Commit graph

1287 commits

Author SHA1 Message Date
sander-visser
b8aa2071f6 Scope reduction to enable NULL check to protect dereferencing.
Signed-off-by: sander-visser <github@visser.se>
2020-05-06 22:05:13 +02:00
sander-visser
1abe8ee554 Expose SSL HW record acceleration error.
Fix issue with variable shadowing.

Signed-off-by: sander-visser <github@visser.se>
2020-05-06 21:29:01 +02:00
irwir
d3085ab2b8 Avoid re-assigning zero to ret variable.
Resolve #3182.

Signed-off-by: irwir <irwir@users.noreply.github.com>
2020-04-21 22:26:59 +03:00
Manuel Pégourié-Gonnard
5d318cc22b
Merge pull request #3130 from gbryant-arm/generic-psk
Clarify and simplify PSK
2020-04-14 10:54:01 +02:00
Andrzej Kurek
8ea6872889
Improve pointer calculations when resizing I/O buffers
This commit introduces two changes:
- Add in_msg and out_msg calculations for buffer upsizing. This was previously
considered as unnecessary, but renegotiation using certain ciphersuites needs
this.
- Improving the way out_msg and in_msg pointers are calculated, so that even 
if no resizing is introduced, the pointers remain the same;

New tests added:
- various renegotiation schemes with a range of MFL's and ciphersuites;
- an ssl-opt.sh test exercising two things that were problematic: renegotiation
with TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 and a server MFL that's smaller
than the one negotiated by the client.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-09 04:33:00 -04:00
Andrzej Kurek
90c6e84a9c
Split the maximum fragment length into two - an input and output MFL
Since the server might want to have a different maximum fragment length
for the outgoing messages than the negotiated one - introduce a new way of
computing it. This commit also adds additional ssl-opt.sh tests ensuring
that the maximum fragment lengths are set as expected. 
mbedtls_ssl_get_max_frag_len() is now a deprecated function,
being an alias to mbedtls_ssl_get_output_max_frag_len(). The behaviour
of this function is the same as before.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-09 04:30:34 -04:00
Guilhem Bryant
0c9b1955ca Return internal error if no PSK is found when deriving the premaster secret
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-04-08 13:06:49 +01:00
Guilhem Bryant
03d3711bb1 Fix bracket style
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-04-03 18:21:19 +01:00
Guilhem Bryant
b5f04e4d84 Properly initialise psk and psk_len
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-04-01 11:25:12 +01:00
Guilhem Bryant
61b0fe617e Initialise psk_len in mbedtls_ssl_psk_derive_premaster()
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-27 11:15:28 +00:00
Guilhem Bryant
82194c888d Fix bracketing style in ssl_tls.c
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-26 17:05:59 +00:00
Guilhem Bryant
c5285d8c40 Use internal PSK getter
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-25 17:47:25 +00:00
Gilles Peskine
5e7d6fd240 Merge 'mbedtls/development' into merge-crypto-unremoved-20200304
Merge the latest state of the target branch (mbedtls/development) into the
pull request to merge mbed-crypto into mbedtls.

Conflicts:

* ChangeLog: add/add conflict. Resolve by using the usual section order.
2020-03-23 18:02:07 +01:00
Gilles Peskine
eccd888717 Rename identifiers containing double-underscore
Rename identifiers containing double-underscore (`__`) to avoid `__`.
The reason to avoid double-underscore is that all identifiers
containing double-underscore are reserved in C++. Rename all such
identifiers that appear in any public header, including ssl_internal.h
which is in principle private but in practice is installed with the
public headers.

This commit makes check-names.sh pass.

```
perl -i -pe 's/\bMBEDTLS_SSL__ECP_RESTARTABLE\b/MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED/g; s/\bMBEDTLS_KEY_EXCHANGE_(_\w+)_(_\w+)\b/MBEDTLS_KEY_EXCHANGE${1}${2}/g' include/mbedtls/*.h library/*.c programs/*/*.c scripts/data_files/rename-1.3-2.0.txt tests/suites/*.function
```
2020-03-23 17:55:32 +01:00
Manuel Pégourié-Gonnard
21d1cbccda
Merge pull request #2262 from andresag01/iotssl-2544-deprecate-record-accel
Fix compilation failure when MBEDTLS_SSL_HW_RECORD_ACCEL is enabled
2020-03-16 10:37:16 +01:00
Manuel Pégourié-Gonnard
7ae6ed4435 Keep SSL context const when hw accel is disabled
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-13 11:28:58 +01:00
Andrzej Kurek
0afa2a1b65
Add I/O buffer resizing in handshake init and free
Add a conditional buffer resizing feature. Introduce tests exercising
it in various setups (serialization, renegotiation, mfl manipulations).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-04 09:28:16 -05:00
Darryl Green
b33cc7688e
Add I/O buffer length fields to mbedtls_ssl_context
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Signed-off-by: Darryl Green <darryl.green@arm.com>
2020-03-03 10:44:49 -05:00
Manuel Pégourié-Gonnard
e07bc20155 Fix compile errors with MBEDTLS_SSL_HW_RECORD_ACCEL
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 09:53:42 +01:00
Hanno Becker
9d062f9cd7 Move ssl_mac() from ssl_tls.c to ssl_msg.c 2020-02-07 11:38:03 +00:00
Hanno Becker
af752d4bd6 Remove code from ssl_tls.c & ssl_msg.c to get disjoint functionality
This commit is the final step in separating the functionality of
what was originally ssl_tls.c into both ssl_tls.c and ssl_msg.c.

