Commit graph

533 commits

Author SHA1 Message Date
TRodziewicz
6370dbeb1d Remove the _SSL_FALLBACK_ parts
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:59 +02:00
TRodziewicz
2d8800e227 Small corrections in the comments
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:24 +02:00
TRodziewicz
b5850c5216 Correction of too restrictive ssl cli minor check
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:15 +02:00
TRodziewicz
0f82ec6740 Remove the TLS 1.0 and 1.1 support
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:45:20 +02:00
Gilles Peskine
85f023b007
Merge pull request #3950 from gilles-peskine-arm/dhm_min_bitlen-bits
Enforce dhm_min_bitlen exactly
2021-04-29 14:55:30 +02:00
Mateusz Starzyk
c301bd56f0 Merge branch 'development_3.0' into drop_old_tls_options 2021-04-15 13:55:20 +02:00
Dave Rodgman
73e3e2cb1a Merge remote-tracking branch 'origin/development' into development_new
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

Conflicts:
        include/mbedtls/check_config.h: nearby edits
	library/entropy.c: nearby edits
	programs/random/gen_random_havege.c: modification vs. removal
	programs/ssl/ssl_test_lib.h: nearby edits
	programs/test/cpp_dummy_build.cpp: nearby edits
	visualc/VS2010/mbedTLS.vcxproj: automatically generated file,
            regenerated with scripts/generate_visualc_files.pl
2021-04-07 16:31:09 +01:00
Gilles Peskine
e8a2fc8461 Enforce dhm_min_bitlen exactly, not just the byte size
In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-01 14:20:03 +02:00
Mateusz Starzyk
5224e29f0e Drop support for RC4 TLS ciphersuites.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:54 +01:00
Mateusz Starzyk
a3a9984a5d Drop support for TLS record-level compression.
Remove option MBEDTLS_ZLIB_SUPPORT.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:51 +01:00
Mateusz Starzyk
06b07fb839 Drop support for SSLv3.
Remove options: MBEDTLS_SSL_MINOR_VERSION_0 and
MBEDTLS_SSL_PROTO_SSL3).

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:19:05 +01:00
Paul Elliott
d48d5c6615 Fix size_t and longlong specifiers for MinGW
MinGW and older windows compilers cannot cope with %zu or %lld (there is
a workaround for MinGW, but it involves linking more code, there is no
workaround for Windows compilers prior to 2013). Attempt to work around
this by defining printf specifiers for size_t per platform for the
compilers that cannot use the C99 specifiers.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Paul Elliott
3891caf1ce Misc review requested fixes
Style fixes and cast certain defines to size_t

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Paul Elliott
9f35211774 Fixes for invalid printf format specifiers
Fixes for printf format specifiers, where they have been flagged as
invalid sizes by coverity, and new build flags to enable catching these
errors when building using CMake. Note that this patch uses %zu, which
requires C99 or later.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Chris Jones
84a773f8e6 Rename ssl_internal.h to ssl_misc.h
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
e2191cd789 Update includes to use library/ instead of include/mbedtls/
Simple find and replace using `#include (<|")mbedtls/(.*)_internal.h(>|")`
and `#include $1$2_internal.h$3`.

Also re-generated visualc files by running
`scripts/generate_visualc_files.pl`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Ronald Cron
cf56a0a320 psa: Move from key handle to key identifier
Move all the PSA crypto APIs using key handles
to use key identifiers but psa_key_open() and
psa_key_close(). This is done without modifying
any test as key handles and key identifiers are
now the same.

Update the library modules using PSA crypto APIs
to get rid of key handles.

