Commit graph

479 commits

Author SHA1 Message Date
Hanno Becker
261602cb34 Uniformize bounds checks using new macro
This commit uses the previously defined macro to uniformize
bounds checks in several places. It also adds bounds checks to
the ClientHello writing function that were previously missing.
Also, the functions adding extensions to the ClientHello message
can now fail if the buffer is too small or a different error
condition occurs, and moreover they take an additional buffer
end parameter to free them from the assumption that one is
writing to the default output buffer.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-29 15:07:00 +02:00
Ronald Cron
4c7bbe289a Remove unnecessary MBEDTLS_ECP_C preprocessor condition
The ssl_cli.c:ssl_write_supported_elliptic_curves_ext()
function is compiled only if MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C
or MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED is defined which
implies that MBEDTLS_ECP_C is defined. Thus remove the
precompiler conditions on MBEDTLS_ECP_C in its code.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-07 10:54:43 +02:00
Hanno Becker
b2fff6d7ed Shorten lines in library/ssl_cli.c to at most 80 characters
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-06 16:05:42 +02:00
Manuel Pégourié-Gonnard
28482397d3 Merge branch 'development-restricted' into prepare-rc-2.22.0-updated
* development-restricted:
  Parse HelloVerifyRequest buffer overread: add changelog entry
  Parse HelloVerifyRequest: avoid buffer overread at the start
  Parse HelloVerifyRequest: avoid buffer overread on the cookie
2020-04-09 12:17:11 +02:00
Manuel Pégourié-Gonnard
215d2e14a3 Merge remote-tracking branch 'restricted/pr/662' into development-restricted
* restricted/pr/662:
  Parse HelloVerifyRequest buffer overread: add changelog entry
  Parse HelloVerifyRequest: avoid buffer overread at the start
  Parse HelloVerifyRequest: avoid buffer overread on the cookie
2020-04-09 11:53:01 +02:00
Manuel Pégourié-Gonnard
15f30dc7e6 Merge remote-tracking branch 'public/pr/2856' into development
* public/pr/2856:
  Fix issue  #2718 (condition always false)
2020-04-06 10:15:49 +02:00
Gilles Peskine
eccd888717 Rename identifiers containing double-underscore
Rename identifiers containing double-underscore (`__`) to avoid `__`.
The reason to avoid double-underscore is that all identifiers
containing double-underscore are reserved in C++. Rename all such
identifiers that appear in any public header, including ssl_internal.h
which is in principle private but in practice is installed with the
public headers.

This commit makes check-names.sh pass.

```
perl -i -pe 's/\bMBEDTLS_SSL__ECP_RESTARTABLE\b/MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED/g; s/\bMBEDTLS_KEY_EXCHANGE_(_\w+)_(_\w+)\b/MBEDTLS_KEY_EXCHANGE${1}${2}/g' include/mbedtls/*.h library/*.c programs/*/*.c scripts/data_files/rename-1.3-2.0.txt tests/suites/*.function
```
2020-03-23 17:55:32 +01:00
Gilles Peskine
42459805ce USE_PSA_CRYPTO: don't rely on the curve encoding
Adapt to the change of encoding of elliptic curve key types in PSA
crypto. Before, an EC key type encoded the TLS curve identifier. Now
the EC key type only includes an ad hoc curve family identifier, and
determining the exact curve requires both the key type and size. This
commit moves from the old encoding and old definitions from
crypto/include/mbedtls/psa_util.h to the new encoding and definitions
from the immediately preceding crypto submodule update.
2020-01-31 14:57:43 +01:00
Janos Follath
73c616bdc1 Put includes in alphabetical order
The library style is to start with the includes corresponding to the
current module and then the rest in alphabetical order. Some modules
have several header files (eg. ssl_internal.h).