So far, ssl_msg.c has been created as an identical copy of ssl_tls.c.
For each block of code in these files, this commit removes it from
precisely one of the two files, depending on where the respective
functionality belongs.

The splitting separates the following functionalities:

1) An implementation of the TLS and DTLS messaging layer, that is,
   the record layer as well as the DTLS retransmission state machine.

   This is now contained in ssl_msg.c

2) Handshake parsing and writing functions shared between client and
   server (functions specific to either client or server are implemented
   in ssl_cli.c and ssl_srv.c, respectively).

   This is remains in ssl_tls.c.
2020-02-05 16:12:24 +00:00
Hanno Becker
471c0c98f6 Rename temporary copy ssl_tls_old.c back to ssl_tls.c 2020-02-05 16:10:22 +00:00
Hanno Becker
abd9cef520 Duplicate ssl_tls.c as ssl_tls_old.c and ssl_msg.c
This commit is the first in a series of commits aiming to split
the content of ssl_tls.c in two files ssl_tls.c and ssl_msg.c.

As a first step, this commit replaces ssl_tls.c by two identical
copies ssl_tls_old.c and ssl_msg.c. Even though the file
ssl_tls_old.c will subsequently be renamed back into ssl_tls.c,
this approach retains the git history in both files.
2020-02-05 16:08:41 +00:00
Hanno Becker
89490716e9 Move ssl_get_current_mtu() to public namespace 2020-02-05 10:50:52 +00:00
Hanno Becker
533ab5f5c2 Move flight and message buffering functions to public namespace 2020-02-05 10:50:52 +00:00
Hanno Becker
40cdaa1263 Move ssl_start_renegotiation() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
ce5f5fdcb4 Move ssl_handshake_wrapup_free_hs_transform() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
786300f898 Move ssl_resend_hello_request() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
7e8e6a6870 Move ssl_dtls_replay_reset() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
43aefe2321 Move ssl_session_reset_int() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
3e6f8ab14a Move SSL internal pointer updating routines to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
7876d127a9 Move ssl_check_timer() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
dd77229184 Move ssl_ep_len() to public namespace 2020-02-05 10:50:51 +00:00
Hanno Becker
0f57a65391 Move ssl_set_timer() to public namespace 2020-02-05 10:50:45 +00:00
Manuel Pégourié-Gonnard
c40b685837 Fix bug in record decompression
ssl_decompress_buf() was operating on data from the ssl context, but called at
a point where this data is actually in the rec structure. Call it later so
that the data is back to the ssl structure.
2020-01-24 10:44:13 +01:00
jiblime
9f25b8deff Fixes definition error when the deprecated MBEDTLS_ZLIB_SUPPORT and ENABLE_ZLIB_SUPPORT macro are defined/enabled for zlib support in mbedtls
100% tests passed, 0 tests failed out of 85

https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.19.1/library/ssl_tls.c#L1842

https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.19.1/library/ssl_tls.c#L1862
2020-01-24 09:34:06 +01:00
Janos Follath
73c616bdc1 Put includes in alphabetical order
The library style is to start with the includes corresponding to the
current module and then the rest in alphabetical order. Some modules
have several header files (eg. ssl_internal.h).

The recently added error.h includes did not respect this convention and
this commit restores it. In some cases this is not possible just by
moving the error.h declarations. This commit fixes the pre-existing
order in these instances too.
2019-12-19 10:27:57 +00:00
Janos Follath
865b3ebf84 Initialize return values to an error
Initializing the return values to an error is best practice and makes
the library more robust against programmer errors.
2019-12-16 15:15:16 +00:00
Jaeden Amero
1a61d455e9
Merge pull request #2841 from k-stachowiak/improve-memory-operation-clarity
Improve clarity of a memory operation call
2019-12-09 19:54:29 +02:00
Piotr Nowicki
9926eaf695 Do not allow configuring zero-length PSK
fix error when calloc is called with size 0
2019-11-25 15:49:53 +01:00
Jaeden Amero
5d74241b54 Merge remote-tracking branch 'origin/pr/2854' into development
* origin/pr/2854:
  Shorter version of mbedtls_ssl_send_fatal_handshake_failure
  Resolve #2801 - remove repetitive assignment to ssl->in_msg (the first value was never used)
  Resolve #2800 - move declaration to avoid unused variable warning in case MBEDTLS_SSL_PROTO_DTLS was undefined
  Resolve #2717 - remove erroneous sizeof (the operator was applied to constant integer number)
2019-11-22 10:20:19 +00:00
Arto Kinnunen
7f8089b2ec Fix mbedtls_ssl_check_record usage with ext buf
Record checking fails if mbedtls_ssl_check_record() is called with
external buffer. Received record sequence number is available in the
incoming record but it is not available in the ssl contexts `in_ctr`-
variable that is used when decoding the sequence number.

