Commit graph

4689 commits

Author SHA1 Message Date
Janos Follath
da6ac01963 Rename local variables 2019-08-16 13:47:29 +01:00
Janos Follath
df3b0892ce Use psa_raw_key_agreement
In PSA 1.0 raw key agreement has been moved from
psa_key_derivation_key_agreement() to its own separate function call,
called psa_raw_key_agreement().
2019-08-16 13:37:32 +01:00
Janos Follath
1239d70870 Remove calls to psa_allocate_key
In PSA 1.0 keys are allocated implicitly by other functions
(like psa_import_key) and psa_allocate_key is not needed and does not
exist anymore.
2019-08-16 13:37:32 +01:00
Janos Follath
53b8ec27a2 Make variable naming consistent 2019-08-16 13:37:32 +01:00
Janos Follath
7bb5e6b4da Update psa_create_key to PSA 1.0 2019-08-16 13:37:32 +01:00
Janos Follath
ed73b04c6e Update psa_import_key to PSA 1.0 2019-08-16 13:36:15 +01:00
Janos Follath
bd096101b5 Update psa_generator_abort to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
6de99db449 Update psa_generator_read to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
8dee877e8a Update psa_crypto_generator_t to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
7d7ded85fb Update psa_key_agreement to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
7374ee6139 Update GENERATOR_INIT macro to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
3d158ebd2f Update KEYPAIR macros to PSA 1.0 2019-08-16 11:45:53 +01:00
Jaeden Amero
58f11d010b Merge branch 'development' into development-restricted
* development:
  Update crypto to a repo with latest crypto
  Update Mbed Crypto
  tls: Remove duplicate psa_util.h include
  Remove unused cryptography test files
  Remove crypto C files
  Remove files sourced from Mbed Crypto
  config: Fix Doxygen link to MBEDTLS_PARAM_FAILED
  Use mbedtls-based path for includes
  check-names: Consider crypto-sourced header files
2019-08-16 10:14:40 +01:00
Jaeden Amero
922013e46d tls: Remove duplicate psa_util.h include
Don't include psa_util.h twice. It's enough to include it once.
2019-08-15 15:44:50 +01:00
Jaeden Amero
a0aee30644 Remove crypto C files
Remove unused cryptography C files, as these are sourced from Mbed
Crypto now.
2019-08-15 15:44:50 +01:00
Gilles Peskine
4017d882dd Merge remote-tracking branch 'upstream-restricted/development-proposed' into development-restricted-proposed 2019-08-14 18:38:42 +02:00
Gilles Peskine
60b29d6bfd Merge remote-tracking branch 'upstream-restricted/pr/503' into development-restricted-proposed 2019-08-14 18:37:59 +02:00
Manuel Pégourié-Gonnard
7e821b5bcd Fix possibly-lossy conversion warning from MSVC
ssl_tls.c(4876): warning C4267: '=': conversion from 'size_t' to 'uint8_t', possible loss of data
2019-08-14 15:08:09 +01:00
Hanno Becker
d417cc945c Reintroduce length 0 check for records 2019-08-14 15:08:08 +01:00
Hanno Becker
d0b66d08bb Don't use memcpy() for 2-byte copy operation
Manual copying is slightly shorter here.
2019-08-14 15:08:08 +01:00
Hanno Becker
9eca276768 Remove integer parsing macro
If this is introduced, it should be defined in a prominent place
and put to use throughout the library, but this is left for another
time.
2019-08-14 15:08:08 +01:00
Hanno Becker
f5466258b4 Fix alignment in record header parsing routine 2019-08-14 15:08:08 +01:00
Hanno Becker
552f747216 Make sure 'record from another epoch' is displayed for next epoch
The test 'DTLS proxy: delay ChangeCipherSpec' from ssl-opt.sh
relies on this.
2019-08-14 15:08:08 +01:00
Hanno Becker
5422981052 Implement record checking API
This commit implements the record checking API

   mbedtls_ssl_check_record()

on top of the restructured incoming record stack.

Specifically, it makes use of the fact that the core processing routines

  ssl_parse_record_header()
  mbedtls_ssl_decrypt_buf()

now operate on instances of the SSL record structure mbedtls_record
instead of the previous mbedtls_ssl_context::in_xxx fields.
2019-08-14 15:08:08 +01:00
Hanno Becker
331de3df9a Mark ssl_parse_record_header() as const in SSL context 2019-08-14 15:08:08 +01:00
Hanno Becker
b0fe0eedce Remove duplicate setting of ssl->in_msgtype and ssl->in_msglen 2019-08-14 15:06:44 +01:00
Hanno Becker
44d89b2d53 Move update of in_xxx fields in ssl_get_next_record()
ssl_get_next_record() updates the legacy in_xxx fields in two places,
once before record decryption and once after. Now that record decryption
doesn't use or affect the in_xxx fields anymore, setting up the these
legacy fields can entirely be moved to the end of ssl_get_next_record(),
which is what this comit does.

This commit solely moves existing code, but doesn't yet simplify the
now partially redundant settings of the in_xxx fields. This will be
done in a separate commit.
2019-08-14 15:06:44 +01:00
Hanno Becker
8685c822c1 Move update of in_xxx fields outside of ssl_prepare_record_content()
Multiple record attributes such as content type and payload length
may change during record decryption, and the legacy in_xxx fields
in the SSL context therefore need to be updated after the record
decryption routine ssl_decrypt_buf() has been called.

After the previous commit has made ssl_prepare_record_content()
independent of the in_xxx fields, setting them can be moved
outside of ssl_prepare_record_content(), which is what this
commit does.
2019-08-14 15:06:44 +01:00
Hanno Becker
58ef0bf19f Reduce dependency of ssl_prepare_record_content() on in_xxx fields 2019-08-14 15:06:44 +01:00
Hanno Becker
d8bf8ceeb4 Move ssl_update_in_pointers() to after record hdr parsing
Previously, ssl_update_in_pointers() ensured that the in_xxx pointers
in the SSL context are set to their default state so that the record
header parsing function ssl_parse_record_header() could make use of them.
By now, the latter is independent of these pointers, so they don't need
to be setup before calling ssl_parse_record_header() anymore.
However, other parts of the messaging stack might still depend on it
(to be studied), and hence this commit does not yet reomve
ssl_update_in_pointers() entirely.
2019-08-14 15:06:06 +01:00
Hanno Becker
0183d699bf Mark DTLS replay check as const on the SSL context 2019-08-14 15:06:06 +01:00
Hanno Becker
7ae20e0f4c Move updating the internal rec ptrs to outside of rec hdr parsing
The stack maintains pointers mbedtls_ssl_context::in_xxx pointing to
various parts of the [D]TLS record header. Originally, these fields
were determined and set in ssl_parse_record_header(). By now,
ssl_parse_record_header() has been modularized to setup an instance
of the internal SSL record structure mbedtls_record, and to derive
the old in_xxx fields from that.

This commit takes a further step towards removing the in_xxx fields
by deriving them from the established record structure _outside_ of
ssl_parse_record_header() after the latter has succeeded.

One exception is the handling of possible client reconnects,
which happens in the case then ssl_parse_record_header() returns
MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; since ssl_check_client_reconnect()
so far uses the in_xxx fields, they need to be derived from the
record structure beforehand.
2019-08-14 15:06:06 +01:00
Hanno Becker
605949f84c Mark ssl_decrypt_buf() as `const in the input SSL context
In fact, the SSL context is only used to access the debug callback.
2019-08-14 15:06:06 +01:00
Hanno Becker
fdf660426d Adapt ssl_prepare_record_content() to use SSL record structure 2019-08-14 15:06:06 +01:00
Hanno Becker
a31756619c Use record length from record structure when fetching content in TLS 2019-08-14 15:06:06 +01:00
Hanno Becker
f50da50c04 Use record structure when remembering offset of next record in dgram 2019-08-14 15:06:06 +01:00
Hanno Becker
4acada35f5 Use SSL record structure when skipping over unexpected record 2019-08-14 15:06:06 +01:00
Hanno Becker
519f15dbba Adapt ssl_buffer_future_record() to work with SSL record structure 2019-08-14 15:06:05 +01:00
Hanno Becker
e5e7e7833c Setup SSL record structure in ssl_parse_record_header()
This commit makes a first step towards modularizing the incoming record
processing by having it operate on instances of the structure mbedtls_record
representing SSL records.

