From 3eb8c34e6a761b3f1f5fce01e31c70b1560e70b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Oct 2015 12:11:14 +0100 Subject: [PATCH 1/8] Add example program for Curve25519 Getting a lot of questions about how to use it. This will hopefully get people started. --- programs/Makefile | 5 + programs/pkey/CMakeLists.txt | 3 + programs/pkey/ecdh_curve25519.c | 237 ++++++++++++++++++++++++++++++++ 3 files changed, 245 insertions(+) create mode 100644 programs/pkey/ecdh_curve25519.c diff --git a/programs/Makefile b/programs/Makefile index 544a2d8f9..443689b1b 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -49,6 +49,7 @@ APPS = aes/aescrypt2$(EXEXT) aes/crypt_and_hash$(EXEXT) \ hash/hello$(EXEXT) hash/generic_sum$(EXEXT) \ pkey/dh_client$(EXEXT) \ pkey/dh_genprime$(EXEXT) pkey/dh_server$(EXEXT) \ + pkey/ecdh_curve25519$(EXEXT) \ pkey/ecdsa$(EXEXT) pkey/gen_key$(EXEXT) \ pkey/key_app$(EXEXT) pkey/key_app_writer$(EXEXT) \ pkey/mpi_demo$(EXEXT) pkey/pk_decrypt$(EXEXT) \ @@ -112,6 +113,10 @@ pkey/dh_server$(EXEXT): pkey/dh_server.c $(DEP) echo " CC pkey/dh_server.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +pkey/ecdh_curve25519$(EXEXT): pkey/ecdh_curve25519.c $(DEP) + echo " CC pkey/ecdh_curve25519.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdh_curve25519.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + pkey/ecdsa$(EXEXT): pkey/ecdsa.c $(DEP) echo " CC pkey/ecdsa.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdsa.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index 8dc7def6e..5a37a4212 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -7,6 +7,9 @@ target_link_libraries(dh_genprime mbedtls) add_executable(dh_server dh_server.c) target_link_libraries(dh_server mbedtls) +add_executable(ecdh_curve25519 ecdh_curve25519.c) +target_link_libraries(ecdh_curve25519 mbedtls) + add_executable(ecdsa ecdsa.c) target_link_libraries(ecdsa mbedtls) diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c new file mode 100644 index 000000000..aa15c4687 --- /dev/null +++ b/programs/pkey/ecdh_curve25519.c @@ -0,0 +1,237 @@ +/* + * Example ECDHE with Curve25519 program + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#define mbedtls_printf printf +#endif + +#if !defined(MBEDTLS_ECDH_C) || \ + !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \ + !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) +int main( void ) +{ + mbedtls_printf( "MBEDTLS_ECDH_C and/or " + "MBEDTLS_ECP_DP_CURVE25519_ENABLED and/or " + "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C " + "not defined\n" ); + return( 0 ); +} +#else + +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/ecdh.h" + +int main( int argc, char *argv[] ) +{ + int ret; + mbedtls_ecdh_context ctx_cli, ctx_srv; + mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; + unsigned char cli_to_srv[32], srv_to_cli[32]; + const char pers[] = "ecdh"; + ((void) argc); + ((void) argv); + + mbedtls_ecdh_init( &ctx_cli ); + mbedtls_ecdh_init( &ctx_srv ); + mbedtls_ctr_drbg_init( &ctr_drbg ); + + /* + * Initialize random number generation + */ + mbedtls_printf( " . Seeding the random number generator..." ); + fflush( stdout ); + + mbedtls_entropy_init( &entropy ); + if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, + (const unsigned char *) pers, + sizeof pers ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Client: inialize context and generate keypair + */ + mbedtls_printf( " . Setting up client context..." ); + fflush( stdout ); + + ret = mbedtls_ecp_group_load( &ctx_cli.grp, MBEDTLS_ECP_DP_CURVE25519 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_gen_public( &ctx_cli.grp, &ctx_cli.d, &ctx_cli.Q, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_write_binary( &ctx_cli.Q.X, cli_to_srv, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Server: initialize context and generate keypair + */ + mbedtls_printf( " . Setting up server context..." ); + fflush( stdout ); + + ret = mbedtls_ecp_group_load( &ctx_srv.grp, MBEDTLS_ECP_DP_CURVE25519 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_gen_public( &ctx_srv.grp, &ctx_srv.d, &ctx_srv.Q, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_write_binary( &ctx_srv.Q.X, srv_to_cli, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Server: read peer's key and generate shared secret + */ + mbedtls_printf( " . Server reading client key and computing secret..." ); + fflush( stdout ); + + ret = mbedtls_mpi_lset( &ctx_srv.Qp.Z, 1 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_read_binary( &ctx_srv.Qp.X, cli_to_srv, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_compute_shared( &ctx_srv.grp, &ctx_srv.z, + &ctx_srv.Qp, &ctx_srv.d, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Client: