Commit graph

4225 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
68e3dff3f1 Add parameter validation XTS setkey functions 2018-12-18 12:22:40 +01:00
Hanno Becker
6640b0d9a3 Undo deprecation of MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH 2018-12-18 09:53:14 +00:00
Hanno Becker
a034369eca Undo deprecation of MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH 2018-12-18 09:53:11 +00:00
Hanno Becker
938f9e9bdb Undo deprecation of MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
Merging MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH and
MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH is an API break.
2018-12-18 09:50:57 +00:00
Hanno Becker
3214215b1e Update errors.c 2018-12-17 13:26:42 +00:00
Hanno Becker
d2f3a00062 Introduce single BLOWFISH error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
* MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
2018-12-17 13:26:37 +00:00
Hanno Becker
4c029d09be Introduce single CAMELLIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:33 +00:00
Hanno Becker
2f47550018 Introduce single ARIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:28 +00:00
Manuel Pégourié-Gonnard
e451be5d04 Update version_features.c 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
44c5d58d05 Document AES functions and fix free() functions 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
0e9cddbf1a Introduce generic validation macros
Avoid duplicating source code for each module.
2018-12-11 12:28:56 +01:00
Simon Butcher
4c37db6d87 Remove the library provided function of MBEDTLS_PARAM_FAILED
The function called through the macro MBEDTLS_PARAM_FAILED() must be supplied by
users and makes no sense as a library function, apart from debug and test.
2018-12-11 12:28:56 +01:00
Simon Butcher
5201e414aa Add optional parameter validation to the AES module
This adds additional and optional parameter validation to the AES module that
can be used by enabling the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Simon Butcher
b4868034dd Add initial options and support for parameter validation
This function adds the additional config.h option of MBEDTLS_CHECK_PARAMS which
allows additional validation of parameters passed to the library.
2018-12-11 12:28:56 +01:00
Jaeden Amero
01b34fb316 Merge remote-tracking branch 'upstream-public/pr/2267' into development 2018-12-07 16:17:12 +00:00
Jaeden Amero
52ed0b9030 Merge remote-tracking branch 'upstream-public/pr/2101' into development 2018-12-07 16:15:31 +00:00
Janos Follath
683c582530 Clarify alternative ECP calling conventions
Function calls to alternative implementations have to follow certain
rules in order to preserve correct functionality. To avoid accidentally
breaking these rules we state them explicitly in the ECP module for
ourselves and every contributor to see.
2018-12-07 13:13:30 +00:00
Janos Follath
af6f2694a4 Fix ECC hardware double initialization
We initialized the ECC hardware before calling
mbedtls_ecp_mul_shortcuts(). This in turn calls
mbedtls_ecp_mul_restartable(), which initializes and frees the hardware
too. This issue has been introduced by recent changes and caused some
accelerators to hang.

We move the initialization after the mbedtle_ecp_mul_shortcuts() calls
to avoid double initialization.
2018-12-07 11:03:47 +00:00
Jaeden Amero
e1b1a2c979 Merge remote-tracking branch 'upstream-public/pr/2181' into development 2018-12-06 16:11:49 +00:00
Jaeden Amero
5b46fe774b Merge remote-tracking branch 'upstream-public/pr/2157' into development 2018-12-06 16:06:57 +00:00
Jaeden Amero
bc1cf5cd36 Merge remote-tracking branch 'upstream-public/pr/2131' into development 2018-12-06 16:04:55 +00:00
Jaeden Amero
a04617ec18 Merge remote-tracking branch 'upstream-public/pr/2125' into development 2018-12-06 16:02:31 +00:00
Jaeden Amero
c27e3420b9 Merge remote-tracking branch 'upstream-public/pr/2117' into development 2018-12-06 15:59:32 +00:00
Jaeden Amero
41722ec29e Merge remote-tracking branch 'upstream-public/pr/1958' into development 2018-12-06 15:53:56 +00:00
Janos Follath
3fbdadad7b SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work
with the new context, where we can't make any assumption about the
implementation of the context.

This commit makes use of the new functions to avoid accessing ECDH
members directly. The only members that are still accessed directly are
the group ID and the point format and they are independent from the
implementation.
2018-12-06 12:22:46 +00:00
Janos Follath
948f4bedcc Debug: Add functions for ECDH contexts
The SSL module accesses ECDH context members directly to print debug
information. This can't work with the new context, where we can't make
assumptions about the implementation of the context. This commit adds
new debug functions to complete the encapsulation of the ECDH context
and work around the problem.
2018-12-06 12:22:46 +00:00
Janos Follath
5a3e1bfda0 ECDH: Make the implementation use the new context
The functionality from public API functions are moved to
`xxx_internal()` functions. The public API functions are modified to do
basic parameter validation and dispatch the call to the right
implementation.

There is no intended change in behaviour when
`MBEDTLS_ECDH_LEGACY_CONTEXT` is enabled.
2018-12-06 12:22:18 +00:00
Jaeden Amero
5dfca1e1bd Update library version to 2.15.1 2018-12-01 18:44:29 +00:00
Janos Follath
f61e486179 ECDH: Add mbedtls_ecdh_setup()
In the future we want to support alternative ECDH implementations. We
can't make assumptions about the structure of the context they might
use, and therefore shouldn't access the members of
`mbedtls_ecdh_context`.

Currently the lifecycle of the context can't be done without direct
manipulation. This commit adds `mbedtls_ecdh_setup()` to complete
covering the context lifecycle with functions.
2018-11-30 14:09:57 +00:00
Janos Follath
89ac8c9266 ECP: Add mbedtls_ecp_tls_read_group_id()
`mbedtls_ecp_tls_read_group()` both parses the group ID and loads the
group into the structure provided. We want to support alternative
implementations of ECDH in the future and for that we need to parse the
group ID without populating an `mbedtls_ecp_group` structure (because
alternative implementations might not use that).

This commit moves the part that parses the group ID to a new function.
There is no need to test the new function directly, because the tests
for `mbedtls_ecp_tls_read_group()` are already implicitly testing it.

There is no intended change in behaviour in this commit.
2018-11-30 14:09:57 +00:00
Simon Butcher
51b8a2fa87 Merge remote-tracking branch 'restricted/pr/512' into development 2018-11-29 16:56:02 +00:00
Simon Butcher
b9eb7866eb Merge remote-tracking branch 'restricted/pr/535' into development 2018-11-29 16:54:51 +00:00
Simon Butcher
658618b6b2 Merge remote-tracking branch 'restricted/pr/516' into development 2018-11-29 16:53:51 +00:00
Ron Eldor
a16fa297f7 Refactor mpi_write_hlp to not be recursive
Refactor `mpi_write_hlp()` to not be recursive, to fix stack overflows.
Iterate over the `mbedtls_mpi` division of the radix requested,
until it is zero. Each iteration, put the residue in the next LSB
of the output buffer. Fixes #2190
2018-11-27 10:34:36 +02:00
Gilles Peskine
8220466297 Streamline mbedtls_xxx_drbg_update_seed_file
Refactor mbedtls_ctr_drbg_update_seed_file and
mbedtls_hmac_drbg_update_seed_file to make the error logic clearer.