So far, only record encryption/decryption operate in terms of record
instances, but the rest of the parsing doesn't. In particular,
ssl_parse_record_header() operates directly on the fixed input buffer,
setting the various ssl->in_xxx pointers and fields, and only directly
before/after calling ssl_decrypt_buf() these fields a converted to/from
mbedtls_record instances.

This commit does not yet remove the ssl->in_xxx fields, but makes a step
towards extending the lifetime of mbedtls_record structure representing
incoming records, by modifying ssl_parse_record_header() to setup an
instance of mbedtls_record, and setting the ssl->in_xxx fields from that
instance. The instance so-constructed isn't used further so far, and in
particular it is not yet consolidated with the instance set up for use
in ssl_decrypt_record(). That's for a later commit.
2019-08-14 15:06:04 +01:00
Gilles Peskine
1435767d2a Merge remote-tracking branch 'upstream-public/pr/2753' into development 2019-08-14 16:00:11 +02:00
Hanno Becker
37cfe73c92 Minor documentation improvements in ssl_parse_record_header() 2019-08-14 14:45:20 +01:00
Hanno Becker
955a5c98df Check for sufficient datagram size in ssl_parse_record_header()
Previously, ssl_parse_record_header() did not check whether the current
datagram is large enough to hold a record of the advertised size. This
could lead to records being silently skipped over or backed up on the
basis of an invalid record length. Concretely, the following would happen:

1) In the case of a record from an old epoch, the record would be
   'skipped over' by setting next_record_offset according to the advertised
   but non-validated length, and only in the subsequent mbedtls_ssl_fetch_input()
   it would be noticed in an assertion failure if the record length is too
   large for the current incoming datagram.
   While not critical, this is fragile, and also contrary to the intend
   that MBEDTLS_ERR_SSL_INTERNAL_ERROR should never be trigger-able by
   external input.
2) In the case of a future record being buffered, it might be that we
   backup a record before we have validated its length, hence copying
   parts of the input buffer that don't belong to the current record.
   This is a bug, and it's by luck that it doesn't seem to have critical
   consequences.

This commit fixes this by modifying ssl_parse_record_header() to check that
the current incoming datagram is large enough to hold a record of the
advertised length, returning MBEDTLS_ERR_SSL_INVALID_RECORD otherwise.
2019-08-14 14:44:55 +01:00
Hanno Becker
d5c0f826e6 Don't send an alert when receiving a record of unknown ContentType
We don't send alerts on other instances of ill-formed records,
so why should we do it here? If we want to keep it, the alerts
should rather be sent ssl_get_next_record().
2019-08-14 14:44:36 +01:00
Hanno Becker
a8814794e9 Don't call ssl_fetch_input for record content fetch in DTLS
As explained in the previous commit, if mbedtls_ssl_fetch_input()
is called multiple times, all but the first call are equivalent to
bounds checks in the incoming datagram.
2019-08-14 14:43:46 +01:00
Hanno Becker
59be60e98b Don't call ssl_fetch_input for record hdr size check in DTLS
In DTLS, if mbedtls_ssl_fetch_input() is called multiple times without
resetting the input buffer in between, the non-initial calls are functionally
equivalent to mere bounds checks ensuring that the incoming datagram is
large enough to hold the requested data. In the interest of code-size
and modularity (removing a call to a non-const function which is logically
const in this instance), this commit replaces such a call to
mbedtls_ssl_fetch_input() by an explicit bounds check in
ssl_parse_record_header().
2019-08-14 14:41:57 +01:00
Hanno Becker
e538d8287e Move size-check for DTLS record header with CID to DTLS-only branch 2019-08-14 14:41:37 +01:00
Hanno Becker
2fddd3765e Check same-port-reconnect from client outside of record hdr parsing
Previously, `ssl_handle_possible_reconnect()` was part of
`ssl_parse_record_header()`, which was required to return a non-zero error
code to indicate a record which should not be further processed because it
was invalid, unexpected, duplicate, .... In this case, some error codes
would lead to some actions to be taken, e.g. `MBEDTLS_ERR_SSL_EARLY_MESSAGE`
to potential buffering of the record, but eventually, the record would be
dropped regardless of the precise value of the error code. The error code
`MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED` returned from
`ssl_handle_possible_reconnect()` did not receive any special treatment and
lead to silent dopping of the record - in particular, it was never returned
to the user.

In the new logic this commit introduces, `ssl_handle_possible_reconnect()` is
part of `ssl_check_client_reconnect()` which is triggered _after_
`ssl_parse_record_header()` found an unexpected record, which is already in
the code-path eventually dropping the record; we want to leave this code-path
only if a valid cookie has been found and we want to reset, but do nothing
otherwise. That's why `ssl_handle_possible_reconnect()` now returns `0` unless
a valid cookie has been found or a fatal error occurred.
2019-08-14 14:41:06 +01:00
Hanno Becker
4894873b92 Remove redundant minimum length check
Availability of sufficient incoming data should be checked when
it is needed, which is in mbedtls_ssl_fetch_input(), and this
function has the necessary bounds checks in place.
2019-08-14 14:34:49 +01:00
Hanno Becker
20016654c3 Remove unnecessary backup of explicit IV in AEAD record decryption
There is no need to hold back the explicit IV for AEAD ciphers.
2019-08-14 14:34:26 +01:00
Hanno Becker
d96a652d80 Improve documentation of mbedtls_ssl_decrypt_buf() 2019-08-14 14:34:04 +01:00
Hanno Becker
c957e3b5f8 Remove redundant length check during record header parsing
The check is in terms of the internal input buffer length and is
hence likely to be originally intended to protect against overflow
of the input buffer when fetching data from the underlying
transport in mbedtls_ssl_fetch_input(). For locality of reasoning,
it's better to perform such a check close to where it's needed,
and in fact, mbedtls_ssl_fetch_input() _does_ contain an equivalent
bounds check, too, rendering the bounds check in question redundant.
2019-08-14 14:33:39 +01:00
Hanno Becker
e2b786d40f Remove misleading comment in mbedtls_ssl_decrypt_buf()
The comment doesn't seem to relate to the code that follows.
2019-08-14 14:33:09 +01:00
Hanno Becker
47ebaa2205 Remove assertion in mbedtls_ssl_decrypt_buf()
mbedtls_ssl_decrypt_buf() asserts that the passed transform is not NULL,
but the function is only invoked in a single place, and this invocation
is clearly visible to be within a branch ensuring that the incoming
transform isn't NULL. Remove the assertion for the benefit of code-size.
2019-08-14 14:32:39 +01:00
Hanno Becker
d96e10bf23 Check architectural bound for max record payload len in one place
The previous code performed architectural maximum record length checks
both before and after record decryption. Since MBEDTLS_SSL_IN_CONTENT_LEN
bounds the maximum length of the record plaintext, it suffices to check
only once after (potential) decryption.

This must not be confused with the internal check that the record
length is small enough to make the record fit into the internal input
buffer; this is done in mbedtls_ssl_fetch_input().
2019-08-14 14:31:58 +01:00
Hanno Becker
3be264e2c3 Remove redundant length-0 checks for incoming unprotected records 2019-08-14 14:30:51 +01:00
Hanno Becker
7132c4a6c8 Update version_features.c 2019-08-06 11:25:45 +03:00
Hanno Becker
cfe457921a Introduce configuration option and API for SSL record checking 2019-08-06 10:09:08 +03:00
Gilles Peskine
41f2de9da2
Merge pull request #638 from ARMmbed/development-proposed
Merge development into development-restricted
2019-08-05 11:06:20 +02:00
Gilles Peskine
01655daeee
Merge pull request #2417 from RonEld/2734
Update soon to be expired crl
2019-08-03 13:38:14 +02:00
Hanno Becker
59c92ed89b ECP restart: Don't calculate address of sub ctx if ctx is NULL
All modules using restartable ECC operations support passing `NULL`
as the restart context as a means to not use the feature.

The restart contexts for ECDSA and ECP are nested, and when calling
restartable ECP operations from restartable ECDSA operations, the
address of the ECP restart context to use is calculated by adding
the to the address of the ECDSA restart context the offset the of
the ECP restart context.

If the ECP restart context happens to not reside at offset `0`, this
leads to a non-`NULL` pointer being passed to restartable ECP
operations from restartable ECDSA-operations; those ECP operations
will hence assume that the pointer points to a valid ECP restart
address and likely run into a segmentation fault when trying to
dereference the non-NULL but close-to-NULL address.

