssl_read_record() was previously duplicated within
ssl_parse_certificate_verify(), hardening maintenance in case
mbedtls_ssl_read_record() is subject to changes.

This commit adds a boolean parameter to mbedtls_ssl_read_record()
indicating whether the checksum should be updated in case of a
handshake message or not. This allows using it also for
ssl_parse_certificate_verify(), manually updating the checksum
after the message has been processed.
2018-08-17 16:52:08 +01:00
Hanno Becker e1dcb03557 Don't send empty fragments of nonempty handshake messages
This for example lead to the following corner case bug:
The code attempted to piggy-back a Finished message at
the end of a datagram where precisely 12 bytes of payload
were still available. This lead to an empty Finished fragment
being sent, and when  mbedtls_ssl_flight_transmit() was called
again, it believed that it was just starting to send the
Finished message, thereby calling ssl_swap_epochs() which
had already happened in the call sending the empty fragment.
Therefore, the second call would send the 'rest' of the
Finished message with wrong epoch.
2018-08-17 16:47:58 +01:00
Hanno Becker 04da189225 Make datagram packing dynamically configurable
This commit adds a public function

   `mbedtls_ssl_conf_datagram_packing()`

that allows to allow / forbid the packing of multiple
records within a single datagram.
2018-08-17 15:45:25 +01:00
Hanno Becker 7e7721350b Fix unused variable warning in ssl_session_reset_int()
The `partial` argument is only used when DTLS and same port
client reconnect are enabled. This commit marks the variable
as unused if that's not the case.
2018-08-17 15:45:10 +01:00
Hanno Becker 0defedb488 Fix unused variable warning in mbedtls_ssl_get_max_record_payload
If neither the maximum fragment length extension nor DTLS
are used, the SSL context argument is unnecessary as the
maximum payload length is hardcoded as MBEDTLS_SSL_MAX_CONTENT_LEN.
2018-08-17 15:45:05 +01:00
Hanno Becker f29d4702f7 Reset in/out pointers on SSL session reset
If a previous session was interrupted during flushing, the out
pointers might point arbitrarily into the output buffer.
2018-08-17 15:44:57 +01:00
Hanno Becker 4ccbf064ed Minor improvements in ssl_session_reset_int() 2018-08-17 15:44:53 +01:00
Hanno Becker 2a43f6f539 Introduce function to reset in/out pointers 2018-08-17 15:44:43 +01:00
Hanno Becker b50a253a87 Move size check for records 2018-08-17 15:44:26 +01:00
Hanno Becker 67bc7c3a38 Don't immediately flush datagram after preparing a record
This commit finally enables datagram packing by modifying the
record preparation function ssl_write_record() to not always
calling mbedtls_ssl_flush_output().
2018-08-17 15:44:09 +01:00
Hanno Becker 2b1e354754 Increase record buffer pointer after preparing a record
The packing of multiple records within a single datagram works
by increasing the pointer `out_hdr` (pointing to the beginning
of the next outgoing record) within the datagram buffer, as
long as space is available and no flush was mandatory.

This commit does not yet change the code's behavior of always
flushing after preparing a record, but it introduces the logic
of increasing `out_hdr` after preparing the record, and resetting
it after the flush has been completed.
2018-08-17 15:41:02 +01:00
Hanno Becker 3b235902b8 Log calls to ssl_flight_append() in debugging output 2018-08-17 15:40:55 +01:00
Hanno Becker 04484621d0 Increment record sequence number in ssl_write_record()
Previously, the record sequence number was incremented at the
end of each successful call to mbedtls_ssl_flush_output(),
which works as long as there is precisely one such call for
each outgoing record.

When packing multiple records into a single datagram, this
property is no longer true, and instead the increment of the
record sequence number must happen after the record has been
prepared, and not after it has been dispatched.

This commit moves the code for incrementing the record sequence
number from mbedtls_ssl_flush_output() to ssl_write_record().
2018-08-17 15:40:52 +01:00
Hanno Becker 198594709b Store outgoing record sequence number outside record buffer
This commit is another step towards supporting the packing of
multiple records within a single datagram.