The recently added error.h includes did not respect this convention and
this commit restores it. In some cases this is not possible just by
moving the error.h declarations. This commit fixes the pre-existing
order in these instances too.
2019-12-19 10:27:57 +00:00
Janos Follath
865b3ebf84 Initialize return values to an error
Initializing the return values to an error is best practice and makes
the library more robust against programmer errors.
2019-12-16 15:15:16 +00:00
irwir
6527bd6dfc Fix issue #2718 (condition always false) 2019-11-04 19:52:26 +03:00
Gilles Peskine
b64bf0638f Parse HelloVerifyRequest: avoid buffer overread at the start
In ssl_parse_hello_verify_request, we read 3 bytes (version and cookie
length) without checking that there are that many bytes left in
ssl->in_msg. This could potentially read from memory outside of the
ssl->receive buffer (which would be a remotely exploitable
crash).
2019-09-27 14:02:44 +02:00
Gilles Peskine
b51130dd5c Parse HelloVerifyRequest: avoid buffer overread on the cookie
In ssl_parse_hello_verify_request, we print cookie_len bytes without
checking that there are that many bytes left in ssl->in_msg. This
could potentially log data outside the received message (not a big
deal) and could potentially read from memory outside of the receive
buffer (which would be a remotely exploitable crash).
2019-09-27 14:00:36 +02:00
Manuel Pégourié-Gonnard
de718b99b5 Make calc_verify() return the length as well
Simplifies ssl_compute_hash(), but unfortunately not so much the other uses.
2019-08-23 12:45:33 +03:00
Janos Follath
df3b0892ce Use psa_raw_key_agreement
In PSA 1.0 raw key agreement has been moved from
psa_key_derivation_key_agreement() to its own separate function call,
called psa_raw_key_agreement().
2019-08-16 13:37:32 +01:00
Janos Follath
1239d70870 Remove calls to psa_allocate_key
In PSA 1.0 keys are allocated implicitly by other functions
(like psa_import_key) and psa_allocate_key is not needed and does not
exist anymore.
2019-08-16 13:37:32 +01:00
Janos Follath
53b8ec27a2 Make variable naming consistent 2019-08-16 13:37:32 +01:00
Janos Follath
7bb5e6b4da Update psa_create_key to PSA 1.0 2019-08-16 13:37:32 +01:00
Janos Follath
bd096101b5 Update psa_generator_abort to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
6de99db449 Update psa_generator_read to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
7d7ded85fb Update psa_key_agreement to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
7374ee6139 Update GENERATOR_INIT macro to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
3d158ebd2f Update KEYPAIR macros to PSA 1.0 2019-08-16 11:45:53 +01:00
Hanno Becker
a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker
ebcc9137ca Consistently reference CID draft through name + URL 2019-06-03 16:07:50 +01:00
Hanno Becker
4cac442211 Update references to CID draft to version 5 2019-06-03 16:07:50 +01:00
Hanno Becker
79594fd0d4 Set pointer to start of plaintext at record decryption time
The SSL context structure mbedtls_ssl_context contains several pointers
ssl->in_hdr, ssl->in_len, ssl->in_iv, ssl->in_msg pointing to various
parts of the record header in an incoming record, and they are setup
in the static function ssl_update_in_pointers() based on the _expected_
transform for the next incoming record.
In particular, the pointer ssl->in_msg is set to where the record plaintext
should reside after record decryption, and an assertion double-checks this
after each call to ssl_decrypt_buf().

This commit removes the dependency of ssl_update_in_pointers() on the
expected incoming transform by setting ssl->in_msg to ssl->in_iv --
the beginning of the record content (potentially including the IV) --
and adjusting ssl->in_msg after calling ssl_decrypt_buf() on a protected
record.