The new code does not use fseek, so it works with non-seekable files.
2018-11-26 19:26:22 +01:00
Gilles Peskine
b7f71c8bc1 HMAC_DRBG: report all errors from HMAC functions
Make sure that any error from mbedtls_md_hmac_xxx is propagated.
2018-11-26 19:26:22 +01:00
Gilles Peskine
e0e9c573ad HMAC_DRBG: deprecate mbedtls_hmac_drbg_update because it ignores errors
Deprecate mbedtls_hmac_drbg_update (which returns void) in favor of a
new function mbedtls_hmac_drbg_update_ret which reports error.
2018-11-26 19:26:21 +01:00
Gilles Peskine
d919993b76 CTR_DRBG: deprecate mbedtls_ctr_drbg_update because it ignores errors
Deprecate mbedtls_ctr_drbg_update (which returns void) in favor of a
new function mbedtls_ctr_drbg_update_ret which reports error.
2018-11-26 19:26:00 +01:00
Gilles Peskine
afa803775a HMAC_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine
d9aa84dc0d CTR_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Simon Butcher
60ee838a8a Merge remote-tracking branch 'public/pr/2224' into development-psa-proposed 2018-11-23 21:18:32 +00:00
Simon Butcher
ebeb6cb446 Update library version to 2.15.0 2018-11-23 14:18:15 +00:00
Hanno Becker
3441d2e4a4 Merge branch 'iotssl-2597-psa-hashing-x509' into development-psa-proposed 2018-11-23 11:42:07 +00:00
Hanno Becker
4ae8b497c0 Merge branch 'iotssl-2578-psa-sig-verification' into development-psa-proposed 2018-11-23 11:37:00 +00:00
Hanno Becker
a0a96a0c56 Merge branch 'psa_cipher_integration' into development-psa-proposed 2018-11-23 11:26:57 +00:00
Hanno Becker
f8b5f27bce Merge branch 'psa_cipher' into development-psa-proposed 2018-11-23 11:18:02 +00:00
Hanno Becker
485529952f Merge branch 'opaque_psk_implementation' into development-psa-proposed 2018-11-23 11:12:38 +00:00
Andrzej Kurek
b7f3ac6504 pkwrite: add an explicit cast to size_t 2018-11-22 12:05:08 -05:00
Andrzej Kurek
158c3d10d0 pkwrite: add a safety check before calculating the buffer size 2018-11-22 12:05:08 -05:00
Andrzej Kurek
4b11407258 Cosmetic changes
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:05:08 -05:00
Andrzej Kurek
5fec0860f9 pkwrite: add opaque key handling for public key exporting
Return early from mbedtls_pk_write_pubkey_der - public opaque key
exporting is expected to contain all of the needed data, therefore it shouldn't
be written again.
2018-11-22 12:05:08 -05:00
Andrzej Kurek
8b38ff57ab Remove trailing whitespace 2018-11-22 11:53:04 -05:00
Andrzej Kurek
a609337ca0 x509: remove unnecessary calls to psa_hash_abort
According to the documentation, it does not need to be called after a failed
psa_hash call.
2018-11-22 11:53:04 -05:00
Andrzej Kurek
d4a6553191 x509: use the PSA API to perform hashing operations
So far limited only to certificate verification withour CRL and CSR generation.
2018-11-22 11:53:04 -05:00
Andrzej Kurek
ad5d58124a pk_wrap.c: fix length mismatch check placement 2018-11-22 11:17:37 -05:00
Andrzej Kurek
eeac03b354 pk_wrap.c: tidy up signature extraction
Add a sanity check for signature length, remove superfluous bounds check.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
6cb63aa010 Cosmetic changes
Move memset to a more relevant spot, fix one whitespace error
2018-11-22 11:17:37 -05:00
Andrzej Kurek
9241d18773 pk_wrap: rework and tidy up signature extraction
Improve comments, use a normal buffer instead of mbedtls_asn1_buf,
remove unneeded variables and use shared utilities where possible.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
b6016c52c5 pk_wrap: reuse a static buffer for signature extraction
Use a buffer left over after importing a key to hold an extracted signature.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
b7b0478f76 pk_wrap: rework signature extraction to work with small r and s values
There is a probability that r will be encoded as 31 or less bytes in DER,
so additional padding is added in such case.
Added a signature-part extraction function to tidy up the code further.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
4f0253962e pk_wrap: improve error codes returned from ecdsa_verify_wrap
Use the shared PSA utilities to translate errors.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
2122774d72 pk_wrap: switch to helper functions defined in psa_util.h
Remove duplicated helper functions.
Remove an unnecessary call to psa_crypto_init().
2018-11-22 11:17:37 -05:00
Andrzej Kurek
c05ec9f39c pk_wrap: test if a valid md_alg is passed to ecdsa_verify_wrap
Adjust tests to pass a valid algorithm
2018-11-22 11:17:37 -05:00
Andrzej Kurek
cef91afab6 pk_wrap: destroy key slot on errors with policy or key importing 2018-11-22 11:17:37 -05:00
Andrzej Kurek
3f864c2457 pk_wrap: add a check for equal signature parts 2018-11-22 11:17:37 -05:00
Andrzej Kurek
b3d1b12177 pk_wrap: check if curve conversion is successful 2018-11-22 11:17:37 -05:00
Andrzej Kurek
ea84233e02 pk_wrap: nullify the signature pointer on error in extract_ecdsa_sig
Fix a double free error in ecdsa_verify_wrap
2018-11-22 11:17:37 -05:00
Andrzej Kurek
6376d638b8 pk_wrap: cosmetic changes
Adjust whitespaces and variable names
2018-11-22 11:17:37 -05:00
Andrzej Kurek
8b036a6082 pk_wrap.c: add support for ecdsa signature verification using PSA
Use PSA internally to verify signatures.
Add a conversion to a raw signature format.
2018-11-22 11:17:37 -05:00
Hanno Becker
cb1cc80cf5 Use PSA-based ciphers for record protections in TLS-1.2 only
Reasons:
- For the first release, we attempt to support TLS-1.2 only,
- At least TLS-1.0 is known to not work at the moment, as
  for CBC ciphersuites the code in mbedtls_ssl_decrypt_buf()
  and mbedtls_ssl_encrypt_buf() assumes that mbedtls_cipher_crypt()
  updates the structure field for the IV in the cipher context,
  which the PSA-based implementation currently doesn't.
2018-11-22 14:05:54 +00:00
Hanno Becker
679d8ceb13 Use PSA-based ciphers for SSL ticket protection
This commit modifies the default SSL ticket implementation
from `library/ssl_ticket.c` to use PSA-based cipher context
for ticket creation and parsing.

As in mbedtls_ssl_derive_keys() adapted in an earlier commit,
we allow fallback to the ordinary mbedtls_cipher_setup()
if the provided cipher is not known. We do this even though
we always call mbedtls_ssl_ticket_setup() with AES-GCM
in our own code since this function is public and might
be used with other ciphers by users.
2018-11-22 14:05:54 +00:00
Hanno Becker
d140d0828e Introduce macros for constants in SSL ticket implementation 2018-11-22 14:05:54 +00:00
Hanno Becker
f704befee8 Setup PSA-based cipher context in mbedtls_ssl_derive_keys()
This commit changes the code path in mbedtls_ssl_derive_keys()
responsible for setting up record protection cipher contexts
to attempt to use the new API mbedtls_cipher_setup_psa() in
case MBEDTLS_USE_PSA_CRYPTO is set.

For that, the AEAD tag length must be provided, which is already
computed earlier in mbedtls_ssl_derive_keys() and only needs to be
stored a function scope to be available for mbedtls_cipher_setup_psa().

If mbedtls_cipher_setup_psa() fails cleanly indicating that the
requested cipher is not supported in PSA, we fall through to
the default setup using mbedtls_cipher_setup(). However, we print
a debug message in this case, to allow catching the fallthrough in
tests where we know we're using a cipher which should be supported
by PSA.
2018-11-22 14:05:54 +00:00
Hanno Becker
a654c3e38a Return 'Feature unavailable' error for ciphers unsupported by PSA 2018-11-22 14:03:39 +00:00
Hanno Becker
ce61a32e6a Use enum for slot state in PSA-based cipher context 2018-11-22 14:03:39 +00:00
Hanno Becker
8d88a6e20d Check support for cipher in mbedtls_cipher_setup_psa()
mbedtls_cipher_setup_psa() should return
MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE when the requested
cipher is not supported by PSA, so that the caller can
try the original mbedtls_cipher_setup() instead.