The problem doesn't arise currently because luckily the ECP restart
context has offset 0 within the ECDSA restart context, but we should
not rely on it.

This commit fixes the passage from restartable ECDSA to restartable ECP
operations by propagating NULL as the restart context pointer.

Apart from being fragile, the previous version could also lead to
NULL pointer dereference failures in ASanDbg builds which dereferenced
the ECDSA restart context even though it's not needed to calculate the
address of the offset'ed ECP restart context.

dummy
2019-07-19 13:03:10 +01:00
Ron Eldor
991a05b411 Add support for all SHA modes in cert_write
Add support for `MBEDTLS_SHA_224` and `MBEDTLS_SHA_384` in
`cert_write`, to support generating such certificates in
`tests/data_files/Makefile`.
2019-07-14 09:17:57 +03:00
Ashley Duncan
eb33978fa8 Remove use of CMAKE_SOURCE_DIR
Remove use of CMAKE_SOURCE_DIR in case mbedtls is built from within
another CMake project. Define MBEDTLS_DIR to ${CMAKE_CURRENT_SOURCE_DIR}
in the main CMakeLists.txt file and refer to that when defining target
include paths to enable mbedtls to be built as a sub project.

Fixes #2609

Signed-off-by: Ashley Duncan <ashes.man@gmail.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2019-07-12 10:39:21 +01:00
Ron Eldor
9eeb8611b1 Update certificates to expire in 2029
Update certificates that expire on 2021, to prolong their validity,
to make tests pass three years ahead.
2019-07-10 16:46:34 +03:00
Jaeden Amero
c510b1ab29 Merge remote-tracking branch 'origin/development' into development-restricted
* origin/development: (33 commits)
  Test with MBEDTLS_ECP_RESTARTABLE
  Allow TODO in code
  Use the docstring in the command line help
  Split _abi_compliance_command into smaller functions
  Record the commits that were compared
  Document how to build the typical argument for -s
  Allow running /somewhere/else/path/to/abi_check.py
  Warn if VLAs are used
  Remove redundant compiler flag
  Consistently spell -Wextra
  Update Mbed Crypto to contain mbed-crypto#152
  Improve compatibility with firewalled networks
  Dockerfile: apt -> apt-get
  Change Docker container to bionic
  Clean up file prologue comments
  Add docker-based test scripts
  ChangeLog: Add ChangeLog entry for #2681
  Allow declarations after statements
  CMake: Add a subdirectory build regression test
  README: Enable builds as a CMake subproject
  ...
2019-07-10 08:46:54 +01:00
Jaeden Amero
01604a334a Merge remote-tracking branch 'origin/pr/2726' into development
* origin/pr/2726:
  Warn if VLAs are used
  Remove redundant compiler flag
  Consistently spell -Wextra
  Allow declarations after statements
2019-07-10 07:55:25 +01:00
Jaeden Amero
150d7749ea Merge remote-tracking branch 'origin/pr/2719' into development
* origin/pr/2719:
  Deref pointer when using sizeof in x509_get_other_name
2019-07-10 07:55:09 +01:00
Jaeden Amero
0b8b5e3393 Merge remote-tracking branch 'origin/pr/2706' into development
* origin/pr/2706:
  Update Mbed Crypto to contain mbed-crypto#152
  CMake: Add a subdirectory build regression test
  README: Enable builds as a CMake subproject
  ChangeLog: Enable builds as a CMake subproject
  Remove use of CMAKE_SOURCE_DIR
2019-07-10 07:54:49 +01:00
Jaeden Amero
6d77d20f3a Merge remote-tracking branch 'origin/pr/2632' into development
* origin/pr/2632:
  Adapt ChangeLog
  Avoid use of large stack buffers in mbedtls_x509_write_crt_pem()
  Improve documentation of mbedtls_pem_write_buffer()
  Perform CRT writing in-place on the output buffer
  Adapt x509write_crt.c to coding style
2019-07-10 07:54:37 +01:00
Gilles Peskine
85aba47715 Consistently spell -Wextra
-W is a deprecated alias of -Wextra. Consistently use the new name.
2019-07-02 20:05:16 +02:00
Gilles Peskine
c2d56a4446 Allow declarations after statements
We officially allow C99, so don't forbid this C99 feature.
2019-06-25 18:52:06 +02:00
Ashley Duncan
3278081428 Remove use of CMAKE_SOURCE_DIR
Remove use of CMAKE_SOURCE_DIR in case mbedtls is built from within
another CMake project. Define MBEDTLS_DIR to ${CMAKE_CURRENT_SOURCE_DIR}
in the main CMakeLists.txt file and refer to that when defining target
include paths to enable mbedtls to be built as a sub project.

Fixes #2609

Signed-off-by: Ashley Duncan <ashes.man@gmail.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2019-06-25 13:33:51 +01:00
Sébastien Duquette
661d725044 Deref pointer when using sizeof in x509_get_other_name
Fix for #2716.
2019-06-24 09:17:18 -04:00
Jaeden Amero
bd3a7464b7 Merge remote-tracking branch 'restricted/pr/573' into development-restricted
* restricted/pr/573:
  Remove redundant config.pl call
  Add a test for signing content with a long ECDSA key
  Add documentation notes about the required size of the signature buffers
  Add missing MBEDTLS_ECP_C dependencies in check_config.h
  Change size of preallocated buffer for pk_sign() calls
2019-06-24 11:40:33 +01:00
Jaeden Amero
66b7edb108 Merge remote-tracking branch 'origin/pr/2711' into development
* origin/pr/2711:
  programs: Make `make clean` clean all programs always
  ssl_tls: Enable Suite B with subset of ECP curves
  windows: Fix Release x64 configuration
  platform: Include stdarg.h where needed
  timing: Remove redundant include file
  net_sockets: Fix typo in net_would_block()
2019-06-21 14:09:10 +01:00
Jaeden Amero
fd0f65459c Merge remote-tracking branch 'origin/pr/2697' into development
* origin/pr/2697:
  Update crypto submodule
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
  Don't systematically rebuild programs
2019-06-21 13:21:05 +01:00
Jaeden Amero
e2d5b9e5cc Merge remote-tracking branch 'origin/pr/2690' into development
* origin/pr/2690:
  Making version features easily ROM-able when using Arm C compiler.
2019-06-21 13:20:22 +01:00
Jaeden Amero
d431104926 ssl_tls: Enable Suite B with subset of ECP curves
Make sure the code compiles even if some curves are not defined.

Fixes #1591
2019-06-20 10:59:05 +01:00
Jaeden Amero
a180926556 timing: Remove redundant include file
There is no need to include winbase.h, as it will be pulled in by
windows.h as needed.

Fixes #2640
2019-06-20 10:51:21 +01:00
Jaeden Amero
a152e42e9b net_sockets: Fix typo in net_would_block()
Fixes #528
2019-06-20 10:48:11 +01:00
Jaeden Amero
7af080a9f9 Merge remote-tracking branch 'origin/pr/2442' into development
* origin/pr/2442:
  Correct placement of ChangeLog entry
  Improve documentation of mbedtls_x509_get_ext()
  Adapt ChangeLog
  Always return a high-level error code from X.509 module
  Obey bounds of ASN.1 substructures
2019-06-14 15:27:42 +01:00
Jaeden Amero
e1b02df515 Merge remote-tracking branch 'origin/pr/2260' into development
* origin/pr/2260:
  Update crypto submodule
  Remove heading spaces in tests/data_files/Makefile
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
2019-06-14 08:46:48 +01:00
Gilles Peskine
c7ad122f51 Make it easier to define MBEDTLS_PARAM_FAILED as assert
Introduce a new configuration option MBEDTLS_CHECK_PARAMS_ASSERT,
which is disabled by default. When this option is enabled,
MBEDTLS_PARAM_FAILED defaults to assert rather than to a call to
mbedtls_param_failed, and <assert.h> is included.

