Commit graph

7377 commits

Author SHA1 Message Date
Hanno Becker
98081a09e6 Don't use uint8_t for bitfields
Fixing a build failure using armcc.
2018-08-22 13:32:50 +01:00
Hanno Becker
aa24937853 Adapt ChangeLog 2018-08-22 10:27:13 +01:00
Hanno Becker
3546201dbc Merge branch 'datagram_packing' into message_reordering 2018-08-22 10:25:40 +01:00
Hanno Becker
a67dee256d Merge branch 'iotssl-2402-basic-pmtu-adaptation' into datagram_packing 2018-08-22 10:06:38 +01:00
Manuel Pégourié-Gonnard
f47a4afea3 Fix a typo in comments 2018-08-22 10:50:30 +02:00
Manuel Pégourié-Gonnard
b8eec192f6 Implement PMTU auto-reduction in handshake 2018-08-22 10:50:30 +02:00
Hanno Becker
170e2d89da Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-22 09:44:54 +01:00
Manuel Pégourié-Gonnard
68ae351dbe Fix some whitespace in documentation 2018-08-22 10:32:20 +02:00
Manuel Pégourié-Gonnard
c1d54b74ec Add tests with non-blocking I/O
Make sure we behave properly when f_send() or f_recv() return
MBEDTLS_ERR_SSL_WANT_{WRITE,READ}.
2018-08-22 10:02:59 +02:00
Manuel Pégourié-Gonnard
3d183cefb5 Allow client-side resend in proxy MTU tests
From Hanno:
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.
2018-08-22 09:56:22 +02:00
Hanno Becker
903ee3d363 Merge branch 'datagram_packing' into message_reordering 2018-08-21 17:24:17 +01:00
Hanno Becker
01315ea03a Account for future epoch records in the total buffering size
Previous commits introduced the field `total_bytes_buffered`
which is supposed to keep track of the cumulative size of
all heap allocated buffers used for the purpose of reassembly
and/or buffering of future messages.

However, the buffering of future epoch records were not reflected
in this field so far. This commit changes this, adding the length
of a future epoch record to `total_bytes_buffered` when it's buffered,
and subtracting it when it's freed.
2018-08-21 17:22:17 +01:00
Hanno Becker
a02b0b462d Add function making space for current message reassembly
This commit adds a static function ssl_buffer_make_space() which
takes a buffer size as an argument and attempts to free as many
future message bufffers as necessary to ensure that the desired
amount of buffering space is available without violating the
total buffering limit set by MBEDTLS_SSL_DTLS_MAX_BUFFERING.
2018-08-21 17:20:27 +01:00
Hanno Becker
175cb8fc69 ssl-opt.sh: Allow resend in DTLS session resumption tests, cont'd
This commit continues commit 47db877 by removing resend guards in the
ssl-opt.sh tests 'DTLS fragmenting: proxy MTU, XXX' which sometimes made
the tests fail in case the log showed a resend from the client.

See 47db877 for more information.
2018-08-21 17:00:10 +01:00
Hanno Becker
e1801399a9 Add another debug message to ssl_buffer_message()
Report if there's not enough buffering space available to reassemble
the next expected incoming message.
2018-08-21 16:51:05 +01:00
Hanno Becker
e35670528b ssl-opt.sh: Add test for reassembly after reordering 2018-08-21 16:50:43 +01:00
Hanno Becker
101bcba26f UDP proxy: Allow more than one message to be delayed
Previously, the UDP proxy could only remember one delayed message
for future transmission; if two messages were delayed in succession,
without another one being normally forwarded in between,
the message that got delayed first would be dropped.

This commit enhances the UDP proxy to allow to delay an arbitrary
(compile-time fixed) number of messages in succession.
2018-08-21 16:50:30 +01:00
Hanno Becker
55e9e2aa6b Free future buffers if next handshake messages can't be reassembled
If the next expected handshake message can't be reassembled because
buffered future messages have already used up too much of the available
space for buffering, free those future message buffers in order to
make space for the reassembly, starting with the handshake message
that's farthest in the future.
2018-08-21 16:24:30 +01:00
Hanno Becker
e605b19631 Add function to free a particular buffering slot
This commit adds a static function ssl_buffering_free_slot()
which allows to free a particular structure used to buffer
and/or reassembly some handshake message.
2018-08-21 16:24:27 +01:00
Hanno Becker
96a6c69d0c Correct bounds check in ssl_buffer_message()
The previous bounds check omitted the DTLS handshake header.
2018-08-21 16:11:09 +01:00
Hanno Becker
e0b150f96b Allow limiting the total amount of heap allocations for buffering
This commit introduces a compile time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING
to mbedtls/config.h which allows the user to control the cumulative size of
all heap buffer allocated for the purpose of reassembling and buffering
handshake messages.

