Commit graph

274 commits

Author SHA1 Message Date
Przemyslaw Stekiel
d66387f8fa Init psa status to PSA_ERROR_CORRUPTION_DETECTED
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-03 09:16:41 +01:00
Przemyslaw Stekiel
b97556e8d1 mbedtls_ssl_encrypt/decrypt_buf: remove dead code
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-03 09:16:29 +01:00
Przemyslaw Stekiel
77aec8d181 Rename ssl_psa_status_to_mbedtls->psa_ssl_status_to_mbedtls
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 20:22:53 +01:00
Przemyslaw Stekiel
be47ecf5e2 mbedtls_ssl_get_record_expansion: use same condidion set as for non-psa build
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 17:50:00 +01:00
Przemyslaw Stekiel
89dad93a78 Rename psa_status_to_mbedtls->ssl_psa_status_to_mbedtls and add conversion for PSA_ERROR_INVALID_SIGNATURE
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:39:24 +01:00
Przemyslaw Stekiel
399ed51185 Fix condition in mbedtls_ssl_get_record_expansion
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:39:24 +01:00
Przemyslaw Stekiel
1d714479a3 mbedtls_ssl_get_record_expansion: rework switch statement for psa
As PSA_ALG_IS_AEAD( transform->psa_alg ) can't be used as switch labels (switch labels must be constant expressions, they have to be evaluated at compile time) refactor switch to "if else" statement.

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
e88477844c Adapt the mbed tls mode: ccm or gcm or cachapoly to psa version
mode == MBEDTLS_MODE_CCM || mode == MBEDTLS_GCM || mode == MBEDTLS_CHACHAPOLY is equivalent to PSA_ALG_IS_AEAD( alg ).

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
221b52791e ssl_msg.c: fix parm in call to mbedtls_ssl_decrypt_buf()
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
6be9cf542f Cleanup the code
Use conditional compilation for psa and mbedtls code (MBEDTLS_USE_PSA_CRYPTO).