Previously, the incremental outgoing record sequence number was
statically stored within the record buffer, at its final place
within the record header. This slightly increased efficiency
as it was not necessary to copy the sequence number when writing
outgoing records.

When allowing multiple records within a single datagram, it is
necessary to allow the position of the current record within the
datagram buffer to be flexible; in particular, there is no static
address for the record sequence number field within the record header.

This commit introduces an additional field `cur_out_ctr` within
the main SSL context structure `mbedtls_ssl_context` to keep track
of the outgoing record sequence number independent of the buffer used
for the current record / datagram. Whenever a new record is written,
this sequence number is copied to the the address `out_ctr` of the
sequence number header field within the current outgoing record.
2018-08-17 15:40:35 +01:00
Hanno Becker 5aa4e2cedd Move deduction of internal record buffer pointers to function
The SSL/TLS module maintains a number of internally used pointers
`out_hdr`, `out_len`, `out_iv`, ..., indicating where to write the
various parts of the record header.

These pointers have to be kept in sync and sometimes need update:
Most notably, the `out_msg` pointer should always point to the
beginning of the record payload, and its offset from the pointer
`out_iv` pointing to the end of the record header is determined
by the length of the explicit IV used in the current record
protection mechanism.

This commit introduces functions deducing these pointers from
the pointers `out_hdr` / `in_hdr` to the beginning of the header
of the current outgoing / incoming record.

The flexibility gained by these functions will subsequently
be used to allow shifting of `out_hdr` for the purpose of
packing multiple records into a single datagram.
2018-08-17 15:40:24 +01:00
Hanno Becker 3136ede0e8 Compute record expansion in steps to ease readability 2018-08-17 15:28:19 +01:00
Jaeden Amero 141e767fa9 Merge remote-tracking branch 'upstream-public/pr/1942' into development
Resolve conflicts in ChangeLog
2018-08-17 14:26:51 +01:00
Manuel Pégourié-Gonnard 3879fdfece Merge remote-tracking branch 'public/pr/1955' into iotssl-165-dtls-hs-fragmentation-new
* public/pr/1955:
  Adapt ChangeLog
  Fix overly strict bounds check in ssl_parse_certificate_request()
2018-08-17 10:49:47 +02:00
Andres Amaya Garcia 248e27c487 Remove redundant statement from x509_get_current_time 2018-08-16 21:50:23 +01:00
Andres Amaya Garcia 1abb368b87 Make gmtime() configurable at compile-time 2018-08-16 21:42:09 +01:00
Hanno Becker ad17fe9c37 Fix overly strict bounds check in ssl_parse_certificate_request() 2018-08-16 15:51:34 +01:00
Manuel Pégourié-Gonnard 19c62f90e4 Add test for session resumption 2018-08-16 10:50:39 +02:00
Manuel Pégourié-Gonnard 7e89c17788 Fix two typos in comments 2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard b747c6cf9b Add basic first tests for MTU setting
For now, just check that it causes us to fragment. More tests are coming in
follow-up commits to ensure we respect the exact value set, including when
renegotiating.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard 637e234d9f Merge remote-tracking branch 'public/pr/1915' into iotssl-165-dtls-hs-fragmentation-new
* public/pr/1915:
  Adapt ChangeLog
  Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC
2018-08-16 10:01:21 +02:00
Manuel Pégourié-Gonnard 9468ff1966 Implement support for MTU setting 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 0b1d9b2c75 Declare ssl_conf_mtu() 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 2cb17e201b Make handshake fragmentation follow max_frag_len
Note: no interop tests in ssl-opt.sh for now, as some of them make us run into
bugs in (the CI's default versions of) OpenSSL and GnuTLS, so interop tests
will be added later once the situation is clarified. <- TODO
2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 28f4beab1c Start implementing fragmentation 2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 87a346f64e Always save flight first, (re)send later
This will allow fragmentation to always happen in the same place, always from
a buffer distinct from ssl->out_msg, and with the same way of resuming after
returning WANT_WRITE
2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard 9c3a8caa92 Clarify code a bit in write_handshake_msg()
- take advantage of the fact that we're only called for first send
- put all sanity checks at the top
- rename and constify shortcut variables
- improve comments
2018-08-16 10:00:35 +02:00
Manuel Pégourié-Gonnard 31c1586893 Start separating handshake from record writing 2018-08-16 10:00:27 +02:00
Hanno Becker 7864090ec1 Reset session_in/out pointers in ssl_session_reset_int()
Fixes #1941.
2018-08-13 16:35:15 +01:00
Ron Eldor d1a4762adb Use mbedtls_printf instead of printf
Replace usages of `printf()` with `mbedtls_printf()` in `aria.c`
which were accidently merged. Fixes #1908
2018-08-13 13:49:52 +03:00
Jaeden Amero d8f41698d2 Merge remote-tracking branch 'upstream-public/pr/1598' into development
Add a Changelog entry
2018-08-10 11:23:15 +01:00
Jaeden Amero cac0c1a250 Merge remote-tracking branch 'upstream-public/pr/1378' into development 2018-08-10 10:59:53 +01:00
Andres Amaya Garcia d7177435e3 Fix check-names.sh fail with USE_GMTIME macro 2018-08-08 09:41:17 +01:00
Andres Amaya Garcia ce6eebb0b8 Use gmtime when target is not windows or posix 2018-08-07 20:26:55 +01:00
Hanno Becker 5b559ac7ab Fix mbedtls_ssl_get_record_expansion() for ChaChaPoly and CBC
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