Care has to be taken to not load ssl->in_msg before calling
mbedtls_ssl_read_record(), then, which was previously the
case in ssl_parse_server_hello(); the commit fixes that.
2019-06-03 16:07:50 +01:00
Hanno Becker
5a29990367 Improve structure of client-side CID extension parsing
Group configuring CID values together.
2019-06-03 14:43:16 +01:00
Hanno Becker
2262648b69 Improve debugging output of client-side CID extension parsing 2019-06-03 14:43:16 +01:00
Hanno Becker
a8373a11c0 Implement parsing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
49770ffd93 Implement writing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Andrzej Kurek
ade9e28d9f ssl_cli.c : add explicit casting to unsigned char
Signal casting from size_t to unsigned char explicitly, so that the compiler
does not raise a warning about possible loss of data on MSVC, targeting
64-bit Windows.
2019-05-23 03:01:35 -04:00
Hanno Becker
e694c3ef3e Remove ciphersuite_info from ssl_transform
Prior to this commit, the security parameter struct `ssl_transform`
contained a `ciphersuite_info` field pointing to the information
structure for the negotiated ciphersuite. However, the only
information extracted from that structure that was used in the core
encryption and decryption functions `ssl_encrypt_buf`/`ssl_decrypt_buf`
was the authentication tag length in case of an AEAD cipher.

The present commit removes the `ciphersuite_info` field from the
`ssl_transform` structure and adds an explicit `taglen` field
for AEAD authentication tag length.

This is in accordance with the principle that the `ssl_transform`
structure should contain the raw parameters needed for the record
encryption and decryption functions to work, but not the higher-level
information that gave rise to them. For example, the `ssl_transform`
structure implicitly contains the encryption/decryption keys within
their cipher contexts, but it doesn't contain the SSL master or
premaster secrets. Likewise, it contains an explicit `maclen`, while
the status of the 'Truncated HMAC' extension -- which  determines the
value of `maclen` when the `ssl_transform` structure is created in
`ssl_derive_keys` -- is not contained in `ssl_transform`.

The `ciphersuite_info` pointer was used in other places outside
the encryption/decryption functions during the handshake, and for
these functions to work, this commit adds a `ciphersuite_info` pointer
field to the handshake-local `ssl_handshake_params` structure.
2019-04-25 12:58:21 +01:00
Hanno Becker
bd5580abb1 Add further debug statements on assertion failures 2019-02-26 14:38:09 +00:00
Hanno Becker
62d58ed975 Add debug output in case of assertion failure 2019-02-26 14:38:09 +00:00
Hanno Becker
ae553dde3a Free peer's public key as soon as it's no longer needed
On constrained devices, this saves a significant amount of RAM that
might be needed for subsequent expensive operations like ECDHE.
2019-02-26 14:38:09 +00:00
Hanno Becker
a6899bb89d Adapt client-side signature verification to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker
be7f50866d Adapt ssl_get_ecdh_params_from_cert() to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker
c7d7e29b46 Adapt ssl_write_encrypted_pms() to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker
8273df8383 Re-classify errors on missing peer CRT
mbedtls_ssl_parse_certificate() will fail if a ciphersuite requires
a certificate, but none is provided. While it is sensible to double-
check this, failure should be reported as an internal error and not
as an unexpected message.
2019-02-26 14:38:09 +00:00
Hanno Becker
77adddc9e9 Make use of macro and helper detecting whether CertRequest allowed
This commit simplifies the client-side code for outgoing CertificateVerify
messages, and server-side code for outgoing CertificateRequest messages and
incoming CertificateVerify messages, through the use of the macro

   `MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED`

indicating whether a ciphersuite allowing CertificateRequest messages
is enabled in the configuration, as well as the helper function

   `mbedtls_ssl_ciphersuite_cert_req_allowed()`

indicating whether a particular ciphersuite allows CertificateRequest
messages.