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
d4eab57933 Skip psa encryption/decryption for null cipher
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
ce09e7d868 Use psa_status_to_mbedtls() for psa error case
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
1fe065b235 Fix conditional compilation (MBEDTLS_USE_PSA_CRYPTO)
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
2e9711f766 mbedtls_ssl_decrypt_buf(): replace mbedtls_cipher_crypt() and mbedtls_cipher_auth_decrypt_ext() with PSA calls
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
b37fae122c mbedtls_ssl_encrypt_buf(): replace mbedtls_cipher_crypt() and mbedtls_cipher_auth_encrypt_ext() with PSA calls
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:28 +01:00
Przemyslaw Stekiel
ce37d11c67 mbedtls_ssl_transform_free(): fix destruction of psa keys
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:28 +01:00
Przemyslaw Stekiel
8f80fb9b1d Adapt in mbedtls_ssl_transform_init() and mbedtls_ssl_transform_free() after extending mbedtls_ssl_transform struct
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:28 +01:00
Dave Rodgman
050ad4bb50
Merge pull request #5313 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac
Check HMAC return values
2021-12-13 10:51:27 +00:00
Gilles Peskine
ecf6bebb9c Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:00:57 +01:00
Gilles Peskine
d5ba50e239 Zeroize local MAC variables
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:59:45 +01:00
Ronald Cron
6f135e1148 Rename MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL to MBEDTLS_SSL_PROTO_TLS1_3
As we have now a minimal viable implementation of TLS 1.3,
let's remove EXPERIMENTAL from the config option enabling
it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:47:55 +01:00
Ronald Cron
7e38cba993 Add incoming ChangeCipherSpec filtering in TLS 1.3
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-09 13:40:22 +01:00
Gabor Mezei
be7b21da22
Merge branch 'development' into 3649_move_constant_time_functions_into_separate_module 2021-11-24 10:44:13 +01:00
Jerry Yu
a1a568c2f6 fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-11-09 10:17:21 +08:00
Jerry Yu
1ca80f7ca5 fix comment issue
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-11-08 10:45:16 +08:00
Jerry Yu
47413c2c8f fix wrong version header for tls1.3
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-30 20:23:37 +08:00
Gabor Mezei
22c9a6fccc
Rename internal header constant_time.h to constant_time_internal.h
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-10-20 12:15:20 +02:00
Gabor Mezei
90437e3762
Rename constant-time functions to have mbedtls_ct prefix
Rename functions to better suite with the module name.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-10-20 11:59:27 +02:00
Gabor Mezei
765862c4f3
Move mbedtls_cf_memcmp to a new public header
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-10-19 12:22:25 +02:00
Ronald Cron
e23bba04ee
Merge pull request #4927 from yuhaoth/pr/add-tls13-serverhello-utils
TLS 1.3: ServerHello: add  utils functions used by ServerHello
Regarding the merge job, there was only one of the failure we currently encounter on almost all PR (Session resume using tickets, DTLS: openssl client test case see #5012) thus we can consider that this PR passed CI.
2021-10-11 11:01:11 +02:00
Jerry Yu
fd320e9a6e Replace zeroize with memset
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-08 21:52:41 +08:00
Jerry Yu
ae0b2e2a2f Rename counter_len
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-08 15:40:14 +08:00
Jerry Yu
c1ddeef53a fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-08 15:40:14 +08:00
Jerry Yu
d96a5c2d86 Fix wrong usage of counter len macro
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-29 17:46:51 +08:00
gabor-mezei-arm
4602564d7a
Unify memcmp functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:33:47 +02:00
gabor-mezei-arm
9c1203fd67
Delete ssl_invasive.h due to duplicated function declarations
All function declaration provided by ssl_invasive.h is needed only for
testing purposes and all of them are provided by constant_time.h as well.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:28:44 +02:00
gabor-mezei-arm
1349ffde84
Move mbedtls_cf_hmac function to the constant-time module
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:28:44 +02:00
gabor-mezei-arm
0e7f71e1a9
Move mbedtls_cf_memcpy_offset function to the constant-time module
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:28:44 +02:00
gabor-mezei-arm
dee0fd33f1
Move mbedtls_cf_memcpy_if_eq function to the constant-time module
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:28:43 +02:00
gabor-mezei-arm
8d1d5fd204 Move mbedtls_cf_size_bool_eq function to the constant-time module
There were multiple functions called mbedtls_cf_size_bool_eq. They had exactly
the same behavior, so move the one in bignum.c and remove the other.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:20:07 +02:00
gabor-mezei-arm
16fc57bcc4
Move mbedtls_cf_size_mask_ge function to the constant-time module
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:16:14 +02:00
gabor-mezei-arm
c76227d808
Move mbedtls_cf_size_mask_lt function to the constant-time module
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:16:14 +02:00
gabor-mezei-arm
3733bf805a
Move mbedtls_cf_size_mask function to the constant-time module
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:16:14 +02:00
gabor-mezei-arm
db9a38c672
Move contatnt-time memcmp functions to the contant-time module
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:16:14 +02:00
gabor-mezei-arm
9fa43ce238
Rename function to have suitable name
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-09-28 16:14:47 +02:00
Jerry Yu
d9a94fe3d0 Add counter length macro
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-28 20:10:26 +08:00
Jerry Yu
957f0fa1f7 Add length macro for in_ctr
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:34:58 +08:00
Jerry Yu
92c1ca221f fix likely typos error
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:34:58 +08:00
Jerry Yu
5243142476 Add macro for length of input counter
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:34:58 +08:00
Jerry Yu
e3131ef7f3 fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:34:58 +08:00
Jerry Yu
c7875b5f11 add set in/out transform utils
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:34:58 +08:00
Jerry Yu
3bf1f97a0e fix various issue on pending send alert
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:38 +08:00
Jerry Yu
bbd5a3fded fix pending_alert issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:38 +08:00
Jerry Yu
394ece6cdd Add function for set pending alert flag
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:38 +08:00
Jerry Yu
e7047819ee add pend fatal alert
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:38 +08:00
Joe Subbiani
6dd7364553 Replace instances of byte reading macros with PUT
Instances of a group of byte reading macros which are equivilant to
MBEDTLS_PUT_UINTx_yz