To fix the problem, temporarily update ssl context `in_ctr` to
point to the received record header and restore value later.
2019-10-29 13:51:37 +02:00
irwir
6c0da64094 Shorter version of mbedtls_ssl_send_fatal_handshake_failure 2019-10-28 19:54:04 +03:00
irwir
89af51ff39 Resolve #2801 - remove repetitive assignment to ssl->in_msg (the first value was never used) 2019-09-26 21:04:56 +03:00
irwir
734f0cf65e Resolve #2800 - move declaration to avoid unused variable warning in case MBEDTLS_SSL_PROTO_DTLS was undefined 2019-09-26 21:03:24 +03:00
irwir
40883e91a6 Resolve #2717 - remove erroneous sizeof (the operator was applied to constant integer number) 2019-09-26 21:00:56 +03:00
Gilles Peskine
311f54d0ee tls_prf: support an empty master secret
In TLS, the master secret is always a key. But EAP-TLS uses the TLS
PRF to derive an IV with an empty string for the "secret" input. The
code always stored the secret into a key slot before calling the TLS
PRF, but this doesn't work when the secret is empty, since PSA Crypto
no longer supports empty keys. Add a special case for an empty secret.
2019-09-23 18:19:22 +02:00
k-stachowiak
95b68ef5ae Improve clarity of a memory operation call 2019-09-16 12:21:00 +02:00
Jaeden Amero
fa63645ec8 ssl: Remove key exporter bug workaround
It is no longer necessary to cast the randbytes to non-const when
exporting keys.
2019-09-12 15:18:25 +01:00
Hanno Becker
361b10d1c4 Fix SSL context deserialization
The SSL context maintains a set of 'out pointers' indicating the
address at which to write the header fields of the next outgoing
record. Some of these addresses have a static offset from the
beginning of the record header, while other offsets can vary
depending on the active record encryption mechanism: For example,
if an explicit IV is in use, there's an offset between the end
of the record header and the beginning of the encrypted data to
allow the explicit IV to be placed in between; also, if the DTLS
Connection ID (CID) feature is in use, the CID is part of the
record header, shifting all subsequent information (length, IV, data)
to the back.
When setting up an SSL context, the out pointers are initialized
according to the identity transform + no CID, and it is important
to keep them up to date whenever the record encryption mechanism
changes, which is done by the helper function ssl_update_out_pointers().

During context deserialization, updating the out pointers according
to the deserialized record transform went missing, leaving the out
pointers the initial state. When attemping to encrypt a record in
this state, this lead to failure if either a CID or an explicit IV
was in use. This wasn't caught in the tests by the bad luck that
they didn't use CID, _and_ used the default ciphersuite based on
ChaChaPoly, which doesn't have an explicit IV. Changing either of
this would have made the existing tests fail.

This commit fixes the bug by adding a call to ssl_update_out_pointers()
to ssl_context_load() implementing context deserialization.

Extending test coverage is left for a separate commit.
2019-08-30 12:14:25 +01:00
k-stachowiak
81053a5584 Use multipart PSA key derivation API 2019-08-17 11:43:35 +02:00
Jarno Lamsa
b7b486cfd1 Fix compiler warning
Fix a compiler warning when MBEDTLS_SHA512_C isn't defined.
2019-08-23 13:11:31 +03:00
Jarno Lamsa
8c51b7cd94 Add debug messages
Add debug messages to easier identify which condition fails
with usage restrictions in mbedtls_ssl_context_save()
2019-08-23 13:11:31 +03:00
Jarno Lamsa
c84bd24224 Add missing guards for mac usage
There were couple of cases where guards were missing when
no ciphersuites are using mac.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
e458869b3f Improve reability and debugability of large if
Breaking into a series of statements makes things easier when stepping through
the code in a debugger.

Previous comments we stating the opposite or what the code tested for (what we
want vs what we're erroring out on) which was confusing.