It is put to use by introducing a new field `total_bytes_buffered` to
the buffering substructure of `mbedtls_ssl_handshake_params` that keeps
track of the total size of heap allocated buffers for the purpose of
reassembly and buffering at any time. It is increased whenever a handshake
message is buffered or prepared for reassembly, and decreased when a
buffered or fully reassembled message is copied into the input buffer
and passed to the handshake logic layer.

This commit does not yet include future epoch record buffering into
account; this will be done in a subsequent commit.

Also, it is now conceivable that the reassembly of the next expected
handshake message fails because too much buffering space has already
been used up for future messages. This case currently leads to an
error, but instead, the stack should get rid of buffered messages
to be able to buffer the next one. This will need to be implemented
in one of the next commits.
2018-08-21 16:11:04 +01:00
Hanno Becker
2a97b0e7a3 Introduce function to return size of buffer needed for reassembly
A previous commit introduced the function ssl_prepare_reassembly_buffer()
which took a message length and a boolean flag indicating if a reassembly
bit map was needed, and attempted to heap-allocate a buffer of sufficient
size to hold both the message, its header, and potentially the reassembly
bitmap.

A subsequent commit is going to introduce a limit on the amount of heap
allocations allowed for the purpose of buffering, and this change will
need to know the reassembly buffer size before attempting the allocation.

To this end, this commit changes ssl_prepare_reassembly_buffer() into
ssl_get_reassembly_buffer_size() which solely computes the reassembly
buffer size, and performing the heap allocation manually in
ssl_buffer_message().
2018-08-21 15:47:49 +01:00
Hanno Becker
5bcf2b081f ssl-opt.sh: Allow spurious resend in DTLS session resumption test
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.

This commit removes a guard in the ssl-opt.sh test
'DTLS fragmenting: proxy MTU, resumed handshake' which made
the test fail in case the log showed a resend from the client.
2018-08-21 15:04:22 +01:00
Hanno Becker
e678eaa93e Reject invalid CCS records early
This commit moves the length and content check for CCS messages to
the function mbedtls_ssl_handle_message_type() which is called after
a record has been deprotected.

Previously, these checks were performed in the function
mbedtls_ssl_parse_change_cipher_spec(); however, now that
the arrival of out-of-order CCS messages is remembered
as a boolean flag, the check also has to happen when this
flag is set. Moving the length and content check to
mbedtls_ssl_handle_message_type() allows to treat both
checks uniformly.
2018-08-21 14:57:46 +01:00
Hanno Becker
47db877039 ssl_write_record: Consider setting flush variable only if unset 2018-08-21 13:32:13 +01:00
Hanno Becker
1f5a15d86d Check retval of remaining_payload_in_datagram in ssl_write_record() 2018-08-21 13:31:31 +01:00
Hanno Becker
ecff205548 Remove stray bracket if MBEDTLS_ZLIB_SUPPORT is defined 2018-08-21 13:20:00 +01:00
Hanno Becker
f61ff4e1d6 ssl_server2: Remove redundant new line 2018-08-21 13:17:47 +01:00
Manuel Pégourié-Gonnard
2f2d9020cd Add delay in test to avoid race condition
We previously observed random-looking failures from this test. I think they
were caused by a race condition where the client tries to reconnect while the
server is still closing the connection and has not yet returned to an
accepting state. In that case, the server would fail to see and reply to the
ClientHello, and the client would have to resend it.

I believe logs of failing runs are compatible with this interpretation:
- the proxy logs show the new ClientHello and the server's closing Alert are
  sent the same millisecond.
- the client logs show the server's closing Alert is received after the new
  handshake has been started (discarding message from wrong epoch).