It had the following two bugs:
(1) It did not consider the new ChaChaPoly ciphersuites, returning
    the error code #MBEDTLS_ERR_SSL_INTERNAL_ERROR in this case.
(2) It did not correctly estimate the maximum record expansion in case
    of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
    case the ciphertext is prefixed by an explicit IV.

This commit fixes both bugs.
2018-08-03 10:07:35 +01:00
k-stachowiak 9f7798ed3f Revert change of a return variable name 2018-07-31 16:52:32 +02:00
Ron Eldor 1b9b217abf enforce input and output of ccm selftest on stack
In `mbedtls_ccm_self_test()`, enforce input and output
buffers sent to the ccm API to be contigous and aligned,
by copying the test vectors to buffers on the stack.
2018-07-30 11:29:26 +03:00
Angus Gratton 608a487b9c Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails
In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can
happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but
hasn't been asigned to grp->T yet).

Symptom was a memory leak in ECDHE key exchange under low memory conditions.
2018-07-27 09:15:34 +10:00
Jaeden Amero 193c86425e Update version to 2.12.0 2018-07-25 15:42:26 +01:00
Simon Butcher 37b9fd5df6 Merge remote-tracking branch 'restricted/pr/490' into development 2018-07-24 23:40:37 +01:00
Simon Butcher 2c92949e0a Merge remote-tracking branch 'public/pr/1198' into development 2018-07-24 17:20:17 +01:00
Simon Butcher c88c627fba Merge remote-tracking branch 'public/pr/1658' into development 2018-07-24 17:19:10 +01:00
Ron Eldor 9ab746c7c9 Add selftests
Add selftests for key wrapping
2018-07-24 16:43:20 +01:00
Ron Eldor cb349ac279 Implement the KW and KWP algorithm
1. Add kw to the Makefiles
2. Implement the algorithms as defined in SP800-38F, and RFC 3394.
2018-07-24 16:43:20 +01:00
Ron Eldor 466a57fbbe Key wrapping API definition
Define the Key Wrapping API
2018-07-24 16:43:20 +01:00
Simon Butcher dad05b7fc9 Merge remote-tracking branch 'public/pr/1844' into development 2018-07-24 13:05:09 +01:00
k-stachowiak c9a5f02eab Move comment to a separate line 2018-07-24 13:53:31 +02:00
Simon Butcher 116ac43d00 Merge remote-tracking branch 'public/pr/1852' into development 2018-07-24 12:18:59 +01:00
k-stachowiak 463928a74b Fix code formatting 2018-07-24 12:50:59 +02:00
Simon Butcher fced1f2fb3 Merge remote-tracking branch 'public/pr/1854' into development 2018-07-24 10:26:46 +01:00
Brian J Murray ca2ea4e217 Fix issue if salt = NULL and salt_len !=0 in mbedtls_hkdf_extract() 2018-07-23 10:34:47 -07:00
Ron Eldor bb4bbbbbb4 Resolve PR review comments
Address review comments:
1. add `mbedtls_cipher_init()` after freeing context, in test code
2. style comments
3. set `ctx->iv_size = 0` in case `IV == NULL && iv_len == 0`
2018-07-23 18:18:35 +01:00
Ron Eldor 4e64e0b922 Fix after PR comments
1. Don't set IV onECB
2. Fix style issues
3. reduce number of tests
2018-07-23 18:18:32 +01:00
Ron Eldor 7b01244b99 Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves #1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB
2018-07-23 18:02:09 +01:00
Angus Gratton 1a7a17e548 Check for invalid short Alert messages
(Short Change Cipher Spec & Handshake messages are already checked for.)
2018-07-20 23:09:29 +01:00
Angus Gratton 34817929ea TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-20 23:09:29 +01:00
Angus Gratton b512bc1d29 CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-20 23:09:29 +01:00
Simon Butcher 922bd1efb2 Merge remote-tracking branch 'public/pr/1752' into development 2018-07-20 14:33:18 +01:00
Simon Butcher df15356259 Merge remote-tracking branch 'public/pr/1663' into development 2018-07-19 19:48:10 +01:00
k-stachowiak 21feae58cb Update change log 2018-07-11 17:34:55 +02:00
k-stachowiak a47911cb70 Fix memory leak in ssl_setup 2018-07-11 17:26:07 +02:00
Dawid Drozd 0e2c07e83e
Remove unnecessary mark as unused #1098
`ret` is used always at line 1305 in statement:
`if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )`
2018-07-11 15:16:53 +02:00
Manuel Pégourié-Gonnard 8744a02357 Clarify a few comments