This fixes #2671 (no easy way to make MBEDTLS_PARAM_FAILED assert)
without breaking backward compatibility. With this change,
`config.pl full` runs tests with MBEDTLS_PARAM_FAILED set to assert,
so the tests will fail if a validation check fails, and programs don't
need to provide their own definition of mbedtls_param_failed().
2019-06-13 16:51:59 +02:00
Máté Varga
c5de4623e8 Making version features easily ROM-able when using Arm C compiler. 2019-06-12 12:26:37 +02:00
Jaeden Amero
b1c72f56b1 Update library version to 2.18.0
Increase the SO versions of libmbedx509 and libmbedtls due to the
addition of fields in publicly visible (non-opaque) structs:
  - mbedtls_ssl_config
  - mbedtls_ssl_context
  - mbedtls_x509_crt
2019-06-11 17:19:35 +01:00
k-stachowiak
c4638cc640 Change size of preallocated buffer for pk_sign() calls 2019-06-06 13:20:48 +02:00
Jaeden Amero
2de07f1dd1 ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not
MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and
build_transforms() will attempt to use a non-existent `encrypt_then_mac`
field in the ssl_transform.

    Compile [ 93.7%]: ssl_tls.c
    [Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha
s no member named 'encrypt_then_mac'
    [ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys'
:
    ./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str
uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac'
         transform->encrypt_then_mac = session->encrypt_then_mac;
                  ^~

Change mbedtls_ssl_derive_keys() and build_transforms() to only access
`encrypt_then_mac` if `encrypt_then_mac` is actually present.

Add a regression test to detect when we have regressions with
configurations that do not include any MAC ciphersuites.

Fixes d56ed2491b ("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
2019-06-05 14:09:29 +01:00
Hanno Becker
3cddba887a Improve documentation of mbedtls_x509_get_ext()
- Explain the use of explicit ASN.1 tagging for the extensions structuree
- Remove misleading comment which suggests that mbedtls_x509_get_ext()
  also parsed the header of the first extension, which is not the case.
2019-06-04 13:59:55 +01:00
Hanno Becker
6ccfb18ab1 Always return a high-level error code from X.509 module
Some functions within the X.509 module return an ASN.1 low level
error code where instead this error code should be wrapped by a
high-level X.509 error code as in the bulk of the module.

Specifically, the following functions are affected:
- mbedtls_x509_get_ext()
- x509_get_version()
- x509_get_uid()

This commit modifies these functions to always return an
X.509 high level error code.

Care has to be taken when adapting `mbetls_x509_get_ext()`:
Currently, the callers `mbedtls_x509_crt_ext()` treat the
return code `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` specially to
gracefully detect and continue if the extension structure is not
present. Wrapping the ASN.1 error with
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and adapting the check
accordingly would mean that an unexpected tag somewhere
down the extension parsing would be ignored by the caller.

The way out of this is the following: Luckily, the extension
structure is always the last field in the surrounding structure,
so if there is some data remaining, it must be an Extension
structure, so we don't need to deal with a tag mismatch gracefully
in the first place.

We may therefore wrap the return code from the initial call to
`mbedtls_asn1_get_tag()` in `mbedtls_x509_get_ext()` by
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and simply remove
the special treatment of `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`
in the callers `x509_crl_get_ext()` and `x509_crt_get_ext()`.

This renders `mbedtls_x509_get_ext()` unsuitable if it ever
happened that an Extension structure is optional and does not
occur at the end of its surrounding structure, but for CRTs
and CRLs, it's fine.

The following tests need to be adapted:
- "TBSCertificate v3, issuerID wrong tag"
  The issuerID is optional, so if we look for its presence
  but find a different tag, we silently continue and try
  parsing the subjectID, and then the extensions. The tag '00'
  used in this test doesn't match either of these, and the
  previous code would hence return LENGTH_MISMATCH after
  unsucessfully trying issuerID, subjectID and Extensions.
  With the new code, any data remaining after issuerID and
  subjectID _must_ be Extension data, so we fail with
  UNEXPECTED_TAG when trying to parse the Extension data.
- "TBSCertificate v3, UIDs, invalid length"
  The test hardcodes the expectation of
  MBEDTLS_ERR_ASN1_INVALID_LENGTH, which needs to be
  wrapped in MBEDTLS_ERR_X509_INVALID_FORMAT now.

Fixes #2431.
2019-06-04 13:59:48 +01:00
Hanno Becker
12f62fb82c Obey bounds of ASN.1 substructures
When parsing a substructure of an ASN.1 structure, no field within
the substructure must exceed the bounds of the substructure.
Concretely, the `end` pointer passed to the ASN.1 parsing routines
must be updated to point to the end of the substructure while parsing
the latter.

This was previously not the case for the routines
- x509_get_attr_type_and_value(),
- mbedtls_x509_get_crt_ext(),
- mbedtls_x509_get_crl_ext().
These functions kept using the end of the parent structure as the
`end` pointer and would hence allow substructure fields to cross
the substructure boundary. This could lead to successful parsing
of ill-formed X.509 CRTs.

This commit fixes this.

Care has to be taken when adapting `mbedtls_x509_get_crt_ext()`
and `mbedtls_x509_get_crl_ext()`, as the underlying function
`mbedtls_x509_get_ext()` returns `0` if no extensions are present
but doesn't set the variable which holds the bounds of the Extensions
structure in case the latter is present. This commit addresses
this by returning early from `mbedtls_x509_get_crt_ext()` and
`mbedtls_x509_get_crl_ext()` if parsing has reached the end of
the input buffer.

The following X.509 parsing tests need to be adapted:
- "TBSCertificate, issuer two inner set datas"
  This test exercises the X.509 CRT parser with a Subject name
  which has two empty `AttributeTypeAndValue` structures.
  This is supposed to fail with `MBEDTLS_ERR_ASN1_OUT_OF_DATA`
  because the parser should attempt to parse the first structure
  and fail because of a lack of data. Previously, it failed to
  obey the (0-length) bounds of the first AttributeTypeAndValue
  structure and would try to interpret the beginning of the second
  AttributeTypeAndValue structure as the first field of the first
  AttributeTypeAndValue structure, returning an UNEXPECTED_TAG error.
- "TBSCertificate, issuer, no full following string"
  This test exercises the parser's behaviour on an AttributeTypeAndValue
  structure which contains more data than expected; it should therefore
  fail with MBEDTLS_ERR_ASN1_LENGTH_MISMATCH. Because of the missing bounds
  check, it previously failed with UNEXPECTED_TAG because it interpreted
  the remaining byte in the first AttributeTypeAndValue structure as the
  first byte in the second AttributeTypeAndValue structure.
- "SubjectAltName repeated"
  This test should exercise two SubjectAltNames extensions in succession,
  but a wrong length values makes the second SubjectAltNames extension appear
  outside of the Extensions structure. With the new bounds in place, this
  therefore fails with a LENGTH_MISMATCH error. This commit adapts the test
  data to put the 2nd SubjectAltNames extension inside the Extensions
  structure, too.
2019-06-04 10:15:09 +01:00
Hanno Becker
ff552f7d56 Re-generate library/certs.c from script 2019-06-03 17:46:56 +01:00
Hanno Becker
92b4f8131c Use strict syntax to annotate origin of test data in certs.c
This allows to auto-generate them from scripts.
2019-06-03 17:46:56 +01:00
Hanno Becker
3217c8d7e8 Allow DHM self test to run without MBEDTLS_PEM_PARSE_C 2019-06-03 17:46:56 +01:00
Hanno Becker
960e588278 Document origin of hardcoded certificates in library/certs.c
All of them are copied from (former) CRT and key files in `tests/data_files`.
For files which have been regenerated since they've been copied to `certs.c`,
update the copy.

Add declarations for DER encoded test CRTs to certs.h

Add DER encoded versions of CRTs to certs.c

fix comment in certs.c

Don't use (signed) char for DER encoded certificates

Consistently use `const char *` for test CRTs regardless of encoding

Remove non-sensical and unused PW variable for DER encoded key

Provide test CRTs in PEM and DER fmt, + pick suitable per config

This commit modifies `certs.h` and `certs.c` to start following the
following pattern for the provided test certificates and files:

- Raw test data is named `NAME_ATTR1_ATTR2_..._ATTRn`

  For example, there are
     `TEST_CA_CRT_{RSA|EC}_{PEM|DER}_{SHA1|SHA256}`.

- Derived test data with fewer attributes, iteratively defined as one
  of the raw test data instances which suits the current configuration.

  For example,
     `TEST_CA_CRT_RSA_PEM`
  is one of `TEST_CA_CRT_RSA_PEM_SHA1` or `TEST_CA_CRT_RSA_PEM_SHA256`,
  depending on whether SHA-1 and/or SHA-256 are defined in the current
  config.