The attempted fix is for the client to wait a bit before reconnecting, which
should vastly enhance the probability of the server reaching its accepting
state before the client tries to reconnect. The value of 1 second is arbitrary
but should be more than enough even on loaded machines.

The test was run locally 100 times in a row on a slightly loaded machine (an
instance of all.sh running in parallel) without any failure after this fix.
2018-08-21 12:17:54 +02:00
Manuel Pégourié-Gonnard
661103595e Try to further clarify documentation 2018-08-21 11:55:40 +02:00
Manuel Pégourié-Gonnard
000281e07d Fix "unused parameter" warning in small configs 2018-08-21 11:20:58 +02:00
Manuel Pégourié-Gonnard
f2f1d40d6d Improve wording in ChangeLog and documentation 2018-08-21 09:53:22 +02:00
Manuel Pégourié-Gonnard
6151298395 Add missing requires_gnutls guards 2018-08-21 09:40:07 +02:00
Hanno Becker
6aeaa05a95 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-20 12:53:37 +01:00
Hanno Becker
f362c297fa ssl-opt.sh Add dependency on gnutls in two fragmentation tests 2018-08-20 12:40:23 +01:00
Hanno Becker
4e1a9c17f2 ssl-opt.sh: Preserve proxy log, too, if --preserve-logs is specified 2018-08-20 12:22:09 +01:00
Hanno Becker
513815a38d Fix typo in debugging output 2018-08-20 11:56:09 +01:00
Hanno Becker
4cb782d2f6 Return from ssl_load_buffered_record early if no record is buffered 2018-08-20 11:19:05 +01:00
Manuel Pégourié-Gonnard
a1071a58a3 Compute record expansion at the right time
Depends on the current transform, which might change when retransmitting a
flight containing a Finished message, so compute it only after the transform
is swapped.
2018-08-20 11:56:14 +02:00
Manuel Pégourié-Gonnard
4532329397 Add proxy-enforcement to a MTU test 2018-08-20 11:52:24 +02:00
Hanno Becker
9829315235 Add missing dependency in ssl-opt.sh 2018-08-20 11:18:34 +02:00
Hanno Becker
58e9dc3d4b Allow GNUTLS_NEXT_CLI / GNUTLS_NEXT_SERV to be unset in ssl-opt.sh 2018-08-20 11:18:15 +02:00
Manuel Pégourié-Gonnard
050dd6ad35 Improve documentation of ssl_set_mtu(). 2018-08-20 11:16:40 +02:00
Manuel Pégourié-Gonnard
065a2a3472 Fix some typos and links in comments and doc 2018-08-20 11:09:26 +02:00
Manuel Pégourié-Gonnard
02f3a8a921 Adjust timeout values for 3d test
Use the same values as other 3d tests: this makes the test hopefully a bit
faster than the default values, while not increasing the failure rate.

While at it:
- adjust "needs_more_time" setting for 3d interop tests (we can't set the
  timeout values for other implementations, so the test might be slow)
- fix some supposedly DTLS 1.0 test that were using dtls1_2 on the command
  line
2018-08-20 10:54:25 +02:00
Hanno Becker
caf8741891 Fix typo in documentation of UDP proxy argument 'delay_cli' 2018-08-20 09:45:51 +01:00
Hanno Becker
3a0aad1c9d Rename update_digest to update_hs_digest 2018-08-20 09:44:02 +01:00
Hanno Becker
4422bbb096 Whitespace fixes 2018-08-20 09:40:19 +01:00
Hanno Becker
e00ae375d3 Omit debug output in ssl_load_buffered_message outside a handshake 2018-08-20 09:39:42 +01:00
Manuel Pégourié-Gonnard
6e7aaca146 Move MTU setting to SSL context, not config
This setting belongs to the individual connection, not to a configuration
shared by many connections. (If a default value is desired, that can be handled
by the application code that calls mbedtls_ssl_set_mtu().)

There are at least two ways in which this matters:
- per-connection settings can be adjusted if MTU estimates become available
  during the lifetime of the connection
- it is at least conceivable that a server might recognize restricted clients
  based on range of IPs and immediately set a lower MTU for them. This is much
easier to do with a per-connection setting than by maintaining multiple
near-duplicated ssl_config objects that differ only by the MTU setting.
2018-08-20 10:37:23 +02:00