The "+" sign could be misinterpreted as addition.
2018-07-11 12:30:40 +02:00
Simon Butcher e7aeef09ee Merge remote-tracking branch 'public/pr/536' into development 2018-07-10 15:24:26 +01:00
Simon Butcher 32b074720e Merge remote-tracking branch 'public/pr/1737' into development 2018-07-10 14:57:50 +01:00
Simon Butcher cdbb2f2168 Merge remote-tracking branch 'public/pr/1563' into development 2018-07-10 12:49:26 +01:00
Simon Butcher 6331cb0607 Fix some whitespace issues in ChangeLog and CMakeLists.txt
Stray tab in library/CMakeLists.txt and incorrect formatting in ChangeLog.
2018-07-10 11:48:42 +01:00
Simon Butcher d21bd31759 Merge remote-tracking branch 'public/pr/1567' into development 2018-07-10 11:43:06 +01:00
Manuel Pégourié-Gonnard 6a25cfae2a Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-10 11:15:36 +02:00
k-stachowiak a5fbfd7cd8 Enable snprintf on FreeBSD 2018-07-08 13:22:11 +01:00
Brian J Murray a61d123e0e Minor changes to comments in hkdf.c 2018-07-06 10:02:39 -07:00
Manuel Pégourié-Gonnard 7b42030b5d Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-05 14:44:49 +02:00
Manuel Pégourié-Gonnard 1cc1fb0599 Fix Lucky 13 cache attack on MD/SHA padding
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced
from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
If MD/SHA padding is read from a (static) buffer, a local attacker could get
information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
one, which is always read fully by the process() function.
2018-07-05 10:47:00 +02:00
Manuel Pégourié-Gonnard c8c12b6007 Add NULL pointer check for consistency
Most other functions in this module have a similar check.
2018-07-02 13:09:39 +02:00
Manuel Pégourié-Gonnard 78d7e8cbc7 Rename internal variable for consistency 2018-07-02 12:33:14 +02:00
Ron Eldor ab8d58cb2d Move definition of MBEDTLS_CIPHER_MODE_STREAM
Move definition of `MBEDTLS_CIPHER_MODE_STREAM` to header file
(`mbedtls_cipher_internal.h`), because it is used by more than
one file. Raised by TrinityTonic in #1719
2018-07-01 10:20:43 +03:00
k-stachowiak dcae78a7a9 Make a buffer limit more specific 2018-06-28 16:32:54 +02:00
k-stachowiak 470dfbabb9 Simplify OID tag parsing in x509_get_cert_ext( ) 2018-06-28 16:23:39 +02:00
Simon Butcher 034e1398f0 Merge remote-tracking branch 'public/pr/1621' into development 2018-06-28 12:09:15 +01:00
Simon Butcher 4b6b08e7d2 Merge remote-tracking branch 'public/pr/1006' into development 2018-06-28 12:08:59 +01:00
Simon Butcher 1d97cab5f5 Merge remote-tracking branch 'public/pr/1645' into development 2018-06-28 12:06:16 +01:00
Simon Butcher bea00bd89c Merge remote-tracking branch 'public/pr/1783' into development 2018-06-28 12:04:19 +01:00
Simon Butcher 6665b67ddf Merge remote-tracking branch 'public/pr/1390' into development 2018-06-27 10:51:47 +01:00
Nicholas Wilson 2682edf205 Fix build using -std=c99
In each place where POSIX/GNU functions are used, the file must declare
that it wants POSIX functionality before including any system headers.
2018-06-25 12:00:26 +01:00
Nicholas Wilson 512b4ee9c7 Use gmtime_r to fix thread-safety issue, and use mbedtls_time on Windows 2018-06-25 11:59:54 +01:00
niisato 8ee2422ef8 about a issue Replace "new" variable #1782 2018-06-25 19:05:48 +09:00
irwir e931d0efe5 Replace Windows API threading with CRT functions 2018-06-24 01:58:37 +03:00
Andres Amaya Garcia bf7fe4f3f0 Replace check with APPLE with CMAKE_SYSTEM_NAME 2018-06-21 20:21:38 +01:00
Andres Amaya Garcia 5b92352374 Document ssl_write_real() behaviour in detail 2018-06-21 19:23:21 +01:00
Ron Eldor 755bb6af5f Add ecc extensions only if ecc ciphersuite is used
Fix compliancy to RFC4492. ECC extensions should be included
only if ec ciphersuites are used. Interoperability issue with
bouncy castle. #1157
2018-06-21 16:35:26 +03:00
Andres Amaya Garcia e3402ce44f Enable APPLE_BUILD in makefile if using system ar 2018-06-20 10:43:21 +01:00
Manuel Pégourié-Gonnard 95e2ecae95 Fix IAR warning
The IAR compiler doesn't like it when we assign an int to an enum variable.