read peer's key and generate shared secret + */ + mbedtls_printf( " . Client reading server key and computing secret..." ); + fflush( stdout ); + + ret = mbedtls_mpi_lset( &ctx_cli.Qp.Z, 1 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_read_binary( &ctx_cli.Qp.X, srv_to_cli, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_compute_shared( &ctx_cli.grp, &ctx_cli.z, + &ctx_cli.Qp, &ctx_cli.d, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Verification: are the computed secret equal? + */ + mbedtls_printf( " . Checking if both computed secrets are equal..." ); + fflush( stdout ); + + ret = mbedtls_mpi_cmp_mpi( &ctx_cli.z, &ctx_srv.z ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + +exit: + +#if defined(_WIN32) + mbedtls_printf( " + Press Enter to exit this program.\n" ); + fflush( stdout ); getchar(); +#endif + + mbedtls_ecdh_free( &ctx_srv ); + mbedtls_ecdh_free( &ctx_cli ); + mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_entropy_free( &entropy ); + + return( ret != 0 ); +} +#endif /* MBEDTLS_ECDH_C && MBEDTLS_ECP_DP_CURVE25519_ENABLED && + MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ From adeb7d8ec97beb45be4b1f370636b6a30732d6f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Oct 2015 14:44:47 +0100 Subject: [PATCH 2/8] Move all KEY_EXCHANGE__ definitions in one place --- include/mbedtls/ssl.h | 20 ----------------- include/mbedtls/ssl_ciphersuites.h | 35 +++++++++++++++++++++++------- 2 files changed, 27 insertions(+), 28 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index a017ec0b1..13e5b0c8c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -55,26 +55,6 @@ #include #endif -/* For convenience below and in programs */ -#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED -#endif - /* * SSL Error codes */ diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 75d4a8a01..025de2891 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -230,7 +230,7 @@ extern "C" { #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */ /* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange. - * Reminder: update MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED below. + * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below */ typedef enum { MBEDTLS_KEY_EXCHANGE_NONE = 0, @@ -246,17 +246,36 @@ typedef enum { MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, } mbedtls_key_exchange_type_t; -#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ +#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) #define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED #endif +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) +#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED +#endif + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) +#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED +#endif + +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#define MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED +#endif + typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t; #define MBEDTLS_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */ From 4104864e545ab402fc3c9a0db8b6b3c1bca45775 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Oct 2015 14:47:17 +0100 Subject: [PATCH 3/8] ECHDE-PSK does not use a certificate fixes #270 --- ChangeLog | 6 ++++++ include/mbedtls/ssl_ciphersuites.h | 1 - 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index aa96b1848..ef9b0aa94 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,12 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.1.2 released 2015-10-06 +Bugfix + * Fix build error with configurations where ECDHE-PSK is the only key + exchange. Found and fix provided by Chris Hammond. #270 + += mbed TLS 2.1.2 released 2015-10-06 + Security * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer overflow of the hostname or session ticket. Found by Guido Vranken, diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 025de2891..b322f4253 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -251,7 +251,6 @@ typedef enum { defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) #define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED From 5df9216c9e4120d1bd1270b1ff710b22c81c05a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 22 Oct 2015 16:11:39 +0200 Subject: [PATCH 4/8] Add script to test configs with single key exchanges --- tests/scripts/curves.pl | 2 +- tests/scripts/key-exchanges.pl | 43 ++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100755 tests/scripts/key-exchanges.pl diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl index 545b3b725..1a05b4088 100755 --- a/tests/scripts/curves.pl +++ b/tests/scripts/curves.pl @@ -32,7 +32,7 @@ for my $curve (@curves) { system( "scripts/config.pl unset $curve" ) and abort "Failed to disable $curve\n"; - system( "make mbedtls" ) and abort "Failed to build lib: $curve\n"; + system( "make lib" ) and abort "Failed to build lib: $curve\n"; system( "cd tests && make" ) and abort "Failed to build tests: $curve\n"; system( "make test" ) and abort "Failed test suite: $curve\n"; diff --git a/tests/scripts/key-exchanges.pl b/tests/scripts/key-exchanges.pl new file mode 100755 index 000000000..9e35cfa44 --- /dev/null +++ b/tests/scripts/key-exchanges.pl @@ -0,0 +1,43 @@ +#!