Also expand a bit on the reasons for these restrictions.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
4ca930f8b9 Fix a typo in a comment 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
f041f4e19c Fix MSVC warning
We know the length of the ALPN string is always less than 255, so the cast to
uint8_t is safe.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
9a96fd7ac3 Fix compile error in reduced configurations
Found by running scripts/baremetal.h --rom --gcc --check after adding
MBEDTLS_SSL_CONTEXT_SERIALIZATION to baremetal.h
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
45ac1f0c92 Avoid duplication of session format header 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
4e9370ba91 Implement config-checking header to context s11n
Modelled after the config-checking header from session s11n.

The list of relevant config flags was established by manually checking the
fields serialized in the format, and which config.h flags they depend on.
This probably deserves double-checking by reviewers.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
5c0e377532 Provide serialisation API only if it's enabled 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
5ea13b854a Fix compiler warning: comparing signed to unsigned
Since the type of cid_len is unsigned but shorter than int, it gets
"promoted" to int (which is also the type of the result), unless we make the
other operand an unsigned int which then forces the expression to unsigned int
as well.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
9df5a82079 Actually reset the context on save as advertised
Also fix some wording in the documentation while at it.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
142ba736d9 Re-use buffer allocated by handshake_init()
This fixes a memory leak as well (found by running ssl-opt.sh in an Asan
build).
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
0eb3eac023 Add setting of forced fields when deserializing 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
c86c5df081 Add saved fields from top-level structure 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
c2a7b891a1 Add transform (de)serialization 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
b9dfc9fd30 Fix English in comments 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
4b7e6b925f Add session saving/loading
For now, the header (version+format bytes) is duplicated. This might be
optimized later.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
4c90e858b5 Add (stub) header writing and checking
The number of meaning of the flags will be determined later, when handling the
relevant struct members. For now three bytes are reserved as an example, but
this number may change later.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
0ff76407d2 Add usage checks in context_load() 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
00400c2bf6 Document internal serialisation format
This mainly follows the design document (saving all fields marked "saved" in
the main structure and the transform sub-structure) with two exceptions:

- things related to renegotiation are excluded here (there weren't quite in
  the design document as the possibility of allowing renegotiation was still
on the table, which is no longer is) - also, ssl.secure_renegotiation (which
is not guarded by MBEDTLS_SSL_RENEGOTIATION because it's used in initial
handshakes even with renegotiation disabled) is still excluded, as we don't
need it after the handshake.

- things related to Connection ID are added, as they weren't present at the
  time the design document was written.

The exact format of the header (value of the bitflag indicating compile-time
options, whether and how to merge it with the serialized session header) will
be determined later.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
1aaf66940e Implement usage checks in context_save()
Enforce restrictions indicated in the documentation.

This allows to make some simplifying assumptions (no need to worry about
saving IVs for CBC in TLS < 1.1, nor about saving handshake data) and
guarantees that all values marked as "forced" in the design document have the
intended values and can be skipped when serialising.

Some of the "forced" values are not checked because their value is a
consequence of other checks (for example, session_negotiated == NULL outside
handshakes). We do however check that session and transform are not NULL (even
if that's also a consequence of the initial handshake being over) as we're
going to dereference them and static analyzers may appreciate the info.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
96fb0ee9cf Save Hello random bytes for later use 2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
6d8f128790 Fix typos, grammar and wording in documentation 2019-08-23 12:52:29 +03:00
Manuel Pégourié-Gonnard
ac87e28bb2 Declare and document ssl_context_save()/load()
Also introduce stub definitions so that things compile and link.
2019-08-23 12:52:29 +03:00
Hanno Becker
be34e8e9c0 Remove reference to outdated compile-time option 2019-08-23 12:51:21 +03:00
Hanno Becker
f9b3303eb9 Introduce specific error for ver/cfg mismatch on deserialization
This commit introduces a new SSL error code

  `MBEDTLS_ERR_SSL_VERSION_MISMATCH`

which can be used to indicate operation failure due to a
mismatch of version or configuration.

It is put to use in the implementation of `mbedtls_ssl_session_load()`
to signal the attempt to de-serialize a session which has been serialized
in a build of Mbed TLS using a different version or configuration.
2019-08-23 12:51:21 +03:00
Hanno Becker
3e08866e06 Use def'n consts for bits in config-identifier of serialized data 2019-08-23 12:51:21 +03:00
Hanno Becker
dc28b6c5e1 Note that ver+fmt bytes in serialized data must not be removed 2019-08-23 12:51:21 +03:00
Hanno Becker
50b596666d Improve doc'n of config-identifying bitfield in serialized session 2019-08-23 12:51:21 +03:00
Hanno Becker
f37d91830a Session serialization: Fail with BAD_INPUT_DATA if buffer too small 2019-08-23 12:51:21 +03:00
Hanno Becker
94ef3b35f4 Encode relevant parts of the config in serialized session header
This commit makes use of the added space in the session header to
encode the state of those parts of the compile-time configuration
which influence the structure of the serialized session in the
present version of Mbed TLS. Specifically, these are
- the options which influence the presence/omission of fields
  from mbedtls_ssl_session (which is currently shallow-copied
  into the serialized session)
- the setting of MBEDTLS_X509_CRT_PARSE_C, which determines whether
  the serialized session contains a CRT-length + CRT-value pair after
  the shallow-copied mbedtls_ssl_session instance.
- the setting of MBEDTLS_SSL_SESSION_TICKETS, which determines whether
  the serialized session contains a session ticket.
2019-08-23 12:51:21 +03:00
Hanno Becker
f878707b8f Add configuration identifier to serialized SSL sessions
This commit adds space for two bytes in the header of serizlied
SSL sessions which can be used to determine the structure of the
remaining serialized session in the respective version of Mbed TLS.

