Commit graph

20281 commits

Author SHA1 Message Date
Ronald Cron
cb67e1a890
Merge pull request #5917 from gilles-peskine-arm/asn1write-0-fix
Improve ASN.1 write tests
2022-06-30 15:42:16 +02:00
Ronald Cron
bcde39ca4a
Merge pull request #5612 from tom-cosgrove-arm/tls13-config-options
Document that MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is required by MBEDTLS_SSL_PROTO_TLS1_3

Fully validated by the internal CI. No need to wait for the open one.
2022-06-30 15:10:02 +02:00
Manuel Pégourié-Gonnard
31fcfd5632
Merge pull request #5981 from mprse/hkdf_config_fix
Add comment to config_psa.h about enabling PSA_HKDF/-EXTRACT/-EXPAND
2022-06-30 11:27:16 +02:00
Tom Cosgrove
d7adb3c7d9 Add comments about MBEDTLS_PSA_CRYPTO_C also being required by MBEDTLS_SSL_PROTO_TLS1_3
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-06-30 09:48:40 +01:00
Tom Cosgrove
afb2fe1acf Document that MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is required by MBEDTLS_SSL_PROTO_TLS1_3
Also have check_config.h enforce this. And MBEDTLS_SSL_EXPORT_KEYS has been removed,
so no longer mention it.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-06-29 16:36:12 +01:00
Dave Rodgman
1dc6848679
Merge pull request #5976 from gilles-peskine-arm/selftest-calloc-pointer-comparison-fix-development
Remove largely useless bit of test log to silence GCC 12
2022-06-29 15:25:04 +01:00
Manuel Pégourié-Gonnard
2f244c43b4
Merge pull request #5980 from mprse/md_dep_fix
Remove MD dependencies from mbedtls_x509_sig_alg_gets(), ssl_tls13_parse_certificate_verify()
2022-06-29 10:18:41 +02:00
Ronald Cron
7898fd456a
Merge pull request #5970 from gabor-mezei-arm/5229_Send_dummy_change_cipher_spec_records_from_server
TLS 1.3 server: Send dummy change_cipher_spec records