/usr/bin/perl + +# test that all configs with only a single key exchange enabled build +# +# Usage: tests/scripts/key-exchanges.pl + +use warnings; +use strict; + +-d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n"; + +my $sed_cmd = 's/^#define \(MBEDTLS_KEY_EXCHANGE_.*_ENABLED\)/\1/p'; +my $config_h = 'include/mbedtls/config.h'; +my @kexes = split( /\s+/, `sed -n -e '$sed_cmd' $config_h` ); + +system( "cp $config_h $config_h.bak" ) and die; +sub abort { + system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; + die $_[0]; +} + +for my $kex (@kexes) { + system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n"; + system( "make clean" ) and die; + + print "\n******************************************\n"; + print "* Testing with key exchange: $kex\n"; + print "******************************************\n"; + + # full config with all key exchanges disabled except one + system( "scripts/config.pl full" ) and abort "Failed config full\n"; + for my $k (@kexes) { + next if $k eq $kex; + system( "scripts/config.pl unset $k" ) + and abort "Failed to disable $k\n"; + } + + system( "make lib" ) and abort "Failed to build lib: $kex\n"; +} + +system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n"; +system( "make clean" ) and die; +exit 0; From e5f3072aedf263ea36865c9e732e9bc5f0dc1dbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 22 Oct 2015 17:01:15 +0200 Subject: [PATCH 5/8] Fix #ifdef inconsistency fixes #310 Actually all key exchanges that use a certificate use signatures too, and there is no key exchange that uses signatures but no cert, so merge those two flags. --- ChangeLog | 4 +++- include/mbedtls/ssl.h | 6 +++--- include/mbedtls/ssl_ciphersuites.h | 9 +++------ include/mbedtls/ssl_internal.h | 2 +- library/ssl_cli.c | 4 ++-- library/ssl_tls.c | 12 ++++++------ 6 files changed, 18 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index ef9b0aa94..0ea0b5553 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS 2.1.2 released 2015-10-06 += mbed TLS 2.2.0 released 2015-10-xx Bugfix * Fix build error with configurations where ECDHE-PSK is the only key exchange. Found and fix provided by Chris Hammond. #270 + * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or + ECHD-ECDSA if the only key exchange. Multiple reports. #310 = mbed TLS 2.1.2 released 2015-10-06 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 13e5b0c8c..f53c8008c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -529,7 +529,7 @@ struct mbedtls_ssl_config mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) const int *sig_hashes; /*!< allowed signature hashes */ #endif @@ -1548,7 +1548,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /** * \brief Set the allowed hashes for signatures during the handshake. * (Default: all available hashes.) @@ -1569,7 +1569,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, */ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, const int *hashes ); -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index b322f4253..55fae0b26 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -246,6 +246,7 @@ typedef enum { MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, } mbedtls_key_exchange_type_t; +/* Key exchanges using a certificate */ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ @@ -256,6 +257,7 @@ typedef enum { #define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED #endif +/* Key exchanges using a PSK */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ @@ -263,18 +265,13 @@ typedef enum { #define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED #endif +/* Key exchanges using a ECDHE */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) #define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED #endif -#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED -#endif - typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t; #define MBEDTLS_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */ diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 