These were already used in the client-side code to simplify the
parsing functions for CertificateRequest messages.
2019-02-26 14:38:09 +00:00
Jaeden Amero
86016a03a1 Merge remote-tracking branch 'origin/pr/2338' into development 2019-02-22 12:55:30 +00:00
Jaeden Amero
9f47f82218 Merge remote-tracking branch 'origin/pr/2391' into development 2019-02-22 10:32:44 +00:00
Hanno Becker
0a94a64bbd Add debugging output to confirm that PSA was used for ECDHE 2019-02-18 16:42:02 +00:00
Hanno Becker
c14a3bb5a6 Make variable in ssl_write_client_key_exchange() more descriptive 2019-02-18 16:42:02 +00:00
Hanno Becker
4a63ed421c Implement ClientKeyExchange writing in PSA-based ECDHE suites
- Populate the ECDH private key slot with a fresh private EC key
  designated for the correct algorithm.
- Export the public part of the ECDH private key from PSA and
  reformat it to suite the format of the ClientKeyExchange message.
- Perform the PSA-based ECDH key agreement and store the result
  as the premaster secret for the connection.
2019-02-18 16:42:01 +00:00
Hanno Becker
bb89e2727f Implement ServerKeyExchange parsing for PSA-based ECDHE suites
- Reformat the server's ECDH public key to make it suitable
  for the PSA key agreement API. Currently, the key agreement
  API needs a full SubjectPublicKeyInfo structure, while the
  TLS ServerKeyExchange message only contains a ECPoint structure.
2019-02-18 16:42:01 +00:00
Hanno Becker
b2964cbe14 SSL/TLS client: Remove old session ticket on renegotiation
Context: During a handshake, the SSL/TLS handshake logic constructs
an instance of ::mbedtls_ssl_session representing the SSL session
being established. This structure contains information such as the
session's master secret, the peer certificate, or the session ticket
issues by the server (if applicable).

During a renegotiation, the new session is constructed aside the existing
one and destroys and replaces the latter only when the renegotiation is
complete. While conceptually clear, this means that during the renegotiation,
large pieces of information such as the peer's CRT or the session ticket
exist twice in memory, even though the original versions are removed
eventually.

This commit starts removing this memory inefficiency by freeing the old
session's SessionTicket before the one for the new session is allocated.
2019-02-08 14:26:41 +00:00
Andrzej Kurek
c470b6b021 Merge development commit 8e76332 into development-psa
Additional changes to temporarily enable running tests:
ssl_srv.c and test_suite_ecdh use mbedtls_ecp_group_load instead of
mbedtls_ecdh_setup
test_suite_ctr_drbg uses mbedtls_ctr_drbg_update instead of 
mbedtls_ctr_drbg_update_ret
2019-01-31 08:20:20 -05:00
Janos Follath
3fbdadad7b SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work
with the new context, where we can't make any assumption about the
implementation of the context.

This commit makes use of the new functions to avoid accessing ECDH
members directly. The only members that are still accessed directly are
the group ID and the point format and they are independent from the
implementation.
2018-12-06 12:22:46 +00:00
Hanno Becker
520224e577 Rename ssl_conf_has_[raw_]_psk to ssl_conf_has_static_[raw_]psk
This is to differentiate the function from the functions relevant
on the server-side, which also need to take into the PSK callback.
2018-11-21 21:12:58 +00:00
Hanno Becker
afd311ee12 Skip PMS generation on client if opaque PSK is used
For opaque PSKs, the PSK-to-MS expansion is performed atomatically
on the PSA-side.
2018-11-21 21:12:58 +00:00
Hanno Becker
dfab8e221a Allow opaque PSKs in pure-PSK ciphersuites only
In contrast, RSA-PSK, ECDHE-PSK and DHE-PSK are explicitly excluded
for the moment.
2018-11-21 21:12:58 +00:00
Hanno Becker
2e4f616708 Don't suggest the use of a PSK suite if no PSK configured on client 2018-11-21 21:12:58 +00:00
Simon Butcher
de13963d66 Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed 2018-11-12 14:30:16 +00:00
Manuel Pégourié-Gonnard
c37423fa76 Fix misleading sub-state name and comments
The enum constant had 'ske' in its name while this was a sub-state of the
"write client key exchange" state; corresponding issue in the comment.
2018-10-16 10:28:17 +02:00
Hanno Becker
8df10232cf Add explicit unsigned-to-signed integer conversion
The previous code triggered a compiler warning because of a comparison
of a signed and an unsigned integer.