The previous version of mbedtls_cipher_setup_psa(), however,
only attempted to translate the cipher mode (GCM, CCM, CBC,
ChaChaPoly, Stream), but didn't consider the underlying
cipher primitive. Hence, it wouldn't fail when attempting
to setup a cipher context for, say, 3DES-CBC, where CBC
is currently supported by PSA but 3DES isn't.

This commit adds a check to mbedtls_cipher_setup_psa()
for whether the requested cipher primitive is available
in the underlying PSA Crypto implementation, and fails
cleanly with MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if
it is isn't.
2018-11-22 14:03:39 +00:00
Hanno Becker
56150afd1a Implement PSA-based AEAD enc/dec cipher operations 2018-11-22 14:03:39 +00:00
Hanno Becker
f133640475 Add AEAD tag length to new mbedtls_cipher_setup_psa()
For AEAD ciphers, the information contained in mbedtls_cipher_info
is not enough to deduce a PSA algorithm value of type psa_algorithm_t.
This is because mbedtls_cipher_info doesn't contain the AEAD tag
length, while values of type psa_algorithm_t do.

This commit adds the AEAD tag length as a separate parameter
to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value
must be 0.

This approach is preferred over passing psa_algorithm_t directly
in order to keep the changes in existing code using the cipher layer
small.
2018-11-22 14:03:39 +00:00
Hanno Becker
884f6af590 Always configure PSA-based keys for encryption and decryption
Mbed TLS cipher layer allows usage of keys for other purposes
than indicated in the `operation` parameter of `mbedtls_cipher_setkey()`.
The semantics of the PSA Crypto API, in contrast, checks key
usage against the key policy.

As a remedy, this commit modifies the PSA key slot setup to
always allow both encryption and decryption.
2018-11-22 14:03:39 +00:00
Hanno Becker
3c852a9c35 Implement PSA-based version of mbedtls_cipher_crypt() 2018-11-22 14:03:39 +00:00
Hanno Becker
d9ca5cfd60 Implement mbedtls_cipher_setkey() for PSA-based cipher contexts
This commit implements the internal key slot management performed
by PSA-based cipher contexts. Specifically, `mbedtls_cipher_setkey()`
wraps the provided raw key material into a key slot, and
`mbedtls_cipher_free()` destroys that key slot.
2018-11-22 14:03:39 +00:00
Hanno Becker
73f59fc3e9 Add PSA-specific cipher context 2018-11-22 14:03:39 +00:00
Hanno Becker
1cb36530be Add psa_enabled field to cipher ctx and add dummy implementations
This field determines whether a cipher context should
use an external implementation of the PSA Crypto API for
cryptographic operations, or Mbed TLS' own crypto library.

The commit also adds dummy implementations for the cipher API.
2018-11-22 14:03:39 +00:00
Hanno Becker
098c9de2af Add declaration and dummy-definition of mbedtls_cipher_setup_psa() 2018-11-22 14:03:39 +00:00
Hanno Becker
21967c5bff Fix style in cipher.c 2018-11-22 14:03:39 +00:00
Hanno Becker
c3d25b31ab Fix style in NUM_CIPHERS definition in cipher_wrap.c
Use brackets around `sizeof()` arguments as well as the entire macro.
2018-11-22 14:03:39 +00:00
Manuel Pégourié-Gonnard
347a00e07e Add test utility function: wrap_as_opaque()
The new function is not tested here, but will be in a subsequent PR.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
59eecb0e9e Guard against PSA generating invalid signature
The goal is not to double-check everything PSA does, but to ensure that it
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
9a5a77ba7c Use shared function for error translation 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
45013a1d54 Fix a compliance issue in signature encoding
The issue is not present in the normal path because asn1write_mpi() does it
automatically, but we're not using that here...
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
509aff111f Improve documentation of an internal function 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
d8454bc515 Get rid of large stack buffers in PSA sign wrapper 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
69baf70984 Align names to use "opaque" only everywhere
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
3686771dfa Implement pk_sign() for opaque ECDSA keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
920c063bad Implement can_do for opaque ECC keypairs
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
0184b3c69b Add support for get_(bit)len on opaque keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
7b5fe041f1 Implement alloc/free wrappers for pk_opaque_psa 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
eaeb7b23ff Clarify return value of pk_check_pair() 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
20678b2ae2 Skeleton for PK_OPAQUE_PSA 2018-11-22 09:59:34 +01:00
Hanno Becker
7390c71609 Share code for PSK identity configuration
This commit shares the code for setting the PSK identity hint between
the functions mbedtls_ssl_conf_psk() and mbedtls_ssl_conf_psk_opaque().
2018-11-21 21:12:58 +00:00
Hanno Becker
a63ac3f149 Safe-guard ssl_conf_remove_psk() for simultaneous raw-opaque PSKs
The code maintains the invariant that raw and opaque PSKs are never
configured simultaneously, so strictly speaking `ssl_conf_remove_psk()`
need not consider clearing the raw PSK if it has already cleared an
opaque one - and previously, it didn't. However, it doesn't come at
any cost to keep this check as a safe-guard to future unforeseen
situations where opaque and raw PSKs _are_ both present.
2018-11-21 21:12:58 +00:00
Hanno Becker
f9ed7d5f76 Don't use 48 as a magic number in ssl_derive_keys()
In multiple places, it occurrs as the fixed length of
the master secret, so use a constant with a descriptive
name instead. This is reinforced by the fact the some
further occurrences of '48' are semantically different.
2018-11-21 21:12:58 +00:00
Hanno Becker
c1385c104f Don't use idiom if( func() ) but always add explicit value check 2018-11-21 21:12:58 +00:00
Hanno Becker
845b946d92 Add server-support for opaque PSKs 2018-11-21 21:12:58 +00:00
Hanno Becker
520224e577 Rename ssl_conf_has_[raw_]_psk to ssl_conf_has_static_[raw_]psk
This is to differentiate the function from the functions relevant
on the server-side, which also need to take into the PSK callback.
2018-11-21 21:12:58 +00:00
Hanno Becker
afd311ee12 Skip PMS generation on client if opaque PSK is used
For opaque PSKs, the PSK-to-MS expansion is performed atomatically
on the PSA-side.
2018-11-21 21:12:58 +00:00
Hanno Becker
7d0a569d38 Implement PSA-based PSK-to-MS derivation in mbedtls_ssl_derive_keys 2018-11-21 21:12:58 +00:00
Hanno Becker
35b23c7484 Simplify master secret derivation in mbedtls_ssl_derive_keys() 2018-11-21 21:12:58 +00:00
Hanno Becker
dfab8e221a Allow opaque PSKs in pure-PSK ciphersuites only
In contrast, RSA-PSK, ECDHE-PSK and DHE-PSK are explicitly excluded
for the moment.
2018-11-21 21:12:58 +00:00
Hanno Becker
2e4f616708 Don't suggest the use of a PSK suite if no PSK configured on client 2018-11-21 21:12:58 +00:00
Hanno Becker
d20a8ca733 Implement API for configuration of opaque PSKs
This commit adds implementations of the two new API functions