78c748cfa..712053ed6 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -377,7 +377,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ); int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, mbedtls_md_type_t md ); #endif diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 32eae0f2a..7463a48ee 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1923,7 +1923,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, unsigned char **p, unsigned char *end, @@ -1979,7 +1979,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9142be856..1e3b36387 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5800,7 +5800,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* * Set allowed/preferred hashes for handshake signatures */ @@ -6981,7 +6981,7 @@ static int ssl_preset_suiteb_ciphersuites[] = { 0 }; -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) static int ssl_preset_suiteb_hashes[] = { MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA384, @@ -7097,7 +7097,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) conf->sig_hashes = ssl_preset_suiteb_hashes; #endif @@ -7130,7 +7130,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_default; #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) conf->sig_hashes = mbedtls_md_list(); #endif @@ -7294,7 +7294,7 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i } #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* * Check if a hash proposed by the peer is in our list. * Return 0 if we're willing to use it, -1 otherwise. @@ -7313,7 +7313,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, return( -1 ); } -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, From 5c2a7ca98903427f53a30dc010f48b5587375a26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 23 Oct 2015 08:48:41 +0200 Subject: [PATCH 6/8] Fix warning in some reduced configs --- library/ssl_cli.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 7463a48ee..c8f4205d3 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1923,7 +1923,9 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, unsigned char **p, unsigned char *end, @@ -1979,7 +1981,9 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ From 50bd2607b86a4f26987743c4920f598a70b6390b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 23 Oct 2015 08:53:34 +0200 Subject: [PATCH 7/8] Add -Werror to reduced configs test scripts --- tests/scripts/key-exchanges.pl | 2 +- tests/scripts/test-ref-configs.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/key-exchanges.pl b/tests/scripts/key-exchanges.pl index 9e35cfa44..46826c3de 100755 --- a/tests/scripts/key-exchanges.pl +++ b/tests/scripts/key-exchanges.pl @@ -35,7 +35,7 @@ for my $kex (@kexes) { and abort "Failed to disable $k\n"; } - system( "make lib" ) and abort "Failed to build lib: $kex\n"; + system( "make lib CFLAGS='-Os -Werror'" ) and abort "Failed to build lib: $kex\n"; } system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n"; diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index d1cc924bf..c3d1426eb 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -57,7 +57,7 @@ while( my ($conf, $args) = each %configs ) { system( "cp configs/$conf $config_h" ) and abort "Failed to activate $conf\n"; - system( "make" ) and abort "Failed to build: $conf\n"; + system( "make CFLAGS='-Os -Werror'" ) and abort "Failed to build: $conf\n"; system( "make test" ) and abort "Failed test suite: $conf\n"; if( $args ) From 503a5efef1947ec0194a1a49be7ba97796033439 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 23 Oct 2015 09:04:45 +0200 Subject: [PATCH 8/8] Add key-exchanges.pl to test list --- .travis.yml | 1 + tests/scripts/all.sh | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 1259152ad..f30a4e398 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,6 +17,7 @@ script: - tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' - tests/scripts/test-ref-configs.pl - tests/scripts/curves.pl +- tests/scripts/key-exchanges.pl env: global: secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k=" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 863ff3a4e..d96615b48 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -127,11 +127,16 @@ tests/ssl-opt.sh -f Default msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' -msg "test/build: curves.pl (gcc)" # ~ 5 min (?) +msg "test/build: curves.pl (gcc)" # ~ 4 min cleanup cmake -D CMAKE_BUILD_TYPE:String=Debug . tests/scripts/curves.pl +msg "test/build: key-exchanges (gcc)" # ~ 1 min +cleanup +cmake -D CMAKE_BUILD_TYPE:String=Check . +tests/scripts/key-exchanges.pl + msg "build: Unix make, -Os (gcc)" # ~ 30s cleanup CC=gcc CFLAGS='-Werror -Os' make