Programs and unit tests are updated to not use
key handles in subsequent commits, not in this
one.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
c26f8d467a Introduce psa_key_handle_is_null inline function
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
91e9515424 Introduce PSA_KEY_HANDLE_INIT macro
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Johan Pascal
c3ccd98a91 Check transport in the extension parser/writer
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
5ef72d214f Style and typos
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
275874bc47 Fix previous commit
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
20c7db3a67 API modified so server side can get mki value
+ client side discards self mki if server does not support it

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
adbd9449ec More minor fix
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
76fdf1d60e Minor fix and improvements
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
d387aa0586 style + missing cast
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
77696eedac Add bound check in the client ssl_write_use_srtp_ext
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
aae4d22b16 Improve code readability
+micro optimization
+style

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
e79c1e8121 style
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
f6417ecf60 mki length feats in a uint16_t
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
43f9490a52 SRTP profiles definition use macros only
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
9bc97ca19d SRTP-DTLS protection profile configuration list not copied into ssl_config
+ improve test
+ minor style fix

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
a89ca8679f The client shall not enforce the use of client certificate with use_srtp extension
This is server's task to request it if needed

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
313d7b5d74 Add variable validation
1. Check allocation success.
2. Check parameter correctness in the use_srtp extension
in server and client.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
75870ec6a7 Change byte copy to memcpy
Change setting the mki value byte after byte with `memcpy()`.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
089c9fe9fa Improve readability
Improve readability of the code:
1. move common code to `ssl_internal.h` as `static inline`.
2. Add comments.
3. Use local variables for extension size.
4. Change function signature, by adding buffer size and output length.
5. Take server srtp profile out of the loop.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
a978804a1b Style fixes
1. Fix indentations.
2. Remove redundant whitespaces.
3. Keep short lines.
4. Grammar fixes.
5. Rephrase function description.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
ef72faf2bb Style fixes
1. Adjust to 80 colums where possible.
2. Add \ remove spaces where needed.
3. Fix alignments.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
b465539476 Add tests and code to support
1. Add DTLS-SRTP tests in `ssl-opts.sh`
2. Add logs for the tests to filter.
3. Add function to get the profile informations.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
12c6eaddd5 Fix mki issues
1. Set correct mki from the `use_srtp` extension.
2. Use mki value received from the client as the mki used by server.
3. Use `mbedtls_ssl_dtls_srtp_set_mki_value()` as a client API only.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
9d36d311e3 Fix failure in ssl-opts.sh
Return a debg message that was removed in previous commit,
Whic is searched in the ssl-opts.sh test.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
57cc70ec81 Enforce SRTP mandatory HS messages
Enforce CertificateRequest, client and server Certificates, and
CertificateVerify messages, which are mandatory in DTLS-SRTP,
as defined in RFC 5764 section 4.1

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
591f162bed support mki value
Add support mki value in the DTLS-SRTP

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
3adb9928f3 Add mki value and some review comments
1. Add check for prerequisites in check_config.h
2. Add mki value to use_srtp extension
3. address some review comments

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
701984d300 Comply with mbedtls naming rules
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
bbc057af73 Move available dtls srtp profile list to ssl_config
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
b62bb51aff Add RFC5764 - SRTP key generation during DTLS handshake
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Manuel Pégourié-Gonnard
6edfe60e0d
Merge pull request #2182 from hanno-arm/key_pwd
Add support for password protected key files to ssl_server2 and ssl_client2
2020-08-24 09:42:38 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Hanno Becker
3c88c65426 Fix debug format specifier in ClientHello ciphersuite log 2020-08-14 09:59:26 +01:00
Hanno Becker
ecea07d6c3 Unify ciphersuite related debug output on client and server
The client previously reproted the offered ciphersuites through
their numerical identifier only, while the server reported them
through their name.

This commit modifies the debug output on client and server to
both use the format `ID (NAME)` for the ciphersuites.
2020-08-14 09:58:51 +01:00
Gilles Peskine
db09ef6d22 Include common.h instead of config.h in library source files
In library source files, include "common.h", which takes care of
including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE)
and other things that are used throughout the library.

FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00
Ronald Cron
5ee5707521 ssl_client: Align line breaking with MBEDTLS_SSL_DEBUG_*
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-11 09:34:06 +02:00
Hanno Becker
e131bfec29 Return error in case of bad user configurations
This commits adds returns with the SSL_BAD_CONFIG error code
in case of bad user configurations.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-29 15:10:30 +02:00
Hanno Becker
261602cb34 Uniformize bounds checks using new macro
This commit uses the previously defined macro to uniformize
bounds checks in several places. It also adds bounds checks to
the ClientHello writing function that were previously missing.
Also, the functions adding extensions to the ClientHello message
can now fail if the buffer is too small or a different error
condition occurs, and moreover they take an additional buffer
end parameter to free them from the assumption that one is
writing to the default output buffer.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-29 15:07:00 +02:00
Ronald Cron
4c7bbe289a Remove unnecessary MBEDTLS_ECP_C preprocessor condition
The ssl_cli.c:ssl_write_supported_elliptic_curves_ext()
function is compiled only if MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C
or MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED is defined which
implies that MBEDTLS_ECP_C is defined. Thus remove the
precompiler conditions on MBEDTLS_ECP_C in its code.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-07 10:54:43 +02:00
Hanno Becker
b2fff6d7ed Shorten lines in library/ssl_cli.c to at most 80 characters
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-06 16:05:42 +02:00
Manuel Pégourié-Gonnard
28482397d3 Merge branch 'development-restricted' into prepare-rc-2.22.0-updated
* development-restricted:
  Parse HelloVerifyRequest buffer overread: add changelog entry
  Parse HelloVerifyRequest: avoid buffer overread at the start
  Parse HelloVerifyRequest: avoid buffer overread on the cookie
2020-04-09 12:17:11 +02:00
Manuel Pégourié-Gonnard
215d2e14a3 Merge remote-tracking branch 'restricted/pr/662' into development-restricted
* restricted/pr/662:
  Parse HelloVerifyRequest buffer overread: add changelog entry
  Parse HelloVerifyRequest: avoid buffer overread at the start
  Parse HelloVerifyRequest: avoid buffer overread on the cookie
2020-04-09 11:53:01 +02:00
Manuel Pégourié-Gonnard
15f30dc7e6 Merge remote-tracking branch 'public/pr/2856' into development
* public/pr/2856:
  Fix issue  #2718 (condition always false)
2020-04-06 10:15:49 +02:00
Gilles Peskine
eccd888717 Rename identifiers containing double-underscore
Rename identifiers containing double-underscore (`__`) to avoid `__`.
The reason to avoid double-underscore is that all identifiers
containing double-underscore are reserved in C++. Rename all such
identifiers that appear in any public header, including ssl_internal.h
which is in principle private but in practice is installed with the
public headers.

This commit makes check-names.sh pass.

```
perl -i -pe 's/\bMBEDTLS_SSL__ECP_RESTARTABLE\b/MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED/g; s/\bMBEDTLS_KEY_EXCHANGE_(_\w+)_(_\w+)\b/MBEDTLS_KEY_EXCHANGE${1}${2}/g' include/mbedtls/*.h library/*.c programs/*/*.c scripts/data_files/rename-1.3-2.0.txt tests/suites/*.function
```
2020-03-23 17:55:32 +01:00
Gilles Peskine
42459805ce USE_PSA_CRYPTO: don't rely on the curve encoding
Adapt to the change of encoding of elliptic curve key types in PSA
crypto. Before, an EC key type encoded the TLS curve identifier. Now
the EC key type only includes an ad hoc curve family identifier, and
determining the exact curve requires both the key type and size. This
commit moves from the old encoding and old definitions from
crypto/include/mbedtls/psa_util.h to the new encoding and definitions
from the immediately preceding crypto submodule update.
2020-01-31 14:57:43 +01:00
Janos Follath
73c616bdc1 Put includes in alphabetical order
The library style is to start with the includes corresponding to the
current module and then the rest in alphabetical order. Some modules
have several header files (eg. ssl_internal.h).