mbedtls_ssl_conf_psk_opaque()
mbedtls_ssl_set_hs_psk_opaque().
2018-11-21 21:12:58 +00:00
Manuel Pégourié-Gonnard
aeefa49edd Add config option for X.509/TLS to use PSA 2018-11-21 21:03:14 +00:00
Jaeden Amero
484ee33c35 psa: Add PSA Crypto configuration
Add an option that can enable the exposure of PSA Crypto APIs from
libmbedcrypto.
2018-11-21 12:54:57 +00:00
Jaeden Amero
30b340a760 crypto: Add mbedtls-psa as a submodule
mbedtls-psa contains an implementation of libmbedcrypto, including the PSA
Crypto API.
2018-11-21 12:54:57 +00:00
Jaeden Amero
4cb814e3a7 cmake: Use finer grained include directory
Using finer grained control over include directories will allow differnt
targets to use different include files. This will be useful when the
`crypto` subcomponent wants to use its own include files instead of or in
addition to the top level ones.
2018-11-20 18:46:43 +00:00
Gilles Peskine
11cdb0559e mbedtls_mpi_write_binary: don't leak the exact size of the number
In mbedtls_mpi_write_binary, avoid leaking the size of the number
through timing or branches, if possible. More precisely, if the number
fits in the output buffer based on its allocated size, the new code's
trace doesn't depend on the value of the number.
2018-11-20 17:09:27 +01:00
Simon Butcher
c1b9892177 Update library version number to 2.14.0 2018-11-19 18:31:40 +00:00
Simon Butcher
de13963d66 Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed 2018-11-12 14:30:16 +00:00
Simon Butcher
cdd1a6c872 Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed 2018-11-12 14:29:14 +00:00
Simon Butcher
e51d4b336b Merge remote-tracking branch 'public/pr/2054' into development-proposed 2018-11-09 19:57:53 +00:00
Ron Eldor
9924bdc792 Deprecate hardware acceleration errors
Deprecate the module-specific XXX_HW_ACCEL_FAILED and
XXX_FEATURE_UNAVAILABLE errors, as alternative implementations should now
return `MBEDTLS_ERR_PLATFORM_HW_FAILED` and
`MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED`.
2018-11-09 15:01:07 +00:00
Ron Eldor
bcca58c6cd Add common feature unavailable error
Add a common error for the feature unavailable, in the
platform module.
2018-11-09 13:57:37 +00:00
Simon Butcher
d83448b736 Merge remote-tracking branch 'public/pr/2052' into development-restricted-proposed 2018-11-07 12:59:14 +00:00
Simon Butcher
53b45ec881 Merge remote-tracking branch 'public/pr/2079' into development-restricted-proposed 2018-11-07 12:58:44 +00:00
Simon Butcher
bbc31b4827 Merge remote-tracking branch 'public/pr/2085' into development-restricted-proposed 2018-11-07 12:57:38 +00:00
Simon Butcher
93a9b497e0 Merge remote-tracking branch 'public/pr/2077' into development-restricted-proposed 2018-11-07 12:57:24 +00:00
Simon Butcher
241823aab8 Merge remote-tracking branch 'public/pr/1641' into development-restricted-proposed 2018-11-07 12:55:47 +00:00
Simon Butcher
42ab4ae033 Merge remote-tracking branch 'public/pr/2167' into development-restricted-proposed 2018-11-07 12:54:45 +00:00
Hanno Becker
f6d6e30820 Fix incomplete assertion in ssl_write_handshake_msg()
ssl_write_handshake_msg() includes the assertion that
`ssl->handshake != NULL` when handling a record which is
(a) a handshake message, and NOT
(b) a HelloRequest.
However, it later calls `ssl_append_flight()` for any
record different from a HelloRequest handshake record,
that is, records satisfying !(a) || !(b), instead of
(a) && !(b) as covered by the assertion (specifically,
CCS or Alert records).

Since `ssl_append_flight()` assumes that `ssl->handshake != NULL`,
this rightfully triggers static analyzer warnings.

This commit expands the scope of the assertion to check
that `ssl->handshake != NULL` for any record which is not
a HelloRequest.
2018-11-07 11:57:51 +00:00
Simon Butcher
51b6abbbf2 Merge remote-tracking branch 'public/pr/2165' into development-proposed 2018-11-06 22:55:14 +00:00
Hanno Becker
9772da8792 Add missing bracket
Wasn't spotted earlier because it's guarded by `! HAVE_GETRANDOM`.
2018-11-06 13:12:47 +00:00
Ron Eldor
2981d8f161 Change to positive flow for all cases
Use the `rs_ctx` only when `MBEDTLS_ECP_RESTARTABLE` is defined.
2018-11-05 18:08:46 +02:00
Ron Eldor
93ace0199b Revert positive flow check
Revert changes for checking whether `MBEDTLS_ECP_RESTARTABLE`
is defined, since it broke the CI. The context is used whether the
restartable feature is defined or not.
2018-11-05 17:50:07 +02:00
Ron Eldor
b430d9f262 Change to positive checks
1. Checge to check for `MBEDTLS_ECP_RESTARTABLE` for all definitions
of `rs_ctx`.
2. Remove checks for `_ALT` when using `rs_ctx` as they cannot coexist
with the Restartable configuration.
2018-11-05 17:18:29 +02:00
Ron Eldor
19779c4739 Some style and documentation fixes
1. Change description of of hte `MBEDTLS_ECP_RESTARTABLE`
in the configuration file.
2. Change check for compilation of `rs_ctx` to positive flow.
2018-11-05 16:58:13 +02:00
Ron Eldor
5ed8c1eded Avoid using restartable and alternative ECP imp.
1. Add a check that MBEDTLS_ECP_RESTARTABLE is not defined
   along any EC* alternative implementation.
2. Add a closing comment foran `#endif`.
2018-11-05 14:04:26 +02:00
Hanno Becker
b75ffb5061 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-05 11:54:06 +00:00
Hanno Becker
1f8527f1cf Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-05 11:54:06 +00:00
Simon Butcher
06f88e9c42 Merge remote-tracking branch 'public/pr/2007' into development-proposed 2018-11-04 19:12:57 +00:00
Simon Butcher
76646a4bac Merge remote-tracking branch 'public/pr/1777' into development-proposed 2018-11-04 18:51:36 +00:00
Simon Butcher
2705beaeef Merge remote-tracking branch 'public/pr/2095' into development-proposed 2018-11-04 18:48:04 +00:00
Hanno Becker
710f203541 Merge branch 'iotssl-1770' into development_thomas_dee 2018-11-02 10:52:49 +00:00
Hanno Becker
cec1c2685f Break overly long line in library/x509_create.c 2018-11-02 10:52:38 +00:00
Hanno Becker
ee334a3a5c Remove Doxygen tags from documentation of private structure 2018-11-02 10:52:38 +00:00
Hanno Becker
beffcd8d4a Update hardcoded certificates in library/certs.c
library/certs.c provides some hardcoded certificates that
are used e.g. by the test applications ssl_server2, ssl_client2
in case no certificates are provided on the command line.

The certificates used are from the tests/data_files folder
and have been updated in the latest commits. This commit
updates their copies in certs.c. It also adds comments
indicating the files from which the data is taken, in
order to ease update in the future.
2018-11-02 10:52:38 +00:00
Hanno Becker
6e1adee42b Regenerate test files
Previous commits have added or modified build instructions for
server1*, server2*, server5*, test-ca*, cli-rsa* in the Makefile
tests/data_files/Makefile, or the apps they invoke have been changed.