"C:\builds\ws\mbedtls-restricted-pr\library\ecp.c",509  Error[Pe188]:
          enumerated type mixed with another type
2018-06-20 10:29:47 +02:00
Manuel Pégourié-Gonnard 79d9b50421 Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development: (180 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-20 09:46:17 +02:00
Philippe Antoine 21f73b57ed Coding style
Commit to be squashed
2018-06-20 08:13:24 +02:00
Andres Amaya Garcia c51d613eac Ensure crosscompiling with make works in Mac OS X 2018-06-19 17:25:42 +01:00
Manuel Pégourié-Gonnard 2e58e8ee34 Implement ChachaPoly mode in TLS 2018-06-19 12:12:47 +02:00
Manuel Pégourié-Gonnard ce66d5e8e1 Declare ChaCha-Poly ciphersuites
Prefer them over AES-GCM as they have better performance and fewer side
channel considerations in software implementations.
2018-06-19 12:11:38 +02:00
Manuel Pégourié-Gonnard f57bf8b467 Define specific mode for ChachaPoly
The TLS layer is checking for mode, such as GCM, CCM, CBC, STREAM. ChachaPoly
needs to have its own mode, even if it's used just one cipher, in order to
allow consistent handling of mode in the TLS layer.
2018-06-19 11:32:48 +02:00
Manuel Pégourié-Gonnard a18034a8e2 Adjust to added fields in cipher_base_t
This is a follow-up to the previous merge commit: two fields were added in the
merged development branch
2018-06-19 11:32:01 +02:00
Manuel Pégourié-Gonnard 0dadba2b58 Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (182 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-19 11:13:50 +02:00
Simon Butcher 2fcd3e4441 Change the library version to 2.11.0
* Change the Mbed TLS library version to 2.11.0
 * Increase the soversion of libmbedcrypto
 * Increase the soversion of libmbedtls
2018-06-18 14:39:06 +01:00
Angus Gratton d8213d00db Let MBEDTLS_SSL_MAX_CONTENT_LEN to be split into outward & inward sizes
For the situation where the mbedTLS device has limited RAM, but the
other end of the connection doesn't support the max_fragment_length
extension. To be spec-compliant, mbedTLS has to keep a 16384 byte
incoming buffer. However the outgoing buffer can be made smaller without
breaking spec compliance, and we save some RAM.