Add missing public declaration of test key password

Fix signedness and naming mismatches

Further improve structure of certs.h and certs.c

Fix definition of mbedtls_test_cas test CRTs depending on config

Remove semicolon after macro string constant in certs.c
2019-06-03 17:46:56 +01:00
Hanno Becker
e8d6afd627 Add debug line witnessing receipt of unexpected CID 2019-06-03 16:07:50 +01:00
Hanno Becker
92d30f5bcf Fix indentation in debug message in ssl_tls.c 2019-06-03 16:07:50 +01:00
Hanno Becker
8e55b0f852 Improve comment in ssl_parse_record_header() 2019-06-03 16:07:50 +01:00
Hanno Becker
615ef17b67 Allow passing NULL pointers to mbedtls_ssl_get_peer_cid()
This commit modifies mbedtls_ssl_get_peer_cid() to also allow passing
NULL pointers in the arguments for the peer's CID value and length, in
case this information is needed.

For example, some users might only be interested in whether the use of
the CID was negotiated, in which case both CID value and length pointers
can be set to NULL. Other users might only be interested in confirming
that the use of CID was negotiated and the peer chose the empty CID,
in which case the CID value pointer only would be set to NULL.
It doesn't make sense to pass a NULL pointer for the CID length but a
non-NULL pointer for the CID value, as the caller has no way of telling
the length of the returned CID - and this case is therefore forbidden.
2019-06-03 16:07:50 +01:00
Hanno Becker
a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker
ebcc9137ca Consistently reference CID draft through name + URL 2019-06-03 16:07:50 +01:00
Hanno Becker
d1f203557f Slightly reorder CID debug messages during creation of transforms 2019-06-03 16:07:50 +01:00
Hanno Becker
4cac442211 Update references to CID draft to version 5 2019-06-03 16:07:50 +01:00
Hanno Becker
611ac77127 Fix mbedtls_ssl_conf_cid() to not depend on macro constant values
The previous implementation of mbedtls_ssl_conf_cid() relied on
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE being defined as 1.
2019-06-03 16:07:50 +01:00
Hanno Becker
5d12467fad Remove warnings about unfinished CID implementation
The implementation is complete now.
2019-06-03 16:07:50 +01:00
Hanno Becker
8367ccc03b Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow the configuration of the stack's behaviour when receiving an
encrypted DTLS record with unexpected CID.
2019-06-03 16:07:50 +01:00
Hanno Becker
c37c96a3c5 Add specific SSL error code for unexpected CIDs
Currently, the stack silently ignores DTLS frames with an unexpected CID.
However, in a system which performs CID-based demultiplexing before passing
datagrams to the Mbed TLS stack, unexpected CIDs are a sign of something not
working properly, and users might want to know about it.

This commit introduces an SSL error code MBEDTLS_ERR_SSL_UNEXPECTED_CID
which the stack can return in response to an unexpected CID. It will
conditionally be put to use in subsequent commits.
2019-06-03 16:07:50 +01:00
Hanno Becker
b9ec44fcf6 Remove restriction on value of MBEDTLS_SSL_CID_PADDING_GRANULARITY 2019-06-03 16:07:50 +01:00
Hanno Becker
2cdc5c3cf9 Make signed to unsigned integer truncation cast explicit 2019-06-03 16:07:50 +01:00
Hanno Becker
b1aa1b3616 Allow the configuration of padding when using CID extension 2019-06-03 16:07:50 +01:00
Hanno Becker
4c3eb7c919 Set CID pointer to default value even for TLS
There are two options:
1. Don't set it, and don't use it during record protection,
   guarding the respective paths by a check whether TLS or
   DTLS is used.
2. Set it to the default value even for TLS, and avoid the
   protocol-dependent branch during record protection.

This commit picks option 2.
2019-06-03 16:07:50 +01:00
Hanno Becker
4a4af9fcbe Fix typo in comment 2019-06-03 16:07:50 +01:00
Hanno Becker
22a59fdca8 Remove indicators and warnings about unfinished CID implementation 2019-06-03 16:07:50 +01:00
Hanno Becker
05154c3897 Re-enable passing CIDs to record transforms 2019-06-03 16:07:50 +01:00
Hanno Becker
16ded98bef Don't fail on record with unexpected CID
This commit changes the stack's behaviour when facing a record
with a non-matching CID. Previously, the stack failed in this
case, while now we silently skip over the current record.
2019-06-03 16:07:50 +01:00
Hanno Becker
938489a1bc Re-enable CID comparison when decrypting CID-based records 2019-06-03 16:07:50 +01:00
Hanno Becker
ca59c2b486 Implement parsing of CID-based records
Previously, ssl_get_next_record() would fetch 13 Bytes for the
record header and hand over to ssl_parse_record_header() to parse
and validate these. With the introduction of CID-based records, the
record length is not known in advance, and parsing and validating
must happen at the same time. ssl_parse_record_header() is therefore
rewritten in the following way:
1. Fetch and validate record content type and version.
2. If the record content type indicates a record including a CID,
   adjust the record header pointers accordingly; here, we use the
   statically configured length of incoming CIDs, avoiding any
   elaborate CID parsing mechanism or dependency on the record
   epoch, as explained in the previous commit.
3. Fetch the rest of the record header (note: this doesn't actually
   fetch anything, but makes sure that the datagram fetched in the
   earlier call to ssl_fetch_input() contains enough data).
4. Parse and validate the rest of the record header as before.
2019-06-03 16:07:50 +01:00
Hanno Becker
6430faf098 Adapt record encryption/decryption routines to change of record type
This commit modifies the code surrounding the invocations of
ssl_decrypt_buf() and ssl_encrypt_buf() to deal with a change
of record content type during CID-based record encryption/decryption.
2019-06-03 16:07:50 +01:00
Hanno Becker
f9c6a4bea1 Add pointers to in/out CID fields to mbedtls_ssl_context
mbedtls_ssl_context contains pointers in_buf, in_hdr, in_len, ...
which point to various parts of the header of an incoming TLS or
DTLS record; similarly, there are pointers out_buf, ... for
outgoing records.

This commit adds fields in_cid and out_cid which point to where
the CID of incoming/outgoing records should reside, if present,
namely prior to where the record length resides.

Quoting https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:

   The DTLSInnerPlaintext value is then encrypted and the CID added to
   produce the final DTLSCiphertext.

        struct {
            ContentType special_type = tls12_cid; /* 25 */
            ProtocolVersion version;
            uint16 epoch;
            uint48 sequence_number;
            opaque cid[cid_length];               // New field
            uint16 length;
            opaque enc_content[DTLSCiphertext.length];
        } DTLSCiphertext;

For outgoing records, out_cid is set in ssl_update_out_pointers()
based on the settings in the current outgoing transform.

For incoming records, ssl_update_in_pointers() sets in_cid as if no
CID was present, and it is the responsibility of ssl_parse_record_header()
to update the field (as well as in_len, in_msg and in_iv) when parsing
records that do contain a CID. This will be done in a subsequent commit.

Finally, the code around the invocations of ssl_decrypt_buf()
and ssl_encrypt_buf() is adapted to transfer the CID from the
input/output buffer to the CID field in the internal record
structure (which is what ssl_{encrypt/decrypt}_buf() uses).

Note that mbedtls_ssl_in_hdr_len() doesn't need change because
it infers the header length as in_iv - in_hdr, which will account
for the CID for records using such.
2019-06-03 16:07:50 +01:00
Hanno Becker
6cbad5560d Account for additional record expansion when using CIDs
Using the Connection ID extension increases the maximum record expansion
because
- the real record content type is added to the plaintext
- the plaintext may be padded with an arbitrary number of
  zero bytes, in order to prevent leakage of information
  through package length analysis. Currently, we always
  pad the plaintext in a minimal way so that its length
  is a multiple of 16 Bytes.

This commit adapts the various parts of the library to account
for that additional source of record expansion.
2019-06-03 16:07:50 +01:00
Hanno Becker
ad4a137965 Add CID configuration API
Context:
The CID draft does not require that the length of CIDs used for incoming
records must not change in the course of a connection. Since the record
header does not contain a length field for the CID, this means that if
CIDs of varying lengths are used, the CID length must be inferred from
other aspects of the record header (such as the epoch) and/or by means
outside of the protocol, e.g. by coding its length in the CID itself.

