Commit Graph

9216 Commits

Author SHA1 Message Date
Hanno Becker
7ec9c368f1 Add buffer holding raw ExtKeyUsage extension data to CRT struct
The previous commits replace the use of dynamically allocated linked lists
for X.509 name inspection. This commit is the first in a series which attempts
the same for the `ExtendedKeyUsage` extension. So far, when a CRT is parsed,
the extension is traversed and converted into a dynamically allocated linked
list, which is then search through whenever the usage of a CRT needs to be
checked through `mbedtls_x509_check_extended_key_usage()`.

As a first step, this commit introduces a raw buffer holding the bounds
of the `ExtendedKeyUsage` extension to the `mbedtls_x509_crt` structure.
2019-06-25 09:06:26 +01:00
Hanno Becker
8b543b3ca8 Make use of abort condition callback in CN comparison
The previous CN name comparison function x509_crt_verify_name()
traversed the dynamically allocated linked list presentation of
the CRT's subject, comparing each entry to the desired hostname
configured by the application code.

Eventually, we want to get rid of the linked list presentation of
the CRT's subject to save both code and RAM usage, and hence need
to rewrite the CN verification routine in a way that builds on the
raw ASN.1 subject data only.

In order to avoid duplicating the code for the parsing of the nested
ASN.1 name structure, this commit performs the name search by using
the existing name traversal function mbedtls_x509_name_cmp_raw(),
passing to it a callback which checks whether the current name
component matches the desired hostname.
2019-06-25 09:06:26 +01:00
Hanno Becker
67284cce00 Add abort condition callback to mbedtls_x509_name_cmp_raw()
There are three operations that need to be performed on an X.509 name:
1 Initial traversal to check well-formedness of the ASN.1 structure.
2 Comparison between two X.509 name sequences.
3 Checking whether an X.509 name matches a client's ServerName request.

Each of these tasks involves traversing the nested ASN.1 structure,
In the interest of saving code, we aim to provide a single function
which can perform all of the above tasks.

The existing comparison function is already suitable not only for task 2,
but also for 1: One can simply pass two equal ASN.1 name buffers, in which
case the function will succeed if and only if that buffer is a well-formed
ASN.1 name.

This commit further adds a callback to `mbedtls_x509_name_cmp_raw()` which
is called after each successful step in the simultaneous name traversal and
comparison; it may perform any operation on the current name and potentially
signal that the comparison should be aborted.

With that, task 3 can be implemented by passing equal names and a callback
which aborts as soon as it finds the desired name component.
2019-06-25 09:06:26 +01:00
Hanno Becker
7dee12a38c Make use of raw comparison function in CRT verification
This commit replaces the previous calls to `mbedtls_x509_name_cmp()`
during CRT verification (to match child and parent, to check whether
a CRT is self-issued, and to match CRLs and CAs) by calls to the new
`mbedtls_x509_name_cmp_raw()` using the raw ASN.1 data; it passes the
raw buffers introduced in the last commits.

The previous name comparison function mbedtls_x509_name_cmp() is now
both unused and unneeded, and is removed.
2019-06-25 09:06:26 +01:00
Hanno Becker
f8a42862b7 Add buffers with raw issuer/subject data to CRT structure 2019-06-25 09:06:26 +01:00
Hanno Becker
a632e3638c Add buffer with raw issuer data to CRL structure
To make use of the X.509 name comparison function based on raw
ASN.1 data that was introduced in the previous commit, this commit
adds an ASN.1 buffer field `issuer_raw_no_hdr` to `mbedtls_x509_crl`
which delimits the raw contents of the CRLs `Issuer` field.