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:57:41 +01:00
Joe Subbiani
fbeb692dd0 Use byte reading macros in places not using a byte mask
byte shifting opertations throughout library/ were only replaced with
the byte reading macros when an 0xff mask was being used.
The byte reading macros are now more widley used, however they have not
been used in all cases of a byte shift operation, as it detracted from
the immediate readability or otherwise did not seem appropriate.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:56:47 +01:00
Joe Subbiani
2194dc477a Replace MBEDTLS_CHAR_x with MBEDTLS_BYTE_x
The CHAR macros casted to an unsigned char which in this project
is garunteed to be 8 bits - the same as uint8_t (which BYTE casts
to) therefore, instances of CHAR have been swapped with BYTE and
the number of macros have been cut down

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:56:47 +01:00
Joe Subbiani
cd84d76e9b Add Character byte reading macros
These cast to an unsigned char rather than a uint8_t
like with MBEDTLS_BYTE_x
These save alot of space and will improve maintence by
replacing the appropriate code with MBEDTLS_CHAR_x

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:55:41 +01:00
Joe Subbiani
5ecac217f0 Prefixed macros with MBEDTLS
As per tests/scripts/check-names.sh, macros in
library/ header files should be prefixed with
MBEDTLS_
The macro functions in common.h where also indented
to comply with the same test

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:31:54 +01:00
Joe Subbiani
6f2bb0c8ef Remove trailing whitespace
Trailing white spaces causing check_files.py to fail

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:31:54 +01:00
Joe Subbiani
50dde56543 Implement byte reading macros into library/
To improve readability by saving horizontal and vertical space.
Removed unecessary & 0xFF.
Byte reading macros implemented in library/common.h, All files
containing "& 0xff" were modified.
Comments/Documentation not yet added to the macro definitions.

Fixes #4274

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:31:53 +01:00
Manuel Pégourié-Gonnard
409c8f6e1b
Merge pull request #4851 from hanno-arm/hs_msg_without_checksum
Add handshake message writing variant that doesn't update checksum
2021-08-12 11:54:10 +02:00
Hanno Becker
f3cce8b0e1 Add handshake message writing variant that doesn't update checksum
The helper `mbedtls_ssl_write_handshake_msg` writes a handshake message
and updates the handshake transcript.

With TLS 1.3, we need finer control over the checksum: updating
at message granularity is not sufficient. To allow for manual maintenance
of the checksum in those cases, refine `mbedtls_ssl_write_handshake_msg()`
into `mbedtls_ssl_write_handshake_msg_ext()` which takes a parameter
determining whether the checksum should be updated.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-07 14:29:49 +01:00
Hanno Becker
79e2d1b6f6 Fix AEAD additional data computation for TLS 1.3
The AEAD additional data (AAD) is computed differently in TLS 1.3
compared to TLS 1.2, but this change hasn't yet been reflected in
the codee, rendering the current implementation of

```
   mbedtls_ssl_{encrypt,decrypt}_buf()
```

not standard compliant.

This commit fixes this by adjusting the AAD extraction function
ssl_extract_add_data_from_record() and its call-sites.