Inferring the CID length from the record's epoch is theoretically possible
in DTLS 1.2, but it requires the information about the epoch to be present
even if the epoch is no longer used: That's because one should silently drop
records from old epochs, but not the entire datagrams to which they belong
(there might be entire flights in a single datagram, including a change of
epoch); however, in order to do so, one needs to parse the record's content
length, the position of which is only known once the CID length for the epoch
is known. In conclusion, it puts a significant burden on the implementation
to infer the CID length from the record epoch, which moreover mangles record
processing with the high-level logic of the protocol (determining which epochs
are in use in which flights, when they are changed, etc. -- this would normally
determine when we drop epochs).

Moreover, with DTLS 1.3, CIDs are no longer uniquely associated to epochs,
but every epoch may use a set of CIDs of varying lengths -- in that case,
it's even theoretically impossible to do record header parsing based on
the epoch configuration only.

We must therefore seek a way for standalone record header parsing, which
means that we must either (a) fix the CID lengths for incoming records,
or (b) allow the application-code to configure a callback to implement
an application-specific CID parsing which would somehow infer the length
of the CID from the CID itself.

Supporting multiple lengths for incoming CIDs significantly increases
complexity while, on the other hand, the restriction to a fixed CID length
for incoming CIDs (which the application controls - in contrast to the
lengths of the CIDs used when writing messages to the peer) doesn't
appear to severely limit the usefulness of the CID extension.

Therefore, the initial implementation of the CID feature will require
a fixed length for incoming CIDs, which is what this commit enforces,
in the following way:

In order to avoid a change of API in case support for variable lengths
CIDs shall be added at some point, we keep mbedtls_ssl_set_cid(), which
includes a CID length parameter, but add a new API mbedtls_ssl_conf_cid_len()
which applies to an SSL configuration, and which fixes the CID length that
any call to mbetls_ssl_set_cid() which applies to an SSL context that is bound
to the given SSL configuration must use.

While this creates a slight redundancy of parameters, it allows to
potentially add an API like mbedtls_ssl_conf_cid_len_cb() later which
could allow users to register a callback which dynamically infers the
length of a CID at record header parsing time, without changing the
rest of the API.
2019-06-03 16:07:50 +01:00
Hanno Becker
5903de45b6 Split mbedtls_ssl_hdr_len() in separate functions for in/out records
The function mbedtls_ssl_hdr_len() returns the length of the record
header (so far: always 13 Bytes for DTLS, and always 5 Bytes for TLS).

With the introduction of the CID extension, the lengths of record
headers depends on whether the records are incoming or outgoing,
and also on the current transform.

Preparing for this, this commit splits mbedtls_ssl_hdr_len() in two
-- so far unmodified -- functions mbedtls_ssl_in_hdr_len() and
mbedtls_ssl_out_hdr_len() and replaces the uses of mbedtls_ssl_hdr_len()
according to whether they are about incoming or outgoing records.

There is no need to change the signature of mbedtls_ssl_{in/out}_hdr_len()
in preparation for its dependency on the currently active transform,
since the SSL context is passed as an argument, and the currently
active transform is referenced from that.
2019-06-03 16:07:50 +01:00
Hanno Becker
f661c9c39c Add helper function to check validity of record content type
With the introduction of the CID feature, the stack needs to be able
to handle a change of record content type during record protection,
which in particular means that the record content type check will
need to move or be duplicated.

This commit introduces a tiny static helper function which checks
the validity of record content types, which hopefully makes it
easier to subsequently move or duplicate this check.
2019-06-03 16:07:50 +01:00
Hanno Becker
37ae952923 Move dropping of unexpected AD records to after record decryption
With the introduction of the CID extension, the record content type
may change during decryption; we must therefore re-consider every
record content type check that happens before decryption, and either
move or duplicate it to ensure it also applies to records whose
real content type is only revealed during decryption.

This commit does this for the silent dropping of unexpected
ApplicationData records in DTLS. Previously, this was caught
in ssl_parse_record_header(), returning
MBEDTLS_ERR_SSL_UNEXPECTED_RECORD which in ssl_get_next_record()
would lead to silent skipping of the record.

When using CID, this check wouldn't trigger e.g. when delayed
encrypted ApplicationData records come on a CID-based connection
during a renegotiation.

This commit moves the check to mbedtls_ssl_handle_message_type()
and returns MBEDTLS_ERR_SSL_NON_FATAL if it triggers, which leads
so silent skipover in the caller mbedtls_ssl_read_record().
2019-06-03 16:07:50 +01:00
Hanno Becker
79594fd0d4 Set pointer to start of plaintext at record decryption time
The SSL context structure mbedtls_ssl_context contains several pointers
ssl->in_hdr, ssl->in_len, ssl->in_iv, ssl->in_msg pointing to various
parts of the record header in an incoming record, and they are setup
in the static function ssl_update_in_pointers() based on the _expected_
transform for the next incoming record.
In particular, the pointer ssl->in_msg is set to where the record plaintext
should reside after record decryption, and an assertion double-checks this
after each call to ssl_decrypt_buf().

This commit removes the dependency of ssl_update_in_pointers() on the
expected incoming transform by setting ssl->in_msg to ssl->in_iv --
the beginning of the record content (potentially including the IV) --
and adjusting ssl->in_msg after calling ssl_decrypt_buf() on a protected
record.

Care has to be taken to not load ssl->in_msg before calling
mbedtls_ssl_read_record(), then, which was previously the
case in ssl_parse_server_hello(); the commit fixes that.
2019-06-03 16:07:50 +01:00
Hanno Becker
82e2a3961c Treat an invalid record after decryption as fatal
If a record exhibits an invalid feature only after successful
authenticated decryption, this is a protocol violation by the
peer and should hence lead to connection failure. The previous
code, however, would silently ignore such records. This commit
fixes this.

So far, the only case to which this applies is the non-acceptance
of empty non-AD records in TLS 1.2. With the present commit, such
records lead to connection failure, while previously, they were
silently ignored.

With the introduction of the Connection ID extension (or TLS 1.3),
this will also apply to records whose real content type -- which
is only revealed during authenticated decryption -- is invalid.
2019-06-03 16:07:50 +01:00
Hanno Becker
6e7700df17 Expain rationale for handling of consecutive empty AD records 2019-06-03 16:07:50 +01:00
Hanno Becker
76a79ab4a2 Don't allow calling CID API outside of DTLS 2019-06-03 16:07:50 +01:00
Hanno Becker
95e4bbcf6c Fix additional data calculation if CID is disabled
In contrast to other aspects of the Connection ID extension,
the CID-based additional data for MAC computations differs from
the non-CID case even if the CID length is 0, because it
includes the CID length.
2019-06-03 14:47:36 +01:00
Hanno Becker
af05ac067b Remove unnecessary empty line in ssl_tls.c 2019-06-03 14:47:36 +01:00
Hanno Becker
07dc97db8c Don't quote DTLSInnerPlaintext structure multiple times 2019-06-03 14:47:36 +01:00
Hanno Becker
d3f8c79ea0 Improve wording in ssl_build_inner_plaintext() 2019-06-03 14:47:36 +01:00
Hanno Becker
edb24f8eec Remove unnecessary whitespace in ssl_extract_add_data_from_record() 2019-06-03 14:47:36 +01:00
Hanno Becker
92fb4fa802 Reduce stack usage for additional data buffers in record dec/enc 2019-06-03 14:47:36 +01:00
Hanno Becker
c4a190bb0f Add length of CID to additional data used for record protection
Quoting the CID draft 04:

   -  Block Ciphers:

       MAC(MAC_write_key, seq_num +
           tls12_cid +                     // New input
           DTLSPlaintext.version +
           cid +                           // New input
           cid_length +                    // New input
           length_of_DTLSInnerPlaintext +  // New input
           DTLSInnerPlaintext.content +    // New input
           DTLSInnerPlaintext.real_type +  // New input
           DTLSInnerPlaintext.zeros        // New input
       )

And similar for AEAD and Encrypt-then-MAC.
2019-06-03 14:47:36 +01:00
Hanno Becker
d5aeab1e8a Improve documentation of ssl_extract_add_data_from_record() 2019-06-03 14:47:36 +01:00
Hanno Becker
43c24b8da9 Fix missing compile-time guards around CID-only constants 2019-06-03 14:47:36 +01:00
Hanno Becker
f44e55de5e Remove TODO 2019-06-03 14:47:36 +01:00
Hanno Becker
75f080f4b6 Use MBEDTLS_ namespace for internal CID length constant 2019-06-03 14:47:36 +01:00
Hanno Becker
8a7f972202 Skip copying CIDs to SSL transforms until CID feature is complete
This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
2019-06-03 14:47:36 +01:00
Hanno Becker
8b3eb5ab82 Implement inner plaintext parsing/writing for CID-based connections 2019-06-03 14:47:36 +01:00
Hanno Becker
cab87e68b6 Incorporate CID into MAC computations during record protection
This commit modifies ssl_decrypt_buf() and ssl_encrypt_buf()
to include the CID into authentication data during record
protection.