The recently added error.h includes did not respect this convention and
this commit restores it. In some cases this is not possible just by
moving the error.h declarations. This commit fixes the pre-existing
order in these instances too.
2019-12-19 10:27:57 +00:00
Janos Follath
865b3ebf84 Initialize return values to an error
Initializing the return values to an error is best practice and makes
the library more robust against programmer errors.
2019-12-16 15:15:16 +00:00
irwir
6527bd6dfc Fix issue #2718 (condition always false) 2019-11-04 19:52:26 +03:00
Gilles Peskine
b64bf0638f Parse HelloVerifyRequest: avoid buffer overread at the start
In ssl_parse_hello_verify_request, we read 3 bytes (version and cookie
length) without checking that there are that many bytes left in
ssl->in_msg. This could potentially read from memory outside of the
ssl->receive buffer (which would be a remotely exploitable
crash).
2019-09-27 14:02:44 +02:00
Gilles Peskine
b51130dd5c Parse HelloVerifyRequest: avoid buffer overread on the cookie
In ssl_parse_hello_verify_request, we print cookie_len bytes without
checking that there are that many bytes left in ssl->in_msg. This
could potentially log data outside the received message (not a big
deal) and could potentially read from memory outside of the receive
buffer (which would be a remotely exploitable crash).
2019-09-27 14:00:36 +02:00
Manuel Pégourié-Gonnard
de718b99b5 Make calc_verify() return the length as well
Simplifies ssl_compute_hash(), but unfortunately not so much the other uses.
2019-08-23 12:45:33 +03:00
Janos Follath
df3b0892ce Use psa_raw_key_agreement
In PSA 1.0 raw key agreement has been moved from
psa_key_derivation_key_agreement() to its own separate function call,
called psa_raw_key_agreement().
2019-08-16 13:37:32 +01:00
Janos Follath
1239d70870 Remove calls to psa_allocate_key
In PSA 1.0 keys are allocated implicitly by other functions
(like psa_import_key) and psa_allocate_key is not needed and does not
exist anymore.
2019-08-16 13:37:32 +01:00
Janos Follath
53b8ec27a2 Make variable naming consistent 2019-08-16 13:37:32 +01:00
Janos Follath
7bb5e6b4da Update psa_create_key to PSA 1.0 2019-08-16 13:37:32 +01:00
Janos Follath
bd096101b5 Update psa_generator_abort to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
6de99db449 Update psa_generator_read to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
7d7ded85fb Update psa_key_agreement to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
7374ee6139 Update GENERATOR_INIT macro to PSA 1.0 2019-08-16 11:45:55 +01:00
Janos Follath
3d158ebd2f Update KEYPAIR macros to PSA 1.0 2019-08-16 11:45:53 +01:00
Hanno Becker
a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker
ebcc9137ca Consistently reference CID draft through name + URL 2019-06-03 16:07:50 +01:00
Hanno Becker
4cac442211 Update references to CID draft to version 5 2019-06-03 16:07:50 +01:00
Hanno Becker
79594fd0d4 Set pointer to start of plaintext at record decryption time
The SSL context structure mbedtls_ssl_context contains several pointers
ssl->in_hdr, ssl->in_len, ssl->in_iv, ssl->in_msg pointing to various
parts of the record header in an incoming record, and they are setup
in the static function ssl_update_in_pointers() based on the _expected_
transform for the next incoming record.
In particular, the pointer ssl->in_msg is set to where the record plaintext
should reside after record decryption, and an assertion double-checks this
after each call to ssl_decrypt_buf().

This commit removes the dependency of ssl_update_in_pointers() on the
expected incoming transform by setting ssl->in_msg to ssl->in_iv --
the beginning of the record content (potentially including the IV) --
and adjusting ssl->in_msg after calling ssl_decrypt_buf() on a protected
record.

Care has to be taken to not load ssl->in_msg before calling
mbedtls_ssl_read_record(), then, which was previously the
case in ssl_parse_server_hello(); the commit fixes that.
2019-06-03 16:07:50 +01:00
Hanno Becker
5a29990367 Improve structure of client-side CID extension parsing
Group configuring CID values together.
2019-06-03 14:43:16 +01:00
Hanno Becker
2262648b69 Improve debugging output of client-side CID extension parsing 2019-06-03 14:43:16 +01:00
Hanno Becker
a8373a11c0 Implement parsing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
49770ffd93 Implement writing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Andrzej Kurek
ade9e28d9f ssl_cli.c : add explicit casting to unsigned char
Signal casting from size_t to unsigned char explicitly, so that the compiler
does not raise a warning about possible loss of data on MSVC, targeting
64-bit Windows.
2019-05-23 03:01:35 -04:00
Hanno Becker
e694c3ef3e Remove ciphersuite_info from ssl_transform
Prior to this commit, the security parameter struct `ssl_transform`
contained a `ciphersuite_info` field pointing to the information
structure for the negotiated ciphersuite. However, the only
information extracted from that structure that was used in the core
encryption and decryption functions `ssl_encrypt_buf`/`ssl_decrypt_buf`
was the authentication tag length in case of an AEAD cipher.