Please see the documentation of the code for an explanation
of how the AAD has changed from TLS 1.2 to TLS 1.3.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:52:49 +01:00
Manuel Pégourié-Gonnard
b637150dfe
Merge pull request #4730 from TRodziewicz/finish_removing_tls_1.0_and_1.1
Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
2021-07-27 09:42:53 +02:00
TRodziewicz
345165c1f7 Reverting deleted macros
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-06 13:42:11 +02:00
TRodziewicz
302ed2bf7d Reverting the TLS 1.3 compatibility
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-05 16:55:27 +02:00
TRodziewicz
2abf03c551 Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-28 14:36:37 +02:00
Hanno Becker
90d59dddf5 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Gilles Peskine
8d4e32b888
Merge pull request #4522 from mpg/fix-ssl-cf-hmac-alt-dev
Fix misuse of MD API in SSL constant-flow HMAC
2021-06-07 20:53:33 +02:00
Manuel Pégourié-Gonnard
df77624ab5
Merge pull request #4490 from TRodziewicz/Combine__SSL_<CID-TLS1_3>_PADDING_GRANULARITY_options
Combine _SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
2021-06-02 13:47:48 +02:00
TRodziewicz
46cccb8f39 _SSL_DTLS_BADMAC_LIMIT config.h option removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-26 13:36:21 +02:00
TRodziewicz
e8dd7097c3 Combine MBEDTLS_SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-26 13:19:08 +02:00
TRodziewicz
4ca18aae38 Corrections after the code review
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 13:38:00 +02:00
TRodziewicz
6370dbeb1d Remove the _SSL_FALLBACK_ parts
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:59 +02:00
TRodziewicz
2d8800e227 Small corrections in the comments
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:24 +02:00
TRodziewicz
ef73f01927 Removing strayed dtls1 after doing tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:04 +02:00
TRodziewicz
28126050f2 Removal of constants and functions and a new ChangeLog file
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:48:12 +02:00
TRodziewicz
0f82ec6740 Remove the TLS 1.0 and 1.1 support
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:45:20 +02:00
Manuel Pégourié-Gonnard
2213871654
Merge pull request #4489 from TRodziewicz/Remove__SSL_RECORD_CHECKING
Remove  ssl record checking
2021-05-19 13:57:51 +02:00
Manuel Pégourié-Gonnard
5ca21db813 Fix misuse of MD API in SSL constant-flow HMAC
The sequence of calls starts-update-starts-update-finish is not a
guaranteed valid way to abort an operation and start a new one. Our
software implementation just happens to support it, but alt
implementations may very well not support it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-19 10:33:40 +02:00
Hanno Becker
d086bf0c62 Fix typo
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:14:56 +01:00
Hanno Becker
0cc4661365 Introduce helper macro for presence of stream ciphersuites
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:14:56 +01:00
Hanno Becker
fd86ca8626 Rename SOME_MODES_USE_MAC -> SOME_SUITES_USE_MAC
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:07:48 +01:00
TRodziewicz
102c89ed65 Remove the MBEDTLS_SSL_RECORD_CHECKING option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-12 13:28:59 +02:00
Manuel Pégourié-Gonnard
dd57b2f240
Merge pull request #4445 from TRodziewicz/remove_deprecated_things_-_remainder
Remove deprecated functions and constants.
2021-05-07 10:05:30 +02:00
paul-elliott-arm
5b416e95b2
Merge pull request #3910 from hanno-arm/post_handshake_handling
Introduce helper for handling of post-handshake handshake messages in TLS <=1.2
2021-05-06 17:13:03 +01:00
Manuel Pégourié-Gonnard
cae1fd0392
Merge pull request #4187 from hanno-arm/out_ctr_update_tls
Keep pointer to TLS record sequence number static
2021-05-04 12:44:39 +02:00
Hanno Becker
f26cc72e7b Reintroduce comment on state of renegotiation after post HS message
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-01 06:17:49 +01:00
Hanno Becker
fae12cf1ef Use error corruption detection as initial return value
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-01 06:17:49 +01:00
Hanno Becker
cad3dbaf45 Add missing static qualification for post-HS HS message handler
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-01 06:17:49 +01:00
Hanno Becker
b03f88f06c Introduce helper for handling of post-handshake handshake messages
Handling the receipt of a handshake record after the initial handshake
requires non-trivial logic depending on the protocol version and the
endpoint. This logic is currently embedded in mbedtls_ssl_read().

With the introduction of support for [D]TLS 1.3, the logic will become
even more complex, since [D]TLS 1.3 drops support for renegotiation --
which in [D]TLS 1.2 is the main purpose of post-handshake handshake
messages -- but instead introduces numerous other post-handshake
handshake messages.

In order to pave the way for those changes, this commit improves
readability and maintainability of mbedtls_ssl_read() by moving
the TLS <=1.2 logic for handling post-handshake handshake messages
into a separate helper function ssl_handle_hs_message_post_handshake().