This commit regenerates those files to make sure they are in match with
the build instructions.
2018-11-02 10:52:38 +00:00
Hanno Becker
cb93813e04 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-02 10:49:09 +00:00
Hanno Becker
0f6903d84c Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-02 10:49:08 +00:00
Ron Eldor
2b161c33be Fix compilation issue
Fix compilation error when both `MBEDTLS_ECP_RESTARTABLE` and the
alternative definition of ECDH function are defined.
2018-11-01 16:18:20 +02:00
Ron Eldor
936d284f4d Minor fixes
1. Fix unused symbols compilation warnings.
2. Add comments for the closing `endif`.
2018-11-01 13:05:52 +02:00
Ron Eldor
8493f80e65 conditionaly compile ECDH and ECDSA alt functions
Return the condition compilation flags surrounding
`mbedtls_ecdh_compute_shared()`, `mbedtls_ecdh_gen_public()`,
`mbedtls_ecdsa_sign()` and `mbedtls_ecdsa_verify()` that were accidentally
removed in a previous merge.
Resolves #2163
2018-11-01 11:32:15 +02:00
Krzysztof Stachowiak
c388a8c394 Fix typo in a test condition code 2018-10-31 16:49:20 +01:00
Simon Butcher
7904f94550 Merge remote-tracking branch 'public/pr/1099' into development-proposed 2018-10-28 18:10:37 +00:00
Simon Butcher
17a0fab345 Merge remote-tracking branch 'public/pr/2111' into development-proposed 2018-10-28 16:22:18 +00:00
Simon Butcher
a07d86e8af Merge remote-tracking branch 'public/pr/1902' into development 2018-10-27 18:36:55 +01:00
Simon Butcher
ef263ebcd7 Merge remote-tracking branch 'public/pr/1993' into development 2018-10-27 18:36:28 +01:00
Hanno Becker
b10c66073f Detect unsigned integer overflow in mbedtls_ecp_check_budget()
This commit modifies a bounds check in `mbedtls_ecp_check_budget()` to
be correct even if the requested number of ECC operations would overflow
the operation counter.
2018-10-26 15:09:35 +01:00
Hanno Becker
6934e9b288 Indentation fix 2018-10-25 16:07:16 +01:00
Hanno Becker
137015c1b1 Fix unsafe bounds checks in ssl_load_session()
Fixes #659 reported by Guido Vranken.
2018-10-25 16:07:08 +01:00
Simon Butcher
169712e15a Merge remote-tracking branch 'restricted/pr/390' into development 2018-10-24 18:34:30 +01:00
Hanno Becker
9543373668 Use brackets around shift operations
Use `( x >> y ) & z` instead of `x >> y & z`. Both are equivalent
by operator precedence, but the former is more readable and the
commonly used idiom in the library.
2018-10-24 13:31:49 +01:00
Jaeden Amero
a74faba27a aes: xts: Correct NIST 80-38E to 800-38E
Correct a typo in an AES XTS implementation comment where the relevant
NIST standard was incorrectly referred to as NIST 80-38E instead of NIST
800-38E.
2018-10-23 12:07:18 +01:00
Jaeden Amero
8381fcb3f9 aes: xts: Update inaccurate comments
It is inaccurate to call a data unit a "sector". A disk sector is a
common use case for the data unit, but there exist other types of data
units that are not sectors.
2018-10-23 12:07:18 +01:00
Manuel Pégourié-Gonnard
a966fdea72 Fix some documentation typos and improve a comment 2018-10-23 10:41:11 +02:00
Brian J Murray
f343de12dc typo fix 2018-10-22 16:41:35 -07:00
Krzysztof Stachowiak
2cdb6b46be Include MinGW in the non-conforming (v)snprintf scope
It turns out that in some environments MinGW esposes a non-conforming
(v)snprintf behavior despite the tests against the MSVC runtime pass.
Therefore it has been included in the "non-conforming" scope alongide
older MSVC rungime environments.
2018-10-22 10:43:56 +02:00
Manuel Pégourié-Gonnard
ca29fdf569 Fix some typos in documentation and comments 2018-10-22 09:56:53 +02:00
Hanno Becker
27516979c1 Entropy: Fall through to /dev/random if getrandom() syscall unknown
This commit fixes issue #1212 related to platform-specific entropy
polling in an syscall-emulated environment.

Previously, the implementation of the entropy gathering function
`mbedtls_platform_entropy_poll()` for linux machines used the
following logic to determine how to obtain entropy from the kernel:

1. If the getrandom() system call identifier SYS_getrandom is present and
   the kernel version is 3.17 or higher, use syscall( SYS_getrandom, ... )
2. Otherwise, fall back to reading from /dev/random.

There are two issues with this:

1. Portability:
   When cross-compiling the code for a different
   architecture and running it through system call
   emulation in qemu, qemu reports the host kernel
   version through uname but, as of v.2.5.0,
   doesn't support emulating the getrandom() syscall.
   This leads to `mbedtls_platform_entropy_poll()`
   failing even though reading from /dev/random would
   have worked.

2. Style:
   Extracting the linux kernel version from
   the output of `uname` is slightly tedious.

This commit fixes both by implementing the suggestion in #1212:
- It removes the kernel-version detection through uname().
- Instead, it checks whether `syscall( SYS_getrandom, ... )`
  fails with errno set to ENOSYS indicating an unknown system call.
  If so, it falls through to trying to read from /dev/random.

Fixes #1212.
2018-10-18 12:12:04 +01:00
Hanno Becker
dd3ab13da3 Fail when encountering invalid CBC padding in EtM records
This commit changes the behavior of the record decryption routine
`ssl_decrypt_buf()` in the following situation:
1. A CBC ciphersuite with Encrypt-then-MAC is used.
2. A record with valid MAC but invalid CBC padding is received.
In this situation, the previous code would not raise and error but
instead forward the decrypted packet, including the wrong padding,
to the user.

This commit changes this behavior to return the error
MBEDTLS_ERR_SSL_INVALID_MAC instead.

While erroneous, the previous behavior does not constitute a
security flaw since it can only happen for properly authenticated
records, that is, if the peer makes a mistake while preparing the
padded plaintext.
2018-10-17 14:43:14 +01:00
Hanno Becker
44da18a294 Duplicate mbedtls_asn1_find_named_data in asn1write.c to avoid dep.
This commit duplicates the public function mbedtls_asn1_find_named_data()
defined in library/asn1parse.c within library/asn1write.c in order to
avoid a dependency of the ASN.1 writing module on the ASN.1 parsing module.

The duplication is unproblematic from a semantic and an efficiency
perspective becasue it is just a short list traversal that doesn't
actually do any ASN.1 parsing.
2018-10-16 13:44:06 +01:00
Hanno Becker
1ea604d3ee Guard mbedtls_pkcs5_pbes2() by MBEDTLS_ASN1_PARSE_C
Previously, mbedtls_pkcs5_pbes2() was unconditionally declared
in `pkcs5.h` but defined as a stub returning
`MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE` in case
MBEDTLS_ASN1_PARSE_C was not defined.

In line with the previous commits, this commit removes declaration
and definition from both `pkcs5.h` and `pkcs5.c` in case
MBEDTLS_ASN1_PARSE_C is not defined.
2018-10-16 13:39:40 +01:00
Hanno Becker
8a89f9fcd2 Make PBE-related parts of PKCS12 depend on MBEDTLS_ASN1_PARSE_C 2018-10-16 13:39:40 +01:00
Manuel Pégourié-Gonnard
b25cb603bb Add a comment to clarify code flow 2018-10-16 11:48:09 +02:00
Manuel Pégourié-Gonnard
a5a3e40c4e Fix missing dereference.
Went unnoticed because it was only on a defensive code path, in an internal
function, so not exercised.
2018-10-16 11:27:23 +02:00
Manuel Pégourié-Gonnard
90f31b71a8 Improve readability by moving counter decrement
Avoid the slightly awkward rs_ctx-> i = i + 1
2018-10-16 10:45:24 +02:00
Manuel Pégourié-Gonnard
a58e011ac0 Fix alignment in a macro definition 2018-10-16 10:42:47 +02:00
Manuel Pégourié-Gonnard
b843b15a02 Fix function name to fit conventions 2018-10-16 10:41:31 +02:00
Manuel Pégourié-Gonnard
c0edc96704 Add comment on internal function API 2018-10-16 10:38:19 +02:00
Manuel Pégourié-Gonnard
d8b73f2312 Remove unnecessary calls to init() from free()
Our API makes no guarantee that you can use a context after free()ing it
without re-init()ing it first, so better not give the wrong impression that we
do, while it's not policy and the rest of the code might not allow it.
2018-10-16 10:34:13 +02:00
Manuel Pégourié-Gonnard
c37423fa76 Fix misleading sub-state name and comments
The enum constant had 'ske' in its name while this was a sub-state of the
"write client key exchange" state; corresponding issue in the comment.
2018-10-16 10:28:17 +02:00
Ron Eldor
5267b62248 Change error description
1. Change error description to a clearer one.
2. Change value in the error codes ranges description.
2018-10-15 18:44:42 +03:00
Ron Eldor
a27190b774 Rename platform error code and value
Rename the PLATFORM HW error, to avoid ABI breakage with Mbed OS.
The value changed as well, as previous value was not in the range of
Mbed TLS low level error codes.
2018-10-15 16:33:43 +03:00
Manuel Pégourié-Gonnard
ee68cff813 Fix or improve some comments (and whitespace) 2018-10-15 15:27:49 +02:00
Manuel Pégourié-Gonnard
f0bbd7e3fd Misc documentation fixes/improvements. 2018-10-15 13:22:41 +02:00
Manuel Pégourié-Gonnard
6346a75dfb Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development:
  ssl-opt.sh: change expected output for large srv packet test with SSLv3
  Adapt ChangeLog
  Fix bug in SSL ticket implementation removing keys of age < 1s
  ssl-opt.sh: Add DTLS session resumption tests
  Add ChangeLog entry
  Fix typo
  Fix hmac_drbg failure in benchmark, with threading
  Remove trailing whitespace
  Remove trailing whitespace
  ssl_server2: add buffer overhead for a termination character
  Add missing large and small packet tests for ssl_server2
  Added buffer_size and response_size options for ssl-server2. Added appropriate tests.