See comments in include/mbedtls/config.h for some more details.

(The lower limit of outgoing buffer size is the buffer size used during
handshake/cert negotiation. As the handshake is half-duplex it might
even be possible to store this data in the "incoming" buffer during the
handshake, which would save even more RAM - but it would also be a lot
hackier and error-prone. I didn't really explore this possibility, but
thought I'd mention it here in case someone sees this later on a mission
to jam mbedTLS into an even tinier RAM footprint.)
2018-06-18 20:51:51 +10:00
Manuel Pégourié-Gonnard c7bc9e122f Fix a few typos 2018-06-18 10:30:30 +02:00
Simon Butcher cbe248a3f5 Merge remote-tracking branch 'public/pr/1727' into development 2018-06-17 17:37:29 +01:00
Simon Butcher 1f91575546 Merge remote-tracking branch 'public/pr/1681' into development 2018-06-17 17:35:54 +01:00
Simon Butcher 2711ad7505 Merge remote-tracking branch 'public/pr/1736' into development 2018-06-17 17:34:55 +01:00
Simon Butcher 600c5e6d20 Compilation warning fixes on 32b platfrom with IAR
Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683

This is based on work by Ron Eldor in PR #750, some of which was independently
fixed by Azim Khan and already merged in PR #1646.
2018-06-17 17:24:56 +01:00
Simon Butcher 2dbecc04cc Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 20:15:00 +01:00
Simon Butcher 66a8903f4a Fix for missing len var when XTS config'd and CTR not
The AES XTS self-test was using a variable len, which was declared only when CTR
was enabled. Changed the declaration of len to be conditional on CTR and XTS.
2018-06-15 18:20:29 +01:00
Simon Butcher 5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Simon Butcher 675590519a Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 14:13:14 +01:00
Jaeden Amero ff2f493432 config: List cipher modes in alphabetical order
Keeping the cipher modes list in alphabetical order makes it easier to
find things. Move OFB and XTS to their appropriate locations in the
list.
2018-06-14 11:42:27 +01:00
Simon Butcher 6ac1cf6f5f Merge remote-tracking branch 'public/pr/1182' into development 2018-06-14 10:33:29 +01:00
Simon Butcher c1bf1aaee5 Merge remote-tracking branch 'public/pr/1555' into development 2018-06-14 10:24:56 +01:00
Simon Butcher 73a4b80475 Merge remote-tracking branch 'public/pr/1672' into development 2018-06-14 10:24:02 +01:00
Simon Butcher 2ff0e52087 Fix missing preprocessor condition in AES self-test
The AES OFB self-test made use of a variable `offset` but failed to have a
preprocessor condition around it, so unless CTR and CBC were enabled, the
variable would be undeclared.
2018-06-14 09:57:07 +01:00
Philippe Antoine c03059db42 Simplify code in mbedtls_x509_csr_parse 2018-06-14 07:35:11 +02:00
Gilles Peskine 0a8352b4c2 Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
In ssl_parse_encrypted_pms, some operational failures from
ssl_decrypt_encrypted_pms lead to diff being set to a value that
depended on some uninitialized unsigned char and size_t values. This didn't
affect the behavior of the program (assuming an implementation with no
trap values for size_t) because all that matters is whether diff is 0,
but Valgrind rightfully complained about the use of uninitialized
memory. Behave nicely and initialize the offending memory.
2018-06-13 18:21:25 +02:00
Jaeden Amero 8cfc75f603 aes: xts: Fix style issues with gf128mul 2018-06-13 12:13:58 +01:00
Jaeden Amero 5f0b06aeda aes: xts: Fix description of gf128mul
THe function `mbedtls_gf128mul_x_ble()` doesn't multiply by x, x^4, and
x^8. Update the function description to properly describe what the function
does.
2018-06-13 12:13:58 +01:00
Jaeden Amero c653990ed5 cipher: Add wrappers for AES-XTS
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
2018-06-13 12:13:56 +01:00
Jaeden Amero 21d79cf947 aes: Add self test for AES-XTS 2018-06-13 12:05:04 +01:00
Jaeden Amero cd9fc5e541 aes: xts: Rename iv to data_unit
XTS doesn't have an IV, it has a "Data Unit". Rename iv for parity with the
XTS standard.
2018-06-13 12:05:04 +01:00