The logic of the code is entirely unchanged.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-01 06:17:49 +01:00
TRodziewicz
85dfc4de20 Applying current changes
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-30 00:07:04 +02:00
TRodziewicz
18efb73743 Remove deprecated functions and constants.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-29 23:12:19 +02:00
Mateusz Starzyk
c301bd56f0 Merge branch 'development_3.0' into drop_old_tls_options 2021-04-15 13:55:20 +02:00
Mateusz Starzyk
f5c535139d Remove remaining comments and strings refering to removed features.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-15 13:28:52 +02:00
Dave Rodgman
73e3e2cb1a Merge remote-tracking branch 'origin/development' into development_new
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

Conflicts:
        include/mbedtls/check_config.h: nearby edits
	library/entropy.c: nearby edits
	programs/random/gen_random_havege.c: modification vs. removal
	programs/ssl/ssl_test_lib.h: nearby edits
	programs/test/cpp_dummy_build.cpp: nearby edits
	visualc/VS2010/mbedTLS.vcxproj: automatically generated file,
            regenerated with scripts/generate_visualc_files.pl
2021-04-07 16:31:09 +01:00
Mateusz Starzyk
e204dbf272 Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:54 +01:00
Mateusz Starzyk
5224e29f0e Drop support for RC4 TLS ciphersuites.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:54 +01:00
Mateusz Starzyk
a3a9984a5d Drop support for TLS record-level compression.
Remove option MBEDTLS_ZLIB_SUPPORT.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:51 +01:00
Mateusz Starzyk
06b07fb839 Drop support for SSLv3.
Remove options: MBEDTLS_SSL_MINOR_VERSION_0 and
MBEDTLS_SSL_PROTO_SSL3).

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:19:05 +01:00
Paul Elliott
d48d5c6615 Fix size_t and longlong specifiers for MinGW
MinGW and older windows compilers cannot cope with %zu or %lld (there is
a workaround for MinGW, but it involves linking more code, there is no
workaround for Windows compilers prior to 2013). Attempt to work around
this by defining printf specifiers for size_t per platform for the
compilers that cannot use the C99 specifiers.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Paul Elliott
3891caf1ce Misc review requested fixes
Style fixes and cast certain defines to size_t

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Paul Elliott
9f35211774 Fixes for invalid printf format specifiers
Fixes for printf format specifiers, where they have been flagged as
invalid sizes by coverity, and new build flags to enable catching these
errors when building using CMake. Note that this patch uses %zu, which
requires C99 or later.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Chris Jones
84a773f8e6 Rename ssl_internal.h to ssl_misc.h
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
e2191cd789 Update includes to use library/ instead of include/mbedtls/
Simple find and replace using `#include (<|")mbedtls/(.*)_internal.h(>|")`
and `#include $1$2_internal.h$3`.

Also re-generated visualc files by running
`scripts/generate_visualc_files.pl`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Hanno Becker
12078f4c22 Keep pointer to TLS record sequence number static
The field `cur_out_ctr` in the SSL context keeps track of the
record sequence number for the next outgoing record.

For TLS, this sequence number is implicit and not transmitted
on the wire, while for DTLS, it's part of of the record header.

For DTLS, the position of the record sequence number of the next
outgoing record in that record's header is tracked in the pointer
`out_ctr`. This pointer moves forward along with other pointers
such as `out_hdr` or `out_msg` within the outgoing data buffer
`out_buf` as multiple records are written in the same datagram.

For TLS, the `out_ctr` pointer is logically superfluous, but
for some reason, we're still maintaining it by having it point
to the 8 Bytes prior to the header of the next outgoing record,
and always copying `cur_out_ctr` to this position prior to
encrypting an outgoing record.

After a record has been prepared for writing in `ssl_write_record()`,
the `out_xxx` pointers (except for `out_buf`, which is static),
are shifted forward so that they point to the header and content
of the next outgoing record. This is used only in DTLS in order
to stack multiple records into a single datagram, but the shifting
is happening for TLS as well. However, it has little effect in TLS
because we're always flushing immediately after writing, and afterwards
reset the `out_xxx` pointers.

While the present code works as-is, it is wrong to shift `out_ctr`
in the case of TLS, because it makes `out_ctr` point to the last 8
Bytes of the ciphertext of the last outgoing record. Should we ever
aim to prepare more than one protected record in `out_buf` before
dispatching it to the underlying transport, the superfluous copying
of `cur_out_ctr` to `out_buf` will corrupt the last 8 bytes of the
last record.