Solving a conflict in tests/ssl-opt.sh: two set of tests were added at the
same place (just after large packets):
- restartable ECC tests (in this branch)
- server-side large packets (in development)

Resolution was to move the ECC tests after the newly added server large packet
ones.
2018-10-15 11:26:17 +02:00
Gilles Peskine
4899247bf2 Fix undefined behavior in unsigned-to-signed conversion
The code assumed that `int x = - (unsigned) u` with 0 <= u < INT_MAX
sets `x` to the negative of u, but actually this calculates
(UINT_MAX - u) and then converts this value to int, which overflows.
Cast to int before applying the unary minus operator to guarantee the
desired behavior.
2018-10-12 20:32:55 +02:00
Gilles Peskine
9b430704d1 Fix likely-harmless undefined behavior surrounding volatile
The code was making two unsequenced reads from volatile locations.
This is undefined behavior. It was probably harmless because we didn't
care in what order the reads happened and the reads were from ordinary
memory, but UB is UB and IAR8 complained.
2018-10-12 20:32:52 +02:00
Hanno Becker
805f2e11bd Add missing zeroization of buffered handshake messages
This commit ensures that buffers holding fragmented or
future handshake messages get zeroized before they are
freed when the respective handshake message is no longer
needed. Previously, the handshake message content would
leak on the heap.
2018-10-12 16:50:37 +01:00
Andrzej Kurek
748face36f ssl_tls: fix maximum output length
set maximum output length to MBEDTLS_SSL_OUT_CONTENT_LEN instead of
MBEDTLS_SSL_MAX_CONTENT_LEN.
2018-10-11 07:20:19 -04:00
Hanno Becker
780f0a4cc1 Reinitialize PK ctx in mbedtls_pk_parse_key before reuse are free
Context: This commit makes a change to mbedtls_pk_parse_key() which
is responsible for parsing of private keys. The function doesn't know
the key format in advance (PEM vs. DER, encrypted vs. unencrypted) and
tries them one by one, resetting the PK context in between.

Issue: The previous code resets the PK context through a call to
mbedtls_pk_free() along, lacking the accompanying mbedtls_pk_init()
call. Practically, this is not an issue because functionally
mbedtls_pk_free() + mbedtls_pk_init() is equivalent to mbedtls_pk_free()
with the current implementation of these functions, but strictly
speaking it's nonetheless a violation of the API semantics according
to which xxx_free() functions leave a context in uninitialized state.
(yet not entirely random, because xxx_free() functions must be idempotent,
so they cannot just fill the context they operate on with garbage).

Change: The commit adds calls to mbedtls_pk_init() after those calls
to mbedtls_pk_free() within mbedtls_pk_parse_key() after which the
PK context might still be used.
2018-10-11 11:31:15 +01:00
Hanno Becker
cfa2e33fd2 Omit runtime configuration of calloc/free if macro config enabled
This commit removes the definition of the API function

`mbedtls_platform_set_calloc_free()`

from `library/platform.c` in case the macros

`MBEDTLS_PLATFORM_CALLOC_MACRO`
`MBEDTLS_PLATFORM_FREE_MACRO`

for compile time configuration of calloc/free are set.

This is in line with the corresponding header `mbedtls/platform.h`
which declares `mbedtls_platform_set_calloc_free()` only if
`MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO` are not defined.

Fixes #1642.
2018-10-11 11:04:20 +01:00
Hanno Becker
8df10232cf Add explicit unsigned-to-signed integer conversion
The previous code triggered a compiler warning because of a comparison
of a signed and an unsigned integer.

The conversion is safe because `len` is representable by 16-bits,
hence smaller than the maximum integer.
2018-10-10 15:48:39 +01:00
Darryl Green
e3f95ed25b Fix bias in random number generation in Miller-Rabin test
When a random number is generated for the Miller-Rabin primality test,
if the bit length of the random number is larger than the number being
tested, the random number is shifted right to have the same bit length.
This introduces bias, as the random number is now guaranteed to be
larger than 2^(bit length-1).

Changing this to instead zero all bits higher than the tested numbers
bit length will remove this bias and keep the random number being
uniformly generated.
2018-10-09 16:36:53 +01:00
Janos Follath
a0b67c2f3e Bignum: Deprecate mbedtls_mpi_is_prime()
When using a primality testing function the tolerable error rate depends
on the scheme in question, the required security strength and wether it
is used for key generation or parameter validation. To support all use
cases we need more flexibility than what the old API provides.
2018-10-09 16:36:53 +01:00
Janos Follath
da31fa137a Bignum: Fix prime validation vulnerability
The input distribution to primality testing functions is completely
different when used for generating primes and when for validating
primes. The constants used in the library are geared towards the prime
generation use case and are weak when used for validation. (Maliciously
constructed composite numbers can pass the test with high probability)

The mbedtls_mpi_is_prime() function is in the public API and although it
is not documented, it is reasonable to assume that the primary use case
is validating primes. The RSA module too uses it for validating key
material.
2018-10-09 16:36:53 +01:00
Janos Follath
b728c29114 Bignum: Remove dead code
Both variables affected by the code are overwritten before their next
read.
2018-10-09 16:33:27 +01:00
Janos Follath
b8fc1b02ee RSA: Use MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR 2018-10-09 16:33:27 +01:00
Janos Follath
f301d23ceb Bignum: Improve primality test for FIPS primes
The FIPS 186-4 RSA key generation prescribes lower failure probability
in primality testing and this makes key generation slower. We enable the
caller to decide between compliance/security and performance.