Jaeden Amero d82cd860b2 aes: xts: Rewrite to avoid use of goto
The flow was a bit hard to follow with the `goto` everywhere. Rewrite the
XTS implementation to avoid the use of `goto`.
2018-06-13 12:05:04 +01:00
Jaeden Amero 0a8b02087a aes: xts: Enforce NIST SP 800-38E data unit size
NIST SP 800-38E requites the data unit size be limited to at most 2^20 AES
blocks in size. Enforce this restriction.
2018-06-13 12:05:04 +01:00
Jaeden Amero 5162b932a2 aes: Use length instead of bits_length in XTS
mbedtls_aes_crypt_xts() currently takes a `bits_length` parameter, unlike
the other block modes. Change the parameter to accept a bytes length
instead, as the `bits_length` parameter is not actually ever used in the
current implementation.
2018-06-13 12:05:04 +01:00
Jaeden Amero 9366feb504 aes: xts: Add new context structure
Add a new context structure for XTS. Adjust the API for XTS to use the new
context structure, including tests suites and the benchmark program. Update
Doxgen documentation accordingly.
2018-06-13 12:05:04 +01:00
Jaeden Amero e9ecf00007 aes: Remove AES-XEX
AES-XEX is a building block for other cryptographic standards and not yet a
standard in and of itself. We'll just provide the standardized AES-XTS
algorithm, and not AES-XEX. The AES-XTS algorithm and interface provided
can be used to perform the AES-XEX algorithm when the length of the input
is a multiple of the AES block size.
2018-06-13 12:03:29 +01:00
Jaeden Amero 010c2cb456 gf128mul: Inline instead of making a new module 2018-06-13 12:03:29 +01:00
Jaeden Amero 97cc3b1354 gf128mul: Remove the jump table
If we're unlucky with memory placement, gf128mul_table_bbe may spread over
two cache lines and this would leak b >> 63 to a cache timing attack.
Instead, take an approach that is less likely to make different memory
loads depending on the value of b >> 63 and is also unlikely to be compiled
to a condition.
2018-06-13 12:03:29 +01:00
Aorimn 5f77801ac3 Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:03:27 +01:00
Aorimn 380162c34c Double perf for AES-XEX
As seen from the first benchmark run, AES-XEX was running pourly (even
slower than AES-CBC). This commit doubles the performances of the
current implementation.
2018-06-13 12:02:30 +01:00
Aorimn 8bb817a4c1 Add AES-XEX to the version features 2018-06-13 12:02:29 +01:00
Aorimn 9bbe3632e4 Rename exported symbols to please check-names.sh
Exported symbols seem to need the "mbedtls_" prefix, which has been
added to be128 and gf128mul_x_ble.
2018-06-13 12:01:50 +01:00
Aorimn 0089d36ae5 Implement AES-XEX mode
XEX mode, known as "xor-encrypt-xor", is the simple case of the XTS
mode, known as "XEX with ciphertext stealing". When the buffers to be
encrypted/decrypted have a length divisible by the length of a standard
AES block (16), XTS is exactly like XEX.
2018-06-13 11:56:03 +01:00
Aorimn b053658f95 Add 2 files for multiplication in GF(128)
Multiplication in GF(128) is required by the AES-XEX mode for computing
X in the XEX formula from
https://en.wikipedia.org/wiki/Disk_encryption_theory#Xor-encrypt-xor_.28XEX.29
2018-06-13 11:56:03 +01:00
Manuel Pégourié-Gonnard 558da9c3fe Make SSL error code more generic
It's undesirable to have users of the SSL layer check for an error code
specific to a lower-level layer, both out of general layering principles, and
also because if we later make another crypto module gain resume capabilities,
we would need to change the contract again (checking for a new module-specific
error code).
2018-06-13 12:02:12 +02:00
Andres Amaya Garcia 1d9375919a Conditionally assign APPLE_BUILD var in makefile 2018-06-13 10:05:43 +01:00
Andres Amaya Garcia c471cd7e0a Autodetect if running on OS X in makefile 2018-06-13 09:28:04 +01:00
Roberto Vargas 7decfe8c1e Convert mbedtls_free and mbedtls_calloc into functions
When MBEDTLS_PLATFORM_MEMORY is defined but MBEDTLS_PLATFORM_FREE_MACRO or
MBEDTLS_PLATFORM_CALLOC_MACRO are not defined then the actual functions
used to allocate and free memory are stored in function pointers.
These pointers are exposed to the caller, and it means that the caller
and the library have to share a data section.