This commit aims to fix this problem in the minimal possible way,
by simply not shifting `out_ctr` after a record has been written.
It does deliberately not attempt to remove `out_ctr` for TLS altogether,
because any change in the messaging layer is hard to review, and
we're going to replace it soon anyhow.

The shifting happens in the helper routine mbedtls_ssl_update_out_pointers,
which assumed correctness of `out_hdr` for the beginning of the record header
of the next outgoing record, and derives the other `out_xxx` variables.
We remove the update of `out_ctr` from this function in the case of TLS,
and instead move the proper initialization of `out_ctr` to
`out_buf == initial_out_hdr - 8` to the function
mbedtls_ssl_reset_in_out_pointers().

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-03-02 15:50:47 +00:00
Janos Follath
3aae5d4ed7
Merge pull request #781 from mpg/cipher-auth-crypt-restricted
Fix buffer overflow with NIST-KW in cipher layer
2020-12-07 12:58:36 +00:00
Manuel Pégourié-Gonnard
f5cf71e14a Stop using deprecated functions in the library
all.sh -k '*deprecated*' now passes again

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:10 +01:00
Christian von Arnim
883d304785
Fix: Add missing arguments to debug message.
Signed-off-by: Christian von Arnim <christian.von-arnim@isw.uni-stuttgart.de>
2020-12-02 10:13:02 +01:00
Hanno Becker
a817ea449a Check presence of DTLS timers only once
Mbed TLS requires users of DTLS to configure timer callbacks
needed to implement the wait-and-retransmit logic of DTLS.

Previously, the presence of these timer callbacks was checked
at every invocation of `mbedtls_ssl_fetch_input()`, so lowest
layer of the messaging stack interfacing with the underlying
transport.

This commit removes this recurring check and instead checks the
presence of timers once at the beginning of the handshake.

The main rationale for this change is that it is a step towards
separating the various layers of the messaging stack more cleanly:
datagram layer, record layer, message layer, retransmission layer.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-10-20 15:29:14 +01:00
Manuel Pégourié-Gonnard
6d6f8a4b97 Clarify descriptions of constant-flow helpers
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-28 09:51:41 +02:00
Manuel Pégourié-Gonnard
822b3729e7 Remove last use of non-bit operations
According to https://www.bearssl.org/ctmul.html even single-precision
multiplication is not constant-time on some older platforms.

An added benefit of the new code is that it removes the somewhat mysterious
constant 0x1ff - which was selected because at that point the maximum value of
padlen was 256. The new code is perhaps a bit more readable for that reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:22 +02:00
Manuel Pégourié-Gonnard
2a59fb45b5 Add explicit cast when truncating values
MSVC complains about it otherwise.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:22 +02:00
Manuel Pégourié-Gonnard
6e2a9a7faa Factor repeated code in ssl_cf functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:21 +02:00
Manuel Pégourié-Gonnard
2ddec4306f Use bit operations for constant-flow padding check
The previous code used comparison operators >= and == that are quite likely to
be compiled to branches by some compilers on some architectures (with some
optimisation levels).

For example, take the following function:

void old_update( size_t data_len, size_t *padlen )
{
    *padlen  *= ( data_len >= *padlen + 1 );
}

With Clang 3.8, let's compile it for the Arm v6-M architecture:

% clang --target=arm-none-eabi -march=armv6-m -Os foo.c -S -o - |
    sed -n '/^old_update:$/,/\.size/p'

old_update:
        .fnstart
@ BB#0:
        .save   {r4, lr}
        push    {r4, lr}
        ldr     r2, [r1]
        adds    r4, r2, #1
        movs    r3, #0
        cmp     r4, r0
        bls     .LBB0_2
@ BB#1:
        mov     r2, r3
.LBB0_2:
        str     r2, [r1]
        pop     {r4, pc}
.Lfunc_end0:
        .size   old_update, .Lfunc_end0-old_update

We can see an unbalanced secret-dependant branch, resulting in a total
execution time depends on the value of the secret (here padlen) in a
straightforward way.