This python script calculates the base two logarithm of the formulas in
HAC Fact 4.48 and was used to determine the breakpoints and number of
rounds:

def mrpkt_log_2(k, t):
    if t <= k/9.0:
        return 3*math.log(k,2)/2+t-math.log(t,2)/2+4-2*math.sqrt(t*k)
    elif t <= k/4.0:
        c1 = math.log(7.0*k/20,2)-5*t
        c2 = math.log(1/7.0,2)+15*math.log(k,2)/4.0-k/2.0-2*t
        c3 = math.log(12*k,2)-k/4.0-3*t
        return max(c1, c2, c3)
    else:
        return math.log(1/7.0)+15*math.log(k,2)/4.0-k/2.0-2*t
2018-10-09 16:33:27 +01:00
Andrzej Kurek
ef43ce6e25 Dtls: change the way unlimited mtu is set for client hello messages 2018-10-09 08:24:12 -04:00
Hanno Becker
1624e2e8bb Avoid overly long lines X.509 DN attr array def in x509_create.c 2018-10-08 14:52:20 +01:00
Hanno Becker
35b6854e54 Replace reference to RFC 3280 by reference to newer RFC 5280 2018-10-08 14:47:38 +01:00
Hanno Becker
cfc47bab69 Correct some indentation and line lengths in x509_create.c 2018-10-08 14:45:42 +01:00
Hanno Becker
d355e69aed Rename tag to default_tag in x509_attr_descriptor_t 2018-10-08 14:44:32 +01:00
Hanno Becker
d2c9009e5a Improve documentation of x509_attr_descriptor_t 2018-10-08 14:42:34 +01:00
Hanno Becker
0c161d1956 Fix bounds check in ssl_parse_server_psk_hint()
In the previous bounds check `(*p) > end - len`, the computation
of `end - len` might underflow if `end` is within the first 64KB
of the address space (note that the length `len` is controlled by
the peer). In this case, the bounds check will be bypassed, leading
to `*p` exceed the message bounds by up to 64KB when leaving
`ssl_parse_server_psk_hint()`. In a pure PSK-based handshake,
this doesn't seem to have any consequences, as `*p*` is not accessed
afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from
in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()`
which might lead to an application crash of information leakage.
2018-10-08 13:40:50 +01:00
Simon Butcher
e1660af2e2 Fix CSR parsing header call
Change the secondary X509 CSR parsing call for the alternative MS header to only
occur if the first call fails due to the header being unfound, instead of any
call.
2018-10-07 17:48:37 +01:00
Simon Butcher
0488ce653a Add support for alternative CSR headers
Add support for RFC7468, and the alternative Microsoft footer/headers for CSR's
that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of
'BEGIN CERTIFICATE REQUEST'.
2018-10-06 17:17:54 +01:00
Gilles Peskine
ec2a5fdee1 PKCS#1 v1.5 decoding: fix empty payload case 2018-10-05 20:48:20 +02:00
Gilles Peskine
40b57f4acd Remove a remaining sensitive memory access in PKCS#1 v1.5 decryption 2018-10-05 15:35:03 +02:00
Gilles Peskine
85a7442753 mbedtls_rsa_rsaes_pkcs1_v15_decrypt: remove the variable p
Get rid of the variable p. This makes it more apparent where the code
accesses the buffer at an offset whose value is sensitive.

No intended behavior change in this commit.
2018-10-05 14:50:21 +02:00
Andrzej Kurek
6290dae909 Disable dtls fragmentation for ClientHello messages
Set the handshake mtu to unlimited when encountering a ClienHello message and
reset it to its previous value after writing the record.
2018-10-05 08:06:01 -04:00
Hanno Becker
a08651f484 Remove lines above 80 characters in library/ctr_drbg.c 2018-10-05 09:38:59 +01:00
Gilles Peskine
eeedabe25e Minor optimization in the PKCS#1v1.5 unpadding step
Rather than doing the quadratic-time constant-memory-trace on the
whole working buffer, do it on the section of the buffer where the
data to copy has to lie, which can be significantly smaller if the
output buffer is significantly smaller than the working buffer, e.g.
for TLS RSA ciphersuites (48 bytes vs MBEDTLS_MPI_MAX_SIZE).
2018-10-04 22:45:13 +02:00
Gilles Peskine
8c9440a2cb Use branch-free size comparison for the padding size
In mbedtls_rsa_rsaes_pkcs1_v15_decrypt, use size_greater_than (which
is based on bitwise operations) instead of the < operator to compare
sizes when the values being compared must not leak. Some compilers
compile < to a branch at least under some circumstances (observed with
gcc 5.4 for arm-gnueabi -O9 on a toy program).
2018-10-04 21:44:40 +02:00
Gilles Peskine
a1af5c8ea2 Bleichenbacher fix: don't leak the plaintext length (step 2)
Replace memmove(to, to + offset, length) by a functionally equivalent
function that strives to make the same memory access patterns
regardless of the value of length. This fixes an information leak
through timing (especially timing of memory accesses via cache probes)
that leads to a Bleichenbacher-style attack on PKCS#1 v1.5 decryption
using the plaintext length as the observable.
2018-10-04 21:44:29 +02:00
Gilles Peskine
9265ff4ee6 Bleichenbacher fix: don't leak the plaintext length (step 1)
mbedtls_rsa_rsaes_pkcs1_v15_decrypt takes care not to reveal whether
the padding is valid or not, even through timing or memory access
patterns. This is a defense against an attack published by
Bleichenbacher. The attacker can also obtain the same information by
observing the length of the plaintext. The current implementation
leaks the length of the plaintext through timing and memory access
patterns.

This commit is a first step towards fixing this leak. It reduces the
leak to a single memmove call inside the working buffer.
2018-10-04 21:38:22 +02:00
Gilles Peskine
331d80e162 Evolve choose_int_from_mask to if_int
Make the function more robust by taking an arbitrary zero/nonzero
argument instead of insisting on zero/all-bits-one. Update and fix its
documentation.
2018-10-04 21:36:34 +02:00
Simon Butcher
d2642584cb Make inclusion of stdio.h conditional in x509_crt.c
stdio.h was being included both conditionally if MBEDTLS_FS_IO was
defined, and also unconditionally, which made at least one of them
redundant.

This change removes the unconditional inclusion of stdio.h and makes it
conditional on MBEDTLS_PLATFORM_C.
2018-10-03 15:11:19 +01:00
Gilles Peskine
e2a10de275 Fix a timing-based Bleichenbacher attack on PKCS#1v1.5 decryption
mbedtls_rsa_rsaes_pkcs1_v15_decrypt took care of calculating the
padding length without leaking the amount of padding or the validity
of the padding. However it then skipped the copying of the data if the
padding was invalid, which could allow an adversary to find out
whether the padding was valid through precise timing measurements,
especially if for a local attacker who could observe memory access via
cache timings.

Avoid this leak by always copying from the decryption buffer to the
output buffer, even when the padding is invalid. With invalid padding,
copy the same amount of data as what is expected on valid padding: the
minimum valid padding size if this fits in the output buffer,
otherwise the output buffer size. To avoid leaking payload data from
an unsuccessful decryption, zero the decryption buffer before copying
if the padding was invalid.
2018-10-03 01:03:05 +02:00
Gilles Peskine
5908dd4455 Minor readability improvement
Polish the beginning of mbedtls_rsa_rsaes_pkcs1_v15_decrypt a little,
to prepare for some behavior changes.
2018-10-02 22:43:06 +02:00
Jaeden Amero
3725bb2d6d rsa: pss: Enable use of big hashes with small keys
It should be valid to RSASSA-PSS sign a SHA-512 hash with a 1024-bit or
1032-bit RSA key, but with the salt size being always equal to the hash
size, this isn't possible: the key is too small.

To enable use of hashes that are relatively large compared to the key
size, allow reducing the salt size to no less than the hash size minus 2
bytes. We don't allow salt sizes smaller than the hash size minus 2
bytes because that too significantly changes the security guarantees the
library provides compared to the previous implementation which always
used a salt size equal to the hash size. The new calculated salt size
remains compliant with FIPS 186-4.

We also need to update the "hash too large" test, since we now reduce
the salt size when certain key sizes are used. We used to not support
1024-bit keys with SHA-512, but now we support this by reducing the salt
size to 62. Update the "hash too large" test to use a 1016-bit RSA key
with SHA-512, which still has too large of a hash because we will not
reduce the salt size further than 2 bytes shorter than the hash size.

The RSA private key used for the test was generated using "openssl
genrsa 1016" using OpenSSL 1.1.1-pre8.