The present commit removes the `ciphersuite_info` field from the
`ssl_transform` structure and adds an explicit `taglen` field
for AEAD authentication tag length.

This is in accordance with the principle that the `ssl_transform`
structure should contain the raw parameters needed for the record
encryption and decryption functions to work, but not the higher-level
information that gave rise to them. For example, the `ssl_transform`
structure implicitly contains the encryption/decryption keys within
their cipher contexts, but it doesn't contain the SSL master or
premaster secrets. Likewise, it contains an explicit `maclen`, while
the status of the 'Truncated HMAC' extension -- which  determines the
value of `maclen` when the `ssl_transform` structure is created in
`ssl_derive_keys` -- is not contained in `ssl_transform`.

The `ciphersuite_info` pointer was used in other places outside
the encryption/decryption functions during the handshake, and for
these functions to work, this commit adds a `ciphersuite_info` pointer
field to the handshake-local `ssl_handshake_params` structure.
2019-04-25 12:58:21 +01:00
Hanno Becker
bd5580abb1 Add further debug statements on assertion failures 2019-02-26 14:38:09 +00:00
Hanno Becker
62d58ed975 Add debug output in case of assertion failure 2019-02-26 14:38:09 +00:00
Hanno Becker
ae553dde3a Free peer's public key as soon as it's no longer needed
On constrained devices, this saves a significant amount of RAM that
might be needed for subsequent expensive operations like ECDHE.
2019-02-26 14:38:09 +00:00
Hanno Becker
a6899bb89d Adapt client-side signature verification to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker
be7f50866d Adapt ssl_get_ecdh_params_from_cert() to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker
c7d7e29b46 Adapt ssl_write_encrypted_pms() to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker
8273df8383 Re-classify errors on missing peer CRT
mbedtls_ssl_parse_certificate() will fail if a ciphersuite requires
a certificate, but none is provided. While it is sensible to double-
check this, failure should be reported as an internal error and not
as an unexpected message.
2019-02-26 14:38:09 +00:00
Hanno Becker
77adddc9e9 Make use of macro and helper detecting whether CertRequest allowed
This commit simplifies the client-side code for outgoing CertificateVerify
messages, and server-side code for outgoing CertificateRequest messages and
incoming CertificateVerify messages, through the use of the macro

   `MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED`

indicating whether a ciphersuite allowing CertificateRequest messages
is enabled in the configuration, as well as the helper function

   `mbedtls_ssl_ciphersuite_cert_req_allowed()`

indicating whether a particular ciphersuite allows CertificateRequest
messages.

These were already used in the client-side code to simplify the
parsing functions for CertificateRequest messages.
2019-02-26 14:38:09 +00:00
Jaeden Amero
86016a03a1 Merge remote-tracking branch 'origin/pr/2338' into development 2019-02-22 12:55:30 +00:00
Jaeden Amero
9f47f82218 Merge remote-tracking branch 'origin/pr/2391' into development 2019-02-22 10:32:44 +00:00
Hanno Becker
0a94a64bbd Add debugging output to confirm that PSA was used for ECDHE 2019-02-18 16:42:02 +00:00
Hanno Becker
c14a3bb5a6 Make variable in ssl_write_client_key_exchange() more descriptive 2019-02-18 16:42:02 +00:00
Hanno Becker
4a63ed421c Implement ClientKeyExchange writing in PSA-based ECDHE suites
- Populate the ECDH private key slot with a fresh private EC key
  designated for the correct algorithm.
- Export the public part of the ECDH private key from PSA and
  reformat it to suite the format of the ClientKeyExchange message.
- Perform the PSA-based ECDH key agreement and store the result
  as the premaster secret for the connection.
2019-02-18 16:42:01 +00:00