The conversion is safe because `len` is representable by 16-bits,
hence smaller than the maximum integer.
2018-10-10 15:48:39 +01:00
Hanno Becker
0c161d1956 Fix bounds check in ssl_parse_server_psk_hint()
In the previous bounds check `(*p) > end - len`, the computation
of `end - len` might underflow if `end` is within the first 64KB
of the address space (note that the length `len` is controlled by
the peer). In this case, the bounds check will be bypassed, leading
to `*p` exceed the message bounds by up to 64KB when leaving
`ssl_parse_server_psk_hint()`. In a pure PSK-based handshake,
this doesn't seem to have any consequences, as `*p*` is not accessed
afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from
in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()`
which might lead to an application crash of information leakage.
2018-10-08 13:40:50 +01:00
Manuel Pégourié-Gonnard
1c1c20ed4d Fix some whitespace issues 2018-09-12 10:34:43 +02:00
Manuel Pégourié-Gonnard
125af948c3 Merge branch 'development-restricted' into iotssl-1260-non-blocking-ecc-restricted
* development-restricted: (578 commits)
  Update library version number to 2.13.1
  Don't define _POSIX_C_SOURCE in header file
  Don't declare and define gmtime()-mutex on Windows platforms
  Correct preprocessor guards determining use of gmtime()
  Correct documentation of mbedtls_platform_gmtime_r()
  Correct typo in documentation of mbedtls_platform_gmtime_r()
  Correct POSIX version check to determine presence of gmtime_r()
  Improve documentation of mbedtls_platform_gmtime_r()
  platform_utils.{c/h} -> platform_util.{c/h}
  Don't include platform_time.h if !MBEDTLS_HAVE_TIME
  Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Replace 'thread safe' by 'thread-safe' in the documentation
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  ChangeLog: Add missing renamings gmtime -> gmtime_r
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  Minor documentation improvements
  Style: Add missing period in documentation in threading.h
  Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
  Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT
  ...
2018-09-11 12:39:14 +02:00
Simon Butcher
552754a6ee Merge remote-tracking branch 'public/pr/1988' into development 2018-08-30 00:57:28 +01:00
Simon Butcher
68dbc94720 Merge remote-tracking branch 'public/pr/1951' into development 2018-08-30 00:56:56 +01:00
Simon Butcher
9d5a9e1213 Merge remote-tracking branch 'public/pr/1625' into development 2018-08-28 12:23:40 +01:00
Hanno Becker
bc2498a9ff Style: Add numerous comments indicating condition guarded by #endif 2018-08-28 10:13:29 +01:00
Hanno Becker
327c93b182 Add parameter to ssl_read_record() controlling checksum update
Previously, mbedtls_ssl_read_record() always updated the handshake
checksum in case a handshake record was received. While desirable
most of the time, for the CertificateVerify message the checksum
update must only happen after the message has been fully processed,
because the validation requires the handshake digest up to but
excluding the CertificateVerify itself. As a remedy, the bulk
of mbedtls_ssl_read_record() was previously duplicated within
ssl_parse_certificate_verify(), hardening maintenance in case
mbedtls_ssl_read_record() is subject to changes.