    $ openssl genrsa 1016
    Generating RSA private key, 1016 bit long modulus (2 primes)
    ..............++++++
    ....++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICVwIBAAKBgACu54dKTbLxUQBEQF2ynxTfDze7z2H8vMmUo9McqvhYp0zI8qQK
    yanOeqmgaA9iz52NS4JxFFM/2/hvFvyd/ly/hX2GE1UZpGEf/FnLdHOGFhmnjj7D
    FHFegEz/gtbzLp9X3fOQVjYpiDvTT0Do20EyCbFRzul9gXpdZcfaVHNLAgMBAAEC
    gYAAiWht2ksmnP01B2nF8tGV1RQghhUL90Hd4D/AWFJdX1C4O1qc07jRBd1KLDH0
    fH19WocLCImeSZooGCZn+jveTuaEH14w6I0EfnpKDcpWVAoIP6I8eSdAttrnTyTn
    Y7VgPrcobyq4WkCVCD/jLUbn97CneF7EHNspXGMTvorMeQJADjy2hF5SginhnPsk
    YR5oWawc6n01mStuLnloI8Uq/6A0AOQoMPkGl/CESZw+NYfe/BnnSeckM917cMKL
    DIKAtwJADEj55Frjj9tKUUO+N9eaEM1PH5eC7yakhIpESccs/XEsaDUIGHNjhctK
    mrbbWu+OlsVRA5z8yJFYIa7gae1mDQJABjtQ8JOQreTDGkFbZR84MbgCWClCIq89
    5R3DFZUiAw4OdS1o4ja+Shc+8DFxkWDNm6+C63g/Amy5sVuWHX2p9QI/a69Cxmns
    TxHoXm1w9Azublk7N7DgB26yqxlTfWJo+ysOFmLEk47g0ekoCwLPxkwXlYIEoad2
    JqPh418DwYExAkACcqrd9+rfxtrbCbTXHEizW7aHR+fVOr9lpXXDEZTlDJ57sRkS
    SpjXbAmylqQuKLqH8h/72RbiP36kEm5ptmw2
    -----END RSA PRIVATE KEY-----
2018-09-27 18:23:08 +01:00
Simon Butcher
c86993e33c Merge remote-tracking branch 'public/pr/1970' into development 2018-09-27 09:48:54 +01:00
Krzysztof Stachowiak
edb868dcf9 Move MinGW specific define out of a header file 2018-09-24 12:41:18 +02:00
Janos Follath
7c025a9f50 Generalize dh_flag in mbedtls_mpi_gen_prime
Setting the dh_flag to 1 used to indicate that the caller requests safe
primes from mbedtls_mpi_gen_prime. We generalize the functionality to
make room for more flags in that parameter.
2018-09-21 16:30:07 +01:00
thomas-dee
eba6c9bb50 changes requested by @hanno-arm
- renamed `mbedtls_asn1_write_any_string` to `mbedtls_asn1_write_tagged_string`
 - renamed `x509_at_oid_from_name` to `x509_attr_descr_from_name`
2018-09-19 09:10:37 +02:00
Krzysztof Stachowiak
41734a1f2a Return an error code from a dummy function 2018-09-13 15:04:31 +02:00
Ron Eldor
54a7c620bb Minor style changes
1. Rephrase error description.
2. fix alignment of error list.
2018-09-12 14:43:44 +03:00
Manuel Pégourié-Gonnard
1c1c20ed4d Fix some whitespace issues 2018-09-12 10:34:43 +02:00
Jaeden Amero
ff215726b4 rsa: pss: Use size_t when computing signatures
Functions like `mbedtls_md_get_size()` and `mgf_mask()` work with
`size_t`. Use local variables with `size_t` to match.
2018-09-11 14:36:03 +01:00
Manuel Pégourié-Gonnard
125af948c3 Merge branch 'development-restricted' into iotssl-1260-non-blocking-ecc-restricted
* development-restricted: (578 commits)
  Update library version number to 2.13.1
  Don't define _POSIX_C_SOURCE in header file
  Don't declare and define gmtime()-mutex on Windows platforms
  Correct preprocessor guards determining use of gmtime()
  Correct documentation of mbedtls_platform_gmtime_r()
  Correct typo in documentation of mbedtls_platform_gmtime_r()
  Correct POSIX version check to determine presence of gmtime_r()
  Improve documentation of mbedtls_platform_gmtime_r()
  platform_utils.{c/h} -> platform_util.{c/h}
  Don't include platform_time.h if !MBEDTLS_HAVE_TIME
  Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Replace 'thread safe' by 'thread-safe' in the documentation
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  ChangeLog: Add missing renamings gmtime -> gmtime_r
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  Minor documentation improvements
  Style: Add missing period in documentation in threading.h
  Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
  Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT
  ...
2018-09-11 12:39:14 +02:00
Simon Butcher
53546ea099 Update library version number to 2.13.1 2018-09-06 19:10:26 +01:00
Simon Butcher
5d40f67138 Merge remote-tracking branch 'public/pr/1927' into development-restricted 2018-09-06 16:24:48 +01:00
Hanno Becker
f5106d54eb Don't declare and define gmtime()-mutex on Windows platforms 2018-09-06 12:09:56 +01:00
Hanno Becker
323d8019bf Correct preprocessor guards determining use of gmtime()
The previous code erroneously used gmtime_r() to implement
mbedtls_platform_gmtime() in case of a non-windows, non-unix system.
2018-09-06 11:30:57 +01:00
Hanno Becker
6f70581c4a Correct POSIX version check to determine presence of gmtime_r()
Recent versions of POSIX move gmtime_r to the base.
2018-09-06 09:06:33 +01:00
Hanno Becker
7dd82b4f51 platform_utils.{c/h} -> platform_util.{c/h} 2018-09-05 16:26:04 +01:00
Hanno Becker
48a816ff26 Minor documentation improvements 2018-09-05 15:22:22 +01:00
Hanno Becker
6a739789f3 Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
For consistency, also rename MBEDTLS_PLATFORM_GMTIME_ALT to
MBEDTLS_PLATFORM_GMTIME_R_ALT.
2018-09-05 15:06:19 +01:00
Hanno Becker
be2e4bddd5 Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT 2018-09-05 14:44:31 +01:00
Hanno Becker
cfeb70c6b9 gmtime: Remove special treatment for IAR
Previous commits attempted to use `gmtime_s()` for IAR systems; however,
this attempt depends on the use of C11 extensions which lead to incompatibility
with other pieces of the library, such as the use of `memset()` which is
being deprecated in favor of `memset_s()` in C11.
2018-09-05 13:52:46 +01:00
Andres Amaya Garcia
94b540ac63 Avoid redefining _POSIX_C_SOURCE 2018-09-05 12:27:32 +01:00
Andres Amaya Garcia
433f911e59 Check for IAR in gmtime macros 2018-09-05 12:01:57 +01:00
Andres Amaya Garcia
3c9733a0a3 Fix typo in comment for gmtime macro defines 2018-09-05 11:52:07 +01:00
Andres Amaya Garcia
ca04a01bb8 Document shorthand gmtime macros 2018-09-05 11:43:57 +01:00
Andres Amaya Garcia
209960611f Use gmtime_s() for IAR 2018-09-05 11:27:56 +01:00
Andres Amaya Garcia
e9b10b21f1 Define _POSIX_C_SOURCE in threading.c before POSIX detection 2018-09-05 11:25:30 +01:00
Simon Butcher
4d075cd7d0 Update library version number to 2.13.0 2018-08-31 15:59:10 +01:00
irwir
da642d98c0
Implicit _endthread call: comment changed 2018-08-31 15:14:54 +03:00
irwir
e1b82ad25f
Added spaces after type casts
`(void) TimerContext;` seems more consistent with the current style than ((void) TimerContext);
No objections to changing this if necessary.
2018-08-30 11:57:09 +03:00
Simon Butcher
0bbb4fc132 Merge branch 'development' into development 2018-08-30 01:11:35 +01:00