Specifically, if parts of the session depend on whether specific
compile-time options are set or not, the setting of these options
can be encoded in the added space.

This commit doesn't yet make use of the fields.
2019-08-23 12:51:21 +03:00
Hanno Becker
a835da5cb1 Add Mbed TLS version to SSL sessions
The format of serialized SSL sessions depends on the version and the
configuration of Mbed TLS; attempts to restore sessions established
in different versions and/or configurations lead to undefined behaviour.

This commit adds an 3-byte version header to the serialized session
generated and cleanly fails ticket parsing in case a session from a
non-matching version of Mbed TLS is presented.
2019-08-23 12:51:21 +03:00
Manuel Pégourié-Gonnard
f743c03ea7 Add new ABI-independent format for serialization 2019-08-23 12:50:17 +03:00
Manuel Pégourié-Gonnard
51a0bfd9bc Fix bug in cert digest serialisation
This bug was present since cert digest had been introduced, which highlights
the need for testing.

While at it, fix a bug in the comment explaining the format - this was
introduced by me copy-pasting to hastily from current baremetal, that has a
different format (see next PR in the series for the same in development).
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard
686adb4d54 Normalize spelling to serialiZation
We have explicit recommendations to use US spelling for technical writing, so
let's apply this to code as well for uniformity. (My fingers tend to prefer UK
spelling, so this needs to be fixed in many places.)

sed -i 's/\([Ss]eriali\)s/\1z/g' **/*.[ch] **/*.function **/*.data ChangeLog
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard
a3d831b9e6 Add test for session_load() from small buffers
This uncovered a bug that led to a double-free (in practice, in general could
be free() on any invalid value): initially the session structure is loaded
with `memcpy()` which copies the previous values of pointers peer_cert and
ticket to heap-allocated buffers (or any other value if the input is
attacker-controlled). Now if we exit before we got a chance to replace those
invalid values with valid ones (for example because the input buffer is too
small, or because the second malloc() failed), then the next call to
session_free() is going to call free() on invalid pointers.

This bug is fixed in this commit by always setting the pointers to NULL right
after they've been read from the serialised state, so that the invalid values
can never be used.

(An alternative would be to NULL-ify them when writing, which was rejected
mostly because we need to do it when reading anyway (as the consequences of
free(invalid) are too severe to take any risk), so doing it when writing as
well is redundant and a waste of code size.)

Also, while thinking about what happens in case of errors, it became apparent
to me that it was bad practice to leave the session structure in an
half-initialised state and rely on the caller to call session_free(), so this
commit also ensures we always clear the structure when loading failed.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard
26f982f50e Improve save API by always updating olen
This allows callers to discover what an appropriate size is. Otherwise they'd
have to either try repeatedly, or allocate an overly large buffer (or some
combination of those).

Adapt documentation an example usage in ssl_client2.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard
b5e4e0a395 Add mbedtls_ssl_get_session_pointer()
Avoid useless copy with mbedtls_ssl_get_session() before serialising.

Used in ssl_client2 for testing and demonstrating usage, but unfortunately
that means mbedtls_ssl_get_session() is no longer tested, which will be fixed
in the next commit.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard
35eb802103 Add support for serialisation session with ticket
On client side, this is required for the main use case where of serialising a
session for later resumption, in case tickets are used.

On server side, this doesn't change much as ticket_len will always be 0.

This unblocks testing the functions by using them in ssl_client2, which will
be done in the next commit.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard
a3e7c65101 Move session save/load function to ssl_tls.c
This finishes making these functions public. Next step is to get them tested,
but there's currently a blocker for that, see next commit (and the commit
after it for tests).
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard
8faa70e810 Use more specific name in debug message for testing
While 'session hash' is currently unique, so suitable to prove that the
intended code path has been taken, it's a generic enough phrase that in the
future we might add other debug messages containing it in completely unrelated
code paths. In order to future-proof the accuracy of the test, let's use a
more specific string.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
d91efa47c0 Fix alignment issues 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
47e33e11f7 Clarify comment about TLS versions
The previous comment used "TLS" as a shortcut for "TLS 1.0/1.1" which was
confusing. This partially reflected the names of the calc_verify/finished that
go ssl, tls (for 1.0/1.1) tls_shaxxx (for 1.2), but still it's clearer to be
explicit in the comment - and perhaps in the long term the function names
could be clarified instead.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
7fa1407adb Remove redundant debug message.
Two consecutive messages (ie no branch between them) at the same level are not
needed, so only keep the one that has the most information.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
6fa57bfae5 Remove 'session' input from populate_tranform()
When using this function to deserialize, it's not a problem to have a session
structure as input as we'll have one around anyway (most probably freshly
deserialised).