It does not yet implement the new DTLSInnerPlaintext format
from https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04
2019-06-03 14:47:36 +01:00
Hanno Becker
1c1f046804 Replace 'ingoing' -> 'incoming' in CID debug messages 2019-06-03 14:43:16 +01:00
Hanno Becker
c5f2422116 Document behaviour of mbedtls_ssl_get_peer_cid() for empty CIDs 2019-06-03 14:43:16 +01:00
Hanno Becker
5a29990367 Improve structure of client-side CID extension parsing
Group configuring CID values together.
2019-06-03 14:43:16 +01:00
Hanno Becker
2262648b69 Improve debugging output of client-side CID extension parsing 2019-06-03 14:43:16 +01:00
Hanno Becker
08556bf8fb Improve structure of ssl_parse_cid_ext()
Group configuring CID values together.
2019-06-03 14:43:16 +01:00
Hanno Becker
a34ff5b9a2 Correct compile-time guard around CID extension writing func on srv 2019-06-03 14:43:16 +01:00
Hanno Becker
b7ee0cf3f9 Make integer truncation explicit in mbedtls_ssl_set_cid() 2019-06-03 14:43:16 +01:00
Hanno Becker
b1f89cd602 Implement mbedtls_ssl_get_peer_cid() 2019-06-03 14:43:16 +01:00
Hanno Becker
4bf7465840 Copy CIDs into SSL transform if use of CID has been negotiated 2019-06-03 14:43:16 +01:00
Hanno Becker
a8373a11c0 Implement parsing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
51de2d3f69 Implement writing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
89dcc881d4 Implement parsing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Hanno Becker
49770ffd93 Implement writing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Hanno Becker
ca092246a7 Allow configuring own CID fields through mbedtls_ssl_get_peer_cid() 2019-06-03 14:43:16 +01:00
Hanno Becker
35c36a6760 Guard CID implementations by MBEDTLS_SSL_CID 2019-06-03 14:42:08 +01:00
Hanno Becker
f1f9a82320 Add warnings about status of implementation of CID API 2019-06-03 14:42:08 +01:00
Hanno Becker
f8542cf620 Add dummy implementations for CID API 2019-06-03 14:42:08 +01:00
Hanno Becker
f8c10269d1 Update version_features.c 2019-06-03 14:42:08 +01:00
Jaeden Amero
2ab5cf658f Merge remote-tracking branch 'origin/pr/2403' into development
* origin/pr/2403: (24 commits)
  crypto: Update to Mbed Crypto 8907b019e7
  Create seedfile before running tests
  crypto: Update to Mbed Crypto 81f9539037
  ssl_cli.c : add explicit casting to unsigned char
  Generating visualc files - let Mbed TLS take precedence over crypto
  Add a link to the seedfile for out-of-tree cmake builds
  Adjust visual studio file generation to always use the crypto submodule
  all.sh: unparallelize mingw tests
  all.sh - disable parallelization for shared target tests
  config.pl: disable PSA_ITS_FILE and PSA_CRYPTO_STORAGE for baremetal
  all.sh: unset crypto storage define in a psa full config cmake asan test
  all.sh: unset FS_IO-dependent defines for tests that do not have it
  curves.pl - change test script to not depend on the implementation
  Export the submodule flag to sub-cmakes
  Disable MBEDTLS_ECP_RESTARTABLE in full config
  Export the submodule flag to sub-makes
  Force the usage of crypto submodule
  Fix crypto submodule usage in Makefile
  Documentation rewording
  Typo fixes in documentation
  ...
2019-05-23 09:08:55 +01:00
Andrzej Kurek
ade9e28d9f ssl_cli.c : add explicit casting to unsigned char
Signal casting from size_t to unsigned char explicitly, so that the compiler
does not raise a warning about possible loss of data on MSVC, targeting
64-bit Windows.
2019-05-23 03:01:35 -04:00
Andrzej Kurek
346747cd24 Force the usage of crypto submodule
Remove all.sh tests exercising the optional usage of submodule
2019-05-23 03:01:35 -04:00
Manuel Pégourié-Gonnard
45be3d8136 Fix compile guard for static function in ssl
The guard for the definition of the function was different from the guard on
its only use - make it the same.

This has been caught by tests/scripts/key-exchanges.pl. It had not been caught
by this script in earlier CI runs, because previously USE_PSA_CRYPTO was
disabled in the builds used by this script; enabling it uncovered the issue.
2019-05-23 03:01:35 -04:00
Manuel Pégourié-Gonnard
d8167e85d6 Build from submodule by default (make, cmake)
Adapt tests in all.sh:
- tests with submodule enabled (default) no longer need to enable it
  explicitly, and no longer need runtime tests, as those are now handled by
all other test cases in this script
- tests with submodule disabled (old default) now need to disable it
  explicitly, and execute some runtime tests, as those are no longer tested
anywhere else in this script