The new version, based on bit operations, doesn't have this issue:

new_update:
        .fnstart
@ BB#0:
        ldr     r2, [r1]
        subs    r0, r0, #1
        subs    r0, r0, r2
        asrs    r0, r0, #31
        bics    r2, r0
        str     r2, [r1]
        bx      lr
.Lfunc_end1:
        .size   new_update, .Lfunc_end1-new_update

(As a bonus, it's smaller and uses less stack.)

While there's no formal guarantee that the version based on bit operations in
C won't be translated using branches by the compiler, experiments tend to show
that's the case [1], and it is commonly accepted knowledge in the practical
crypto community that if we want to sick to C, bit operations are the safest
bet [2].

[1] https://github.com/mpg/ct/blob/master/results
[2] https://github.com/veorq/cryptocoding

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:10:33 +02:00
Janos Follath
d2ce916b58 Merge branch 'development-restricted' 2020-08-26 14:15:34 +01:00
Janos Follath
d4ac4e037b
Merge pull request #736 from mpg/cf-varpos-copy-dev-restricted
Constant-flow copy of HMAC from variable position
2020-08-25 14:35:55 +01:00
Gilles Peskine
ed19762a22
Merge pull request #3574 from makise-homura/e2k_support
Support building on e2k (Elbrus) architecture
2020-08-25 09:46:36 +02:00
makise-homura
af9513bb48 A different approach of signed-to-unsigned comparison
Suggsted by @hanno-arm

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-24 23:42:49 +03:00
Manuel Pégourié-Gonnard
ba6fc9796a Fix a typo in a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-24 12:59:55 +02:00
Dan Handley
abccfc1684 Merge development into development-restricted
* development:
  Update copyright notices to use Linux Foundation guidance
  Undef ASSERT before defining it to ensure that no previous definition has sneaked in through included files.
  Add ChangeLog entry for X.509 CN-type vulnerability
  Improve documentation of cn in x509_crt_verify()
  Fix comparison between different name types
  Add test: DNS names should not match IP addresses
  Remove obsolete buildbot reference in compat.sh
  Fix misuse of printf in shell script
  Fix added proxy command when IPv6 is used
  Simplify test syntax
  Fix logic error in setting client port
  ssl-opt.sh: include test name in log files
  ssl-opt.sh: remove old buildbot-specific condition
  ssl-opt.sh: add proxy to all DTLS tests

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-08-20 11:07:12 +01:00
Manuel Pégourié-Gonnard
de1cf2c5e1 Make mbedtls_ssl_cf_memcpy_offset() constant-flow
all.sh component test_valgrind_constant_flow is now passing.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-20 10:22:41 +02:00
Manuel Pégourié-Gonnard
7fe2c5f086 Add mbedtls_ssl_cf_memcpy_offset() with tests
The tests are supposed to be failing now (in all.sh component
test_memsan_constant_flow), but they don't as apparently MemSan doesn't
complain when the src argument of memcpy() is uninitialized, see
https://github.com/google/sanitizers/issues/1296