This commit adds a boolean parameter to mbedtls_ssl_read_record()
indicating whether the checksum should be updated in case of a
handshake message or not. This allows using it also for
ssl_parse_certificate_verify(), manually updating the checksum
after the message has been processed.
2018-08-17 16:52:08 +01:00
Manuel Pégourié-Gonnard
3879fdfece Merge remote-tracking branch 'public/pr/1955' into iotssl-165-dtls-hs-fragmentation-new
* public/pr/1955:
  Adapt ChangeLog
  Fix overly strict bounds check in ssl_parse_certificate_request()
2018-08-17 10:49:47 +02:00
Hanno Becker
ad17fe9c37 Fix overly strict bounds check in ssl_parse_certificate_request() 2018-08-16 15:51:34 +01:00
Manuel Pégourié-Gonnard
87a346f64e Always save flight first, (re)send later
This will allow fragmentation to always happen in the same place, always from
a buffer distinct from ssl->out_msg, and with the same way of resuming after
returning WANT_WRITE
2018-08-16 10:01:10 +02:00
Manuel Pégourié-Gonnard
31c1586893 Start separating handshake from record writing 2018-08-16 10:00:27 +02:00
Jaeden Amero
cac0c1a250 Merge remote-tracking branch 'upstream-public/pr/1378' into development 2018-08-10 10:59:53 +01:00
Simon Butcher
df15356259 Merge remote-tracking branch 'public/pr/1663' into development 2018-07-19 19:48:10 +01:00
Ron Eldor
755bb6af5f Add ecc extensions only if ecc ciphersuite is used
Fix compliancy to RFC4492. ECC extensions should be included
only if ec ciphersuites are used. Interoperability issue with
bouncy castle. #1157
2018-06-21 16:35:26 +03:00
Manuel Pégourié-Gonnard
79d9b50421 Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development: (180 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-20 09:46:17 +02:00
Angus Gratton
d8213d00db Let MBEDTLS_SSL_MAX_CONTENT_LEN to be split into outward & inward sizes
For the situation where the mbedTLS device has limited RAM, but the
other end of the connection doesn't support the max_fragment_length
extension. To be spec-compliant, mbedTLS has to keep a 16384 byte
incoming buffer. However the outgoing buffer can be made smaller without
breaking spec compliance, and we save some RAM.

See comments in include/mbedtls/config.h for some more details.

(The lower limit of outgoing buffer size is the buffer size used during
handshake/cert negotiation. As the handshake is half-duplex it might
even be possible to store this data in the "incoming" buffer during the
handshake, which would save even more RAM - but it would also be a lot
hackier and error-prone. I didn't really explore this possibility, but
thought I'd mention it here in case someone sees this later on a mission
to jam mbedTLS into an even tinier RAM footprint.)
2018-06-18 20:51:51 +10:00
Simon Butcher
5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Manuel Pégourié-Gonnard
558da9c3fe Make SSL error code more generic
It's undesirable to have users of the SSL layer check for an error code
specific to a lower-level layer, both out of general layering principles, and
also because if we later make another crypto module gain resume capabilities,
we would need to change the contract again (checking for a new module-specific
error code).
2018-06-13 12:02:12 +02:00
Manuel Pégourié-Gonnard
da19f4c79f Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
Summary of merge conflicts:

include/mbedtls/ecdh.h -> documentation style
include/mbedtls/ecdsa.h -> documentation style
include/mbedtls/ecp.h -> alt style, new error codes, documentation style
include/mbedtls/error.h -> new error codes
library/error.c -> new error codes (generated anyway)
library/ecp.c:
    - code of an extracted function was changed
library/ssl_cli.c:
    - code addition on one side near code change on the other side
      (ciphersuite validation)
library/x509_crt.c -> various things
    - top fo file: helper structure added near old zeroize removed
    - documentation of find_parent_in()'s signature: improved on one side,
      added arguments on the other side
    - documentation of find_parent()'s signature: same as above
    - verify_chain(): variables initialised later to give compiler an
      opportunity to warn us if not initialised on a code path
    - find_parent(): funcion structure completely changed, for some reason git
      tried to insert a paragraph of the old structure...
    - merge_flags_with_cb(): data structure changed, one line was fixed with a
      cast to keep MSVC happy, this cast is already in the new version
    - in verify_restratable(): adjacent independent changes (function
      signature on one line, variable type on the next)
programs/ssl/ssl_client2.c:
    - testing for IN_PROGRESS return code near idle() (event-driven):
      don't wait for data in the the socket if ECP_IN_PROGRESS
tests/data_files/Makefile: adjacent independent additions
tests/suites/test_suite_ecdsa.data: adjacent independent additions
tests/suites/test_suite_x509parse.data: adjacent independent additions