Adapt documentation in Readme: remove the section "building with submodule"
and replace it with a new section before the other building sections.
Purposefully don't document how to build not from the submodule, as that
option is going away soon.
2019-05-23 03:01:35 -04:00
Ron Eldor
5aebeeb5f4 Set next sequence of subject_alt_names to NULL
Set the next sequence of the subject_alt_name to NULL when deleting
sequence on failure in `get_subject_alt_name()`.
Found by Philippe Antoine. Credit to OSS-Fuzz.
2019-05-22 16:50:24 +03:00
Jaeden Amero
31d1432233 Merge remote-tracking branch 'origin/pr/2530' into development
* origin/pr/2530: (27 commits)
  Style fix
  Fix test data
  Update test data
  Add some negative test cases
  Fix minor issues
  Add ChangeLog entry about listing all SAN
  Check that SAN is not malformed when parsing
  Documentation fixes
  Fix ChangeLog entry
  Fail in case critical crt policy not supported
  Update SAN parsing documentation
  change the type of hardware_module_name member
  Change mbedtls_x509_subject_alternative_name
  Add length checking in certificate policy parsing
  Rephrase x509_crt extension member description
  Rephrase changeLog entries
  Remove redundant memset()
  Propogate error when parsing SubjectAltNames
  Tidy up style in x509_info_subject_alt_name
  Print unparseable SubjectAlternativeNames
  ...
2019-05-20 18:02:25 +01:00
Jaeden Amero
9ebcf9b00a Merge remote-tracking branch 'origin/pr/2538' into development
* origin/pr/2538:
  Remove unneeded whitespaces
  Fix mingw CI failures
  Initialize psa_crypto in ssl test
  Fix missing tls version test failures
  Fix typo
  Fix ChangeLog entry location
  Add changeLog entry
  Add test for export keys functionality
  Add function to retrieve the tls_prf type
  Add tests for the public tls_prf API
  Add public API for tls_prf
  Add eap-tls key derivation in the examples.
  Add ChangeLog entry
  Add an extra key export function
  Have the temporary buffer allocated dynamically
  Zeroize secret data in the exit point
  Add a single exit point in key derivation function
2019-05-20 10:58:36 +01:00
Ron Eldor
6aeae9e962 Style fix
Add whitespace before parenthesis.
2019-05-20 12:00:36 +03:00
Ron Eldor
a291391775 Fix minor issues
1. Typo fix.
2. Change byte by byte coipy to `memcpy`.
3. Remove parenthesis in switch cases.
2019-05-16 16:17:38 +03:00
Ron Eldor
dbbd96652c Check that SAN is not malformed when parsing
Add a call to `mbedtls_x509_parse_subject_alt_name()` during
certificate parsing, to verify the certificate is not malformed.
2019-05-15 15:46:03 +03:00
Ron Eldor
c8b5f3f520 Documentation fixes
Rephrase documentation of the SAN to make it clearer.
2019-05-15 15:15:55 +03:00
Ron Eldor
d2f25f7ea8 Fix missing tls version test failures
Add checks for tls_prf tests with the relevant tls version configuration.
2019-05-15 14:54:22 +03:00
Ron Eldor
0810f0babd Fix typo
Fix typo `returnn` -> `return`
2019-05-15 13:58:13 +03:00
Ron Eldor
cf28009839 Add function to retrieve the tls_prf type
Add `tls_prf_get_type()` static function that returns the
`mbedtls_tls_prf_types` according to the used `tls_prf` function.
2019-05-15 13:57:39 +03:00
Ron Eldor
51d3ab544f Add public API for tls_prf
Add a public API for key derivation, introducing an enum for `tls_prf`
type.
2019-05-15 13:53:02 +03:00
Ron Eldor
b7fd64ce2b Add eap-tls key derivation in the examples.
Add support for eap-tls key derivation functionality,
in `ssl_client2` and `ssl_server2` reference applications.
2019-05-15 13:41:42 +03:00
Ron Eldor
f5cc10d93b Add an extra key export function
Add an additional function `mbedtls_ssl_export_keys_ext_t()`
for exporting key, that adds additional information such as
the used `tls_prf` and the random bytes.
2019-05-15 13:38:39 +03:00
Ron Eldor
3b350856ff Have the temporary buffer allocated dynamically
Change `tmp` buffer to be dynamically allocated, as it is now
dependent on external label given as input, in `tls_prf_generic()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
a9f9a73920 Zeroize secret data in the exit point
Zeroize the secret data in `mbedtls_ssl_derive_keys()`
in the single exit point.
2019-05-15 13:38:39 +03:00
Ron Eldor
e699270908 Add a single exit point in key derivation function
Add a single exit point in `mbedtls_ssl_derive_keys()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
8b0c3c91e6 Fail in case critical crt policy not supported
In case the certificate policy is not of type `AnyPolicy`
set the returned error code to `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE`
and continue parsing. If the extension is critical, return error anyway,
unless `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is configured.
Fail parsing on any other error.
2019-05-15 12:20:00 +03:00
Ron Eldor
f05f594acb change the type of hardware_module_name member
Change the type of `hardware_module_name` struct from
`mbedtls_x509_name` to a unique struct, to distinguish it from the
named data type.
2019-05-13 19:23:08 +03:00
Ron Eldor
890819a597 Change mbedtls_x509_subject_alternative_name
Make `mbedtls_x509_subject_alternative_name` to be a single item
rather than a list. Adapt the subject alternative name parsing function,
to receive a signle `mbedtls_x509_buf` item from the subject_alt_names
sequence of the certificate.
2019-05-13 19:23:07 +03:00
Ron Eldor
0806379e3e Add length checking in certificate policy parsing
Change the extension parsing to `policy_end` and verify that
the policy and qualifiers length don't exceed the end of the extension.
2019-05-13 16:38:39 +03:00
Janos Follath
293c3dae6d Remove redundant memset()
The preceding calloc() already zeroizes that memory area, therfore the
memset() is not necessary. Compilers are likely to optimize this out,
but it still can be confusing to readers.
2019-05-10 15:53:03 +01:00
Janos Follath
6c379b4b80 Propogate error when parsing SubjectAltNames
The previous behaviour of mbedtls_x509_parse_subject_alternative_name()
was to silently ignore errors coming from x509_get_other_name(). The
current commit fixes it and returns with an error.
2019-05-10 14:17:16 +01:00
Janos Follath
2f0ec1e3bf Tidy up style in x509_info_subject_alt_name 2019-05-10 11:06:31 +01:00
Janos Follath
22f605fbab Print unparseable SubjectAlternativeNames
In x509_info_subject_alt_name() we silently dropped names that we
couldn't parse because they are not supported or are malformed. (Being
malformed might mean damaged file, but can be a sign of incompatibility
between applications.)

This commit adds code notifying the user that there is something, but
we can't parse it.
2019-05-10 10:57:44 +01:00
Janos Follath
ab23cd1eae Remove unneeded checks from x509_get_other_name
Lengths are aleady checked in mbedtls_asn1_get_len() which is called in
mbedtls_asn1_get_tag(), therefore it is not necessary to check
the lengths explicitly afterwards.

Also with the previous flow data was left in the output buffer on some
errors.
2019-05-09 15:05:30 +01:00
Ron Eldor
74d9acc144 Add support for certificate policies extension
Add support for certificate policies, as defined in rfc 5280.
Currently support only `anyPolicy` policy.
2019-05-07 17:05:45 +03:00
Ron Eldor
b2dc3fa72e Suppport otherName of type hardware module name
Add support of parsing of subject alternative name, of type otherName.
Currently supports only hardware module name, as defined in rfc 4108.
2019-05-07 17:04:57 +03:00
Jack Lloyd
5d9c9636fa Add support for RSA PKCSv1.5 signatures using RIPEMD-160 2019-05-06 12:15:17 -04:00
Hanno Becker
67d42597a9 Avoid use of large stack buffers in mbedtls_x509_write_crt_pem()
This commit rewrites mbedtls_x509write_crt_pem() to not use
a statically size stack buffer to temporarily store the DER
encoded form of the certificate to be written.

This is not necessary because the DER-to-PEM conversion
accepts overlapping input and output buffers.
2019-05-04 08:13:23 +01:00
Hanno Becker
def4305168 Perform CRT writing in-place on the output buffer
The CRT writing routine mbedtls_x509write_crt_der() prepares the TBS
(to-be-signed) part of the CRT in a temporary stack-allocated buffer,
copying it to the actual output buffer at the end of the routine.

This comes at the cost of a very large stack buffer. Moreover, its size
must be hardcoded to an upper bound for the lengths of all CRTs to be
written through the routine. So far, this upper bound was set to 2Kb, which
isn't sufficient some larger certificates, as was reported e.g. in #2631.

This commit fixes this by changing mbedtls_x509write_crt_der() to write
the certificate in-place in the output buffer, thereby avoiding the use
of a statically sized stack buffer for the TBS.

Fixes #2631.
2019-05-04 07:54:36 +01:00
Hanno Becker
6ad3fd105c Adapt x509write_crt.c to coding style
Avoid lines longer than 80 characters and fix indentation.
2019-05-04 07:38:39 +01:00
Jaeden Amero
75d9a333ce Merge remote-tracking branch 'origin/pr/1633' into development
* origin/pr/1633: (26 commits)
  Fix uninitialized variable access in debug output of record enc/dec
  Adapt PSA code to ssl_transform changes
  Ensure non-NULL key buffer when building SSL test transforms
  Catch errors while building SSL test transforms
  Use mbedtls_{calloc|free}() in SSL unit test suite
  Improve documentation of mbedtls_record
  Adapt record length value after encryption
  Alternative between send/recv transform in SSL record test suite
  Fix memory leak on failure in test_suite_ssl
  Rename ssl_decrypt_buf() to mbedtls_ssl_decrypt_buf() in comment
  Add record encryption/decryption tests for ARIA to SSL test suite
  Improve documentation of mbedtls_ssl_transform
  Double check that record expansion is as expected during decryption
  Move debugging output after record decryption
  Add encryption/decryption tests for small records
  Add tests for record encryption/decryption
  Reduce size of `ssl_transform` if no MAC ciphersuite is enabled
  Remove code from `ssl_derive_keys` if relevant modes are not enabled
  Provide standalone version of `ssl_decrypt_buf`
  Provide standalone version of `ssl_encrypt_buf`
  ...
2019-05-02 09:08:43 +01:00
Jaeden Amero
4e952f6ebd Regenerate errors.c
Autogenerate errors.c There are changes in error.c due to updating the
crypto submodule to a version that no longer has the SSL, X.509, or net
modules. The errors are correctly sourced from Mbed TLS and not Mbed
Crypto, but they do move around within the file due to how the error
generator script is written.
2019-04-30 16:47:36 +01:00
Hanno Becker
1f10d7643f Fix uninitialized variable access in debug output of record enc/dec 2019-04-26 13:34:37 +01:00
Hanno Becker
22bf145599 Adapt PSA code to ssl_transform changes 2019-04-25 12:58:21 +01:00
Hanno Becker
78f839df94 Adapt record length value after encryption 2019-04-25 12:58:21 +01:00
Hanno Becker
b2ca87d289 Rename ssl_decrypt_buf() to mbedtls_ssl_decrypt_buf() in comment 2019-04-25 12:58:21 +01:00