In TF-A, we execute in a very constrained environment, where some images
are executed from ROM and other images are executed from SRAM. The
images that are executed from ROM cannot be modified. The SRAM size
is very small and we are moving libraries to the ROM that can be shared
between the different SRAM images.  These SRAM images could import all the
symbols used in mbedtls, but it would create an undesirable hard binary
dependency between the different images. For this reason, all the library
functions in ROM are accesed using a jump table whose base address is
known, allowing the images to execute with different versions of the ROM.

This commit changes the function pointers to actual functions,
so that the SRAM images only have to use the new exported symbols
(mbedtls_calloc and mbedtls_free) using the jump table. In
our scenario, mbedtls_platform_set_calloc_free is called from
mbedtls_memory_buffer_alloc_init which initializes the function pointers
to the internal buffer_alloc_calloc and buffer_alloc_free functions.

No functional changes to mbedtls_memory_buffer_alloc_init.

Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-06-13 09:17:59 +01:00
Manuel Pégourié-Gonnard da19f4c79f Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
Summary of merge conflicts:

include/mbedtls/ecdh.h -> documentation style
include/mbedtls/ecdsa.h -> documentation style
include/mbedtls/ecp.h -> alt style, new error codes, documentation style
include/mbedtls/error.h -> new error codes
library/error.c -> new error codes (generated anyway)
library/ecp.c:
    - code of an extracted function was changed
library/ssl_cli.c:
    - code addition on one side near code change on the other side
      (ciphersuite validation)
library/x509_crt.c -> various things
    - top fo file: helper structure added near old zeroize removed
    - documentation of find_parent_in()'s signature: improved on one side,
      added arguments on the other side
    - documentation of find_parent()'s signature: same as above
    - verify_chain(): variables initialised later to give compiler an
      opportunity to warn us if not initialised on a code path
    - find_parent(): funcion structure completely changed, for some reason git
      tried to insert a paragraph of the old structure...
    - merge_flags_with_cb(): data structure changed, one line was fixed with a
      cast to keep MSVC happy, this cast is already in the new version
    - in verify_restratable(): adjacent independent changes (function
      signature on one line, variable type on the next)
programs/ssl/ssl_client2.c:
    - testing for IN_PROGRESS return code near idle() (event-driven):
      don't wait for data in the the socket if ECP_IN_PROGRESS
tests/data_files/Makefile: adjacent independent additions
tests/suites/test_suite_ecdsa.data: adjacent independent additions
tests/suites/test_suite_x509parse.data: adjacent independent additions

* development: (1059 commits)
  Change symlink to hardlink to avoid permission issues
  Fix out-of-tree testing symlinks on Windows
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  ...
2018-06-13 09:52:54 +02:00