* development: (1059 commits)
  Change symlink to hardlink to avoid permission issues
  Fix out-of-tree testing symlinks on Windows
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  ...
2018-06-13 09:52:54 +02:00
Philippe Antoine
b5b254300e Fix undefined shifts
- in x509_profile_check_pk_alg
- in x509_profile_check_md_alg
- in x509_profile_check_key

and in ssl_cli.c : unsigned char gets promoted to signed integer
2018-06-06 14:27:12 +02:00
Philippe Antoine
747fd53938 Fixes different off by ones 2018-06-05 16:13:10 +02:00
Darryl Green
11999bb72e Fix minor code style issues 2018-05-15 09:21:57 +01:00
Jaeden Amero
a331e0f0af Merge remote-tracking branch 'upstream-restricted/pr/421' into development-proposed 2018-05-04 14:39:24 +01:00
Andrzej Kurek
03bac448db Change accepted ciphersuite versions when parsing server hello
Accept only ciphersuites for version chosen by the server
2018-04-25 05:06:07 -04:00
Gilles Peskine
ca1d742904 mbedtls_ssl_get_key_exchange_md_tls1_2: return hashlen
In mbedtls_ssl_get_key_exchange_md_tls1_2, add an output parameter for
the hash length. The code that calls this function can currently do
without it, but it will need the hash length in the future, when
adding support for a third-party callback to calculate the signature
of the hash.
2018-04-24 11:53:22 +02:00
Mohammad Azim Khan
1d3b508b82 Same ciphersuite validation in server and client hello 2018-04-20 18:54:18 +01:00
Gilles Peskine
f2b76cd45c Merge remote-tracking branch 'upstream-restricted/pr/461' into development-restricted-proposed 2018-04-19 17:41:39 +02:00
Andres Amaya Garcia
1f6301b3c8 Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
Andres Amaya Garcia
e32df087fb Remove individual copies of mbedtls_zeroize()
This commit removes all the static occurrencies of the function
mbedtls_zeroize() in each of the individual .c modules. Instead the
function has been moved to utils.h that is included in each of the
modules.
2018-04-17 09:19:05 -05:00
Krzysztof Stachowiak
94d49978eb Improve comments style 2018-04-05 14:48:55 +02:00
Krzysztof Stachowiak
cd09fc812d Remove a redundant test 2018-04-05 14:48:18 +02:00
Krzysztof Stachowiak
73b183c3bb Add buffer size check before cert_type_len read 2018-04-05 10:20:09 +02:00
Gilles Peskine
f15a8beacf Merge remote-tracking branch 'upstream-public/pr/1256' into development-proposed 2018-03-22 21:51:53 +01:00
Krzysztof Stachowiak
bc231cc9b0 Add a missing buffer size check 2018-03-20 14:09:53 +01:00
Krzysztof Stachowiak
bc145f7978 Correct buffer size check
Further in the code the next field from the binary buffer is read. The
check contained an off by one error.
2018-03-20 11:19:50 +01:00
Jaeden Amero
d1fedc55d7 Merge remote-tracking branch 'upstream-public/pr/1440' into development-proposed 2018-03-15 08:23:35 +00:00
Jaeden Amero
95ad522ecc Merge remote-tracking branch 'upstream-public/pr/1439' into development-proposed 2018-03-15 08:23:10 +00:00
Krzysztof Stachowiak
5224a7544c Prevent arithmetic overflow on bounds check 2018-03-13 11:31:38 +01:00
Krzysztof Stachowiak
740b218386 Add bounds check before length read 2018-03-13 11:31:14 +01:00
Krzysztof Stachowiak
027f84c69f Prevent arithmetic overflow on bounds check 2018-03-13 11:29:24 +01:00
Krzysztof Stachowiak
a1098f81c2 Add bounds check before signature length read 2018-03-13 11:28:49 +01:00
Gilles Peskine
d5f7d24e84 Merge branch 'pr_1064' into development-proposed 2018-03-13 00:08:05 +01:00