However for tests it's convenient to be able to build a transform without
having a session structure around.

Also, removing this structure from parameters makes the function signature
more uniform, the only exception left being the ssl param at the end that's
hard to avoid for now.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
31d3ef11f5 Fix typo in comment 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
a7505d18eb Enforce promise to not use whole ssl context
Configs with no DEBUG_C are used for example in test-ref-configs.pl, which also
runs parts of compat.sh or ssl-opt.sh on them, so the added 'ssl = NULL'
statements will be exercised in those tests at least.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
c864f6a209 Partially rm 'ssl' input from populate_transform() 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
9b108c242d Remove "handshake" input from populate_transform() 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
344460c913 Work around bug in key exporter API
https://github.com/ARMmbed/mbedtls/issues/2759
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
cba40d92bd Start refining parameters of populate_transform()
Parameters 'handshake' and 'ssl' will be replaced with more fine-grained
inputs in follow-up commits.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
d73b47fe2e Move compress_buf allocation to derive_keys 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
040a9517b5 Move handling of randbytes to derive_keys() 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
de718b99b5 Make calc_verify() return the length as well
Simplifies ssl_compute_hash(), but unfortunately not so much the other uses.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
0d56aaac7b Constify ssl_context param of calc_verify() 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
de047adfb4 Improve signature of ssl_compute_master()
Make it more explicit what's used. Unfortunately, we still need ssl as a
parameter for debugging, and because calc_verify wants it as a parameter (for
all TLS versions except SSL3 it would actually only need handshake, but SSL3
also accesses session_negotiate).

It's also because of calc_verify that we can't make it const yet, but see next
commit.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
85680c49ef Reduce indentation in ssl_compute_master()
Exit earlier when there's noting to do.