The next commit will add an option to test constant flow with valgrind, which
will hopefully correctly flag the current non-constant-flow implementation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-19 11:56:02 +02:00
Manuel Pégourié-Gonnard
3c31afaca6 Use temporary buffer to hold the peer's HMAC
This paves the way for a constant-flow implementation of HMAC checking, by
making sure that the comparison happens at a constant address. The missing
step is obviously to copy the HMAC from the secret offset to this temporary
buffer with constant flow, which will be done in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-19 11:56:01 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
makise-homura
0be6aa9957 Get back -Wsign-compare and fix sources according to it
Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-18 23:52:53 +03:00
Gilles Peskine
e900b59703
Merge pull request #719 from gabor-mezei-arm/689_zeroising_of_plaintext_buffers
Zeroising of plaintext buffers in mbedtls_ssl_read()
2020-08-12 18:51:42 +02:00
Manuel Pégourié-Gonnard
f009542747 Add missing const for consistency
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-27 09:34:10 +02:00
Manuel Pégourié-Gonnard
e747843903 Fix a whitespace issue
Co-authored-by: Janos Follath <janos.follath@arm.com>
2020-07-27 09:34:10 +02:00
Manuel Pégourié-Gonnard
e0765f35d5 Use int ret = MBEDTLS_ERROR_CORRUPTION_DETECTED; idiom
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-27 09:34:10 +02:00
Manuel Pégourié-Gonnard
44c9fdde6e Check errors from the MD layer
Could be out-of-memory for some functions, accelerator issues for others.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:20 +02:00
Manuel Pégourié-Gonnard
9713e13e68 Remove unnecessary cast
This is C, not C++, casts between void * and other pointer types are free.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:19 +02:00
Manuel Pégourié-Gonnard
baccf803ad Improve some comments and internal documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:19 +02:00
Manuel Pégourié-Gonnard
ed0e86428d Factor repeated condition to its own macro
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:19 +02:00
Manuel Pégourié-Gonnard
7a8b1e6b71 Implement cf_hmac() actually with constant flow
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:18 +02:00
gabor-mezei-arm
a321413807
Zeroising of plaintext buffers to erase unused application data from memory
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-07-15 14:14:41 +02:00
Manuel Pégourié-Gonnard
65a6fa3e26 Make cf_hmac() STATIC_TESTABLE
The test function now depends on MBEDTLS_TEST_HOOKS, which is enabled by
config.py full, and since there are already components in all.sh exercising
the full config, this test function is sill exercised even with this new
dependency.

Since this is the first time a test function depends on MBEDTLS_TEST_HOOKS,
fix a bug in check-names.sh that wasn't apparent so far: headers from
library/*.h were not considered when looking for macro definitions. This
became apparent because MBEDTLS_STATIC_TESTABLE is defined in library/common.h
and started being used in library/ssl_msg.c, so was flagged as a likely typo.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:26:21 +02:00
Manuel Pégourié-Gonnard
8aa29e382f Use existing implementation of cf_hmac()
Just move code from ssl_decrypt_buf() to the new cf_hmac() function and then
call cf_hmac() from there.

This makes the new cf_hmac() function used, opening the door for making it
static in the next commit. It also validates that its interface works for
using it in ssl_decrypt_buf().

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:26:21 +02:00
Manuel Pégourié-Gonnard
045f094c81 Add dummy constant-flow HMAC function with tests
The dummy implementation is not constant-flow at all for now, it's just
here as a starting point and a support for developing the tests and putting
the infrastructure in place.

Depending on the implementation strategy, there might be various corner cases
depending on where the lengths fall relative to block boundaries. So it seems
safer to just test all possible lengths in a given range than to use only a
few randomly-chosen values.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:25:52 +02:00
Manuel Pégourié-Gonnard
2df1f1f16f Factor repeated preprocessor condition to a macro
The condition is a complex and repeated a few times. There were already some
inconsistencies in the repetitions as some of them forgot about DES.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-09 12:13:31 +02:00
Manuel Pégourié-Gonnard
527b87890d
Merge pull request #3454 from gilles-peskine-arm/include-common-h-development
Include common.h from all library source files
2020-07-03 09:44:18 +02:00
Gilles Peskine
db09ef6d22 Include common.h instead of config.h in library source files
In library source files, include "common.h", which takes care of
including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE)
and other things that are used throughout the library.

FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00
Manuel Pégourié-Gonnard
f4e3fc9133 Use starts/finish around Lucky 13 dummy compressions
Fixes #3246

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-15 11:55:53 +02:00
Hanno Becker
f486e28694 Document precondition of nonce-generating function in ssl_msg.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:33:08 +01:00
Hanno Becker
15952814d8 Improve documentation of nonce-generating function in ssl_msg.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:31:46 +01:00
Hanno Becker
1cda2667af Spell out check for non-zero'ness
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:28:44 +01:00
Hanno Becker
16bf0e2346 Fix debug print of explicit IV
The previous version attempted to write the explicit IV from
the destination buffer before it has been written there.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:27:34 +01:00
Hanno Becker
7cca3589cb Fix indentation in debug statement in ssl_msg.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:27:22 +01:00