The internal CI PR-merge job ran successfully thus good to go.
2022-06-29 09:47:49 +02:00
Gilles Peskine
d86abf2392
Merge pull request #5861 from wernerlewis/csr_subject_comma
Fix output of commas and other special characters in X509 DN values
2022-06-28 21:00:49 +02:00
Gilles Peskine
7d14c19730
Merge pull request #5905 from gilles-peskine-arm/changelog-improvements-20220609-development
Changelog improvements before the 3.2 release
2022-06-28 21:00:10 +02:00
Gabor Mezei
9e4b7bd199
Do not force TLS 1.3 on client side for TLS 1.3 middlebox compatibility tests
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 16:22:14 +02:00
Gabor Mezei
f7044eaec8
Fix name
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 16:01:49 +02:00
Ronald Cron
e99ec7cb6a
Merge pull request #5908 from ronald-cron-arm/tls13-fixes-doc
TLS 1.3: Fixes and add documentation
Validated by the internal CI, no need to wait for the Open CI.
2022-06-28 12:16:17 +02:00
Gabor Mezei
96ae926572
Typo
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 11:56:26 +02:00
Gabor Mezei
5471912269
Move switching to handshake transform after sending CCS record
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 11:56:26 +02:00
Gabor Mezei
05ebf3be74
Revert "Do not encrypt CCS records"
This reverts commit 96ec831385.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-06-28 11:55:35 +02:00
Przemek Stekiel
4dc874453e ssl_tls13_parse_certificate_verify(): optimize the code
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-28 11:05:42 +02:00
Manuel Pégourié-Gonnard
273453f126
Merge pull request #5983 from gstrauss/inline-mbedtls_x509_dn_get_next
Inline mbedtls_x509_dn_get_next() in x509.h
2022-06-28 10:13:58 +02:00
Ronald Cron
6b14c69277 Improve documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
11b5332ffc tls13: Fix certificate extension size write
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
139d0aa9d3 Fix typo in documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
81a334fc02 tls13: Fix buffer overread checks in ssl_tls13_parse_alpn_ext()
Some coding style alignement as well.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
585cd70d04 tests: ssl: Fix coverity deadcode issue
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
7b8404608a tls13: Rename ssl_tls13_write_hello_retry_request_coordinate
Rename ssl_tls13_write_hello_retry_request_coordinate to
ssl_tls13_prepare_hello_retry_request as it is more
aligned with what the function does.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
fb508b8f21 tls13: Move state changes up to state main handler
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
63dc463ed6 tls13: Simplify switch to the inbound handshake keys on server side
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
5afb904022 tls13: Move out of place handshake field reset
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
828aff6ead tls13: Rename server_hello_coordinate to preprocess_server_hello
Rename server_hello_coordinate to preprocess_server_hello
as it is more aligned with what the function does.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
db5dfa1f1c tls13: Move ServerHello fetch to the ServerHello top handler
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
44b23b10e1 tls13: Document TLS 1.3 handshake implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
9d6a545714 tls13: Re-organize EncryptedExtensions message parsing code
Align the organization of the EncryptedExtensions
message parsing code with the organization of the
other message parsing codes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
154d1b68d6 tls13: Fix wrong usage of MBEDTLS_SSL_CHK_BUF(_READ)_PTR macros
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
c80835943c tls13: Fix pointer calculation before space check
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
2827106199 tls13: Add missing buffer overread check
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
b94854f8e3
Merge pull request #5973 from ronald-cron-arm/tls13-misc-tests
TLS 1.3: Enable and add tests
2022-06-28 09:15:17 +02:00
Gilles Peskine
5969a4b5e0 Don't call memcpy(NULL, 0) which has undefined behavior
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 23:59:53 +02:00
Gilles Peskine
bf918b9cfe Use headlinese for added functions, per request
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 23:34:32 +02:00
Glenn Strauss
01d2f52a32 Inline mbedtls_x509_dn_get_next() in x509.h
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-06-27 14:20:07 -04:00
Przemek Stekiel
18399d8d53 Add comment to config_psa.h about enabling PSA_HKDF/PSA_HKDF_EXRACT/PSA_HKDF_EXPAND algs
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 15:36:06 +02:00
Dave Rodgman
f5b7082f6e
Merge pull request #5811 from polhenarejos/bug_x448
Fix order value for curve x448
2022-06-27 13:47:24 +01:00
Werner Lewis
9b0e940135 Fix case where final special char exceeds buffer
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 12:01:22 +01:00
Przemek Stekiel
9e30fc94f3 Remove redundant spaces
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 12:48:35 +02:00
Werner Lewis
fd8cfe4f8e Replace parsing with outputting
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:23:43 +01:00
Werner Lewis
31ecb9600a Add tests for exceeded buffer size
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:23:43 +01:00
Werner Lewis
b33dacdb50 Fix parsing of special chars in X509 DN values
Use escape mechanism defined in RFC 1779 when parsing commas and other
special characters in X509 DN values. Resolves failures when generating
a certificate with a CSR containing a comma in subject value.
Fixes #769.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:19:50 +01:00
Przemek Stekiel
6a5e01858f ssl_tls13_parse_certificate_verify(): remove md dependency
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 11:53:13 +02:00
Przemek Stekiel
6230d0d398 mbedtls_x509_sig_alg_gets(): remove md dependency
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 11:19:04 +02:00
Ronald Cron
a8d79b9eb6 ssl-opt.sh: Remove one pattern check
In "Authentication: client cert not trusted,
server required" ssl-opt.sh test, depending
on client and server execution speed, the
handshake on the client side may complete
successfully: the TLS connection is aborted
by the server because it is not able to
authenticate the client but at that time
the client may have completed the handshake
on its side. Thus, do not check that the
client handshake failed.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:05:35 +02:00
Ronald Cron
07040bb179
Merge pull request #5951 from xkqian/tls13_add_alpn
Add ALPN extension to the server side
2022-06-27 08:33:03 +02:00
Gilles Peskine
0ff241a1ea Remove largely useless bit of test log to silence GCC 12
GCC 12 emits a warning because it thinks `buffer1` is used after having been
freed. The code is correct C because we're only using the value of
`(uintptr_t)buffer1`, not `buffer1`. However, we aren't using the value for
anything useful: it doesn't really matter if an alloc-free-alloc sequence
returns the same address twice. So don't print that bit of information, and
this way we don't need to save the old address.

Fixes #5974.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-25 14:29:23 +02:00