For a small diff, review with 'git show -w'.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
9951b712bd Start extracting ssl_compute_master()
For now just moving code around, not changing indentation. Calling convention
and signature are going to be adjusted in upcoming commits.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
8d2805c784 Fix signature of ssl_set_transform_prfs() 2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
1b00c4f5b3 Start extraction ssl_set_handshake_prfs()
For now just moving code around, will improve signature in the next commit.
2019-08-23 12:45:33 +03:00
Manuel Pégourié-Gonnard
e59ae23868 Start splitting populate_transform() out of derive_keys()
This is currently a dummy, just introducing the new name.
2019-08-23 12:45:33 +03:00
Jaeden Amero
beec142010 Merge remote-tracking branch 'origin/pr/2790' into development
* origin/pr/2790: (40 commits)
  Fix possibly-lossy conversion warning from MSVC
  Reintroduce length 0 check for records
  Don't use memcpy() for 2-byte copy operation
  Remove integer parsing macro
  Fix alignment in record header parsing routine
  Don't disallow 'record from another epoch' log msg in proxy ref test
  Make sure 'record from another epoch' is displayed for next epoch
  Implement record checking API
  Mark ssl_parse_record_header() as `const` in SSL context
  Make mbedtls_ssl_in_hdr_len() CID-unaware
  Remove duplicate setting of ssl->in_msgtype and ssl->in_msglen
  Move update of in_xxx fields in ssl_get_next_record()
  Move update of in_xxx fields outside of ssl_prepare_record_content()
  Reduce dependency of ssl_prepare_record_content() on in_xxx fields
  Move ssl_update_in_pointers() to after record hdr parsing
  Mark DTLS replay check as `const` on the SSL context
  Move updating the internal rec ptrs to outside of rec hdr parsing
  Mark ssl_decrypt_buf() as `const in the input SSL context
  Adapt ssl_prepare_record_content() to use SSL record structure
  Use record length from record structure when fetching content in TLS
  ...
2019-08-22 11:09:15 +01:00
Jaeden Amero
9a09f511b5 Merge remote-tracking branch 'origin/pr/2781' into development
* origin/pr/2781:
  Documentation fixes according to review
  Remove unused label in ssl_client2/ssl_server2
  Add missing word in documentation of mbedtls_ssl_check_record()
  cli/srv ex: Add dbg msg if record checking gives inconsistent result
  Fix minor issues in documentation of mbedtls_ssl_check_record()
  State that record checking is DTLS only and doesn't check content type
  Update version_features.c
  Pass dgrams to mbedtls_ssl_check_record in ssl_client2/server2
  Add IO wrappers to ssl_server2 as interm's between NET and SSL layer
  Add IO wrappers to ssl_client2 as interm's between NET and SSL layer
  Introduce configuration option and API for SSL record checking
2019-08-22 11:08:52 +01:00
Janos Follath
da6ac01963 Rename local variables 2019-08-16 13:47:29 +01:00
Janos Follath
1239d70870 Remove calls to psa_allocate_key
In PSA 1.0 keys are allocated implicitly by other functions
(like psa_import_key) and psa_allocate_key is not needed and does not
exist anymore.
2019-08-16 13:37:32 +01:00
Janos Follath
53b8ec27a2 Make variable naming consistent 2019-08-16 13:37:32 +01:00
Janos Follath
ed73b04c6e Update psa_import_key to PSA 1.0 2019-08-16 13:36:15 +01:00
Janos Follath
bd096101b5 Update psa_generator_abort to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
6de99db449 Update psa_generator_read to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
8dee877e8a Update psa_crypto_generator_t to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
7374ee6139 Update GENERATOR_INIT macro to PSA 1.0 2019-08-16 11:45:55 +01:00
Jaeden Amero
922013e46d tls: Remove duplicate psa_util.h include
Don't include psa_util.h twice. It's enough to include it once.
2019-08-15 15:44:50 +01:00
Manuel Pégourié-Gonnard
7e821b5bcd Fix possibly-lossy conversion warning from MSVC
ssl_tls.c(4876): warning C4267: '=': conversion from 'size_t' to 'uint8_t', possible loss of data
2019-08-14 15:08:09 +01:00
Hanno Becker
d417cc945c Reintroduce length 0 check for records 2019-08-14 15:08:08 +01:00
Hanno Becker
d0b66d08bb Don't use memcpy() for 2-byte copy operation
Manual copying is slightly shorter here.
2019-08-14 15:08:08 +01:00
Hanno Becker
9eca276768 Remove integer parsing macro
If this is introduced, it should be defined in a prominent place
and put to use throughout the library, but this is left for another
time.
2019-08-14 15:08:08 +01:00
Hanno Becker
f5466258b4 Fix alignment in record header parsing routine 2019-08-14 15:08:08 +01:00
Hanno Becker
552f747216 Make sure 'record from another epoch' is displayed for next epoch
The test 'DTLS proxy: delay ChangeCipherSpec' from ssl-opt.sh
relies on this.
2019-08-14 15:08:08 +01:00
Hanno Becker
5422981052 Implement record checking API
This commit implements the record checking API

   mbedtls_ssl_check_record()

on top of the restructured incoming record stack.

Specifically, it makes use of the fact that the core processing routines

  ssl_parse_record_header()
  mbedtls_ssl_decrypt_buf()

now operate on instances of the SSL record structure mbedtls_record
instead of the previous mbedtls_ssl_context::in_xxx fields.
2019-08-14 15:08:08 +01:00
Hanno Becker
331de3df9a Mark ssl_parse_record_header() as const in SSL context 2019-08-14 15:08:08 +01:00
Hanno Becker
b0fe0eedce Remove duplicate setting of ssl->in_msgtype and ssl->in_msglen 2019-08-14 15:06:44 +01:00
Hanno Becker
44d89b2d53 Move update of in_xxx fields in ssl_get_next_record()
ssl_get_next_record() updates the legacy in_xxx fields in two places,
once before record decryption and once after. Now that record decryption
doesn't use or affect the in_xxx fields anymore, setting up the these
legacy fields can entirely be moved to the end of ssl_get_next_record(),
which is what this comit does.

This commit solely moves existing code, but doesn't yet simplify the
now partially redundant settings of the in_xxx fields. This will be
done in a separate commit.
2019-08-14 15:06:44 +01:00
Hanno Becker
8685c822c1 Move update of in_xxx fields outside of ssl_prepare_record_content()
Multiple record attributes such as content type and payload length
may change during record decryption, and the legacy in_xxx fields
in the SSL context therefore need to be updated after the record
decryption routine ssl_decrypt_buf() has been called.

After the previous commit has made ssl_prepare_record_content()
independent of the in_xxx fields, setting them can be moved
outside of ssl_prepare_record_content(), which is what this
commit does.
2019-08-14 15:06:44 +01:00
Hanno Becker
58ef0bf19f Reduce dependency of ssl_prepare_record_content() on in_xxx fields 2019-08-14 15:06:44 +01:00
Hanno Becker
d8bf8ceeb4 Move ssl_update_in_pointers() to after record hdr parsing
Previously, ssl_update_in_pointers() ensured that the in_xxx pointers
in the SSL context are set to their default state so that the record
header parsing function ssl_parse_record_header() could make use of them.
By now, the latter is independent of these pointers, so they don't need
to be setup before calling ssl_parse_record_header() anymore.
However, other parts of the messaging stack might still depend on it
(to be studied), and hence this commit does not yet reomve
ssl_update_in_pointers() entirely.
2019-08-14 15:06:06 +01:00
Hanno Becker
0183d699bf Mark DTLS replay check as const on the SSL context 2019-08-14 15:06:06 +01:00
Hanno Becker
7ae20e0f4c Move updating the internal rec ptrs to outside of rec hdr parsing
The stack maintains pointers mbedtls_ssl_context::in_xxx pointing to
various parts of the [D]TLS record header. Originally, these fields
were determined and set in ssl_parse_record_header(). By now,
ssl_parse_record_header() has been modularized to setup an instance
of the internal SSL record structure mbedtls_record, and to derive
the old in_xxx fields from that.

This commit takes a further step towards removing the in_xxx fields
by deriving them from the established record structure _outside_ of
ssl_parse_record_header() after the latter has succeeded.

One exception is the handling of possible client reconnects,
which happens in the case then ssl_parse_record_header() returns
MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; since ssl_check_client_reconnect()
so far uses the in_xxx fields, they need to be derived from the
record structure beforehand.
2019-08-14 15:06:06 +01:00
Hanno Becker
605949f84c Mark ssl_decrypt_buf() as `const in the input SSL context
In fact, the SSL context is only used to access the debug callback.
2019-08-14 15:06:06 +01:00
Hanno Becker
fdf660426d Adapt ssl_prepare_record_content() to use SSL record structure 2019-08-14 15:06:06 +01:00
Hanno Becker
a31756619c Use record length from record structure when fetching content in TLS 2019-08-14 15:06:06 +01:00
Hanno Becker
f50da50c04 Use record structure when remembering offset of next record in dgram 2019-08-14 15:06:06 +01:00
Hanno Becker
4acada35f5 Use SSL record structure when skipping over unexpected record 2019-08-14 15:06:06 +01:00
Hanno Becker
519f15dbba Adapt ssl_buffer_future_record() to work with SSL record structure 2019-08-14 15:06:05 +01:00
Hanno Becker
e5e7e7833c Setup SSL record structure in ssl_parse_record_header()
This commit makes a first step towards modularizing the incoming record
processing by having it operate on instances of the structure mbedtls_record
representing SSL records.

So far, only record encryption/decryption operate in terms of record
instances, but the rest of the parsing doesn't. In particular,
ssl_parse_record_header() operates directly on the fixed input buffer,
setting the various ssl->in_xxx pointers and fields, and only directly
before/after calling ssl_decrypt_buf() these fields a converted to/from
mbedtls_record instances.

This commit does not yet remove the ssl->in_xxx fields, but makes a step
towards extending the lifetime of mbedtls_record structure representing
incoming records, by modifying ssl_parse_record_header() to setup an
instance of mbedtls_record, and setting the ssl->in_xxx fields from that
instance. The instance so-constructed isn't used further so far, and in
particular it is not yet consolidated with the instance set up for use
in ssl_decrypt_record(). That's for a later commit.
2019-08-14 15:06:04 +01:00
Hanno Becker
37cfe73c92 Minor documentation improvements in ssl_parse_record_header() 2019-08-14 14:45:20 +01:00
Hanno Becker
955a5c98df Check for sufficient datagram size in ssl_parse_record_header()
Previously, ssl_parse_record_header() did not check whether the current
datagram is large enough to hold a record of the advertised size. This
could lead to records being silently skipped over or backed up on the
basis of an invalid record length. Concretely, the following would happen:

1) In the case of a record from an old epoch, the record would be
   'skipped over' by setting next_record_offset according to the advertised
   but non-validated length, and only in the subsequent mbedtls_ssl_fetch_input()
   it would be noticed in an assertion failure if the record length is too
   large for the current incoming datagram.
   While not critical, this is fragile, and also contrary to the intend
   that MBEDTLS_ERR_SSL_INTERNAL_ERROR should never be trigger-able by
   external input.
2) In the case of a future record being buffered, it might be that we
   backup a record before we have validated its length, hence copying
   parts of the input buffer that don't belong to the current record.
   This is a bug, and it's by luck that it doesn't seem to have critical
   consequences.

This commit fixes this by modifying ssl_parse_record_header() to check that
the current incoming datagram is large enough to hold a record of the
advertised length, returning MBEDTLS_ERR_SSL_INVALID_RECORD otherwise.
2019-08-14 14:44:55 +01:00
Hanno Becker
d5c0f826e6 Don't send an alert when receiving a record of unknown ContentType
We don't send alerts on other instances of ill-formed records,
so why should we do it here? If we want to keep it, the alerts
should rather be sent ssl_get_next_record().
2019-08-14 14:44:36 +01:00