The previous field `issuer_raw` isn't suitable for that because
it includes the ASN.1 header.
2019-06-25 09:06:26 +01:00
Hanno Becker
a3a2ca1333 Provide X.509 name comparison based on raw ASN.1 data
This commit provides a new function `mbedtls_x509_name_cmp_raw()`
to x509.c for comparing to X.509 names by traversing the raw ASN.1
data (as opposed to using the dynamically allocated linked list
of `mbedtls_x509_name` structures). It has external linkage because
it will be needed in `x509_crt` and `x509_crl`, but is marked
internal and hence not part of the public API.
2019-06-25 09:06:26 +01:00
Hanno Becker
88de342c95 Move x509_name_cmp() from x509_crt.c to x509.c
This is to prepare a subsequent rewrite of `x509_name_cmp()` in terms
of the X.509 name traversal helper `x509_set_sequence_iterate()`
from `x509.c`.
2019-06-25 09:06:26 +01:00
Hanno Becker
83cd8676fa Remove sig_oid parameter from mbedtls_x509_sig_alg_gets()
The function `mbedtls_x509_sig_alg_gets()` previously needed the
raw ASN.1 OID string even though it is implicit in the PK and MD
parameters.

This commit modifies `mbedtls_x509_sig_alg_gets()` to infer the OID
and remove it from the parameters.

This will be needed for the new X.509 CRT structure which will
likely not store the signature OID.

Care has to be taken to handle the case of RSASSA-PSS correctly,
where the hash algorithm in the OID list is set to MBEDTLS_MD_NONE
because it's only determined by the algorithm parameters.
2019-06-25 09:06:26 +01:00
Hanno Becker
f226998fa2 Reduce code-size of mbedtls_asn1_get_sequence_of()
Reduce nesting of branches and remove unnecessary check at the end
of the routine.
2019-06-25 09:00:25 +01:00
Hanno Becker
b5419867cd Reduce code-size of mbedtls_asn1_get_alg()
The previous code
- checked that at least 1 byte of ASN.1 tag data is available,
- read and stored that ASN.1 tag,
- called the ASN.1 parsing function, part of which is checking
  that enough space is available and that the ASN.1 tag matches
  the expected value MBEDTLS_ASN1_OID.

Since the ASN.1 parsing function includes bounds checks,
this can be streamlined to:
- call the ASN.1 parsing function directly,
- on success, store MBEDTLS_ASN1_OID in the tag field.

This commit applies this simplification to mbedtls_asn1_get_alg().
2019-06-25 09:00:25 +01:00
Hanno Becker
30cb1ac23e Reduce code-size of mbedtls_x509_get_name()
Consider the following code-template:

   int beef();

   static int foo()
   {
        /* ... */
        ret = beef();
        if( ret != 0 )
           return( ret + HIGH_LEVEL );
        /* ... */
   }

   int bar()
   {
       /* ... */
       ret = foo();
       if( ret != 0 )
          ...
       /* ... */
   }

This leads to slightly larger code than expected, because when the
compiler inlines foo() into bar(), the sequence of return sequences
cannot be squashed, because compiler might not have knowledge that
the wrapping `ret + HIGH_LEVEL` of the return value of beef() doesn't
lead to foo() returning 0.

This can be avoided by performing error code wrapping in nested
functions calls at the top of the call chain.

This commit applies this slight optimization to mbedtls_x509_get_name().

It also moves various return statements into a single exit section,
again with the intend to save code.
2019-06-25 09:00:25 +01:00
Hanno Becker
3470d592ce Simplify implementation of mbedtls_x509_get_name()
X.509 names in ASN.1 are encoded as ASN.1 SEQUENCEs of ASN.1 SETs
of Attribute-Value pairs, one for each component in the name. (For
example, there could be an Attribute-Value pair for "DN=www.mbedtls.org").

So far, `mbedtls_x509_get_name()` parsed such names by two nested
loops, the outer one traversing the outer ASN.1 SEQUENCE and the
inner one the ASN.1 SETs.

This commit introduces a helper function `x509_set_sequence_iterate()`
which implements an iterator through an ASN.1 name buffer; the state
of the iterator is a triple consisting of
- the current read pointer
- the end of the current SET
- the end of the name buffer
The iteration step reads a new SET if the current read pointer has
reached the end of the current SET, and afterwards reads the next
AttributeValue pair.
This way, iteration through the X.509 name data can be implemented
in a single loop, which increases readability and slightly reduces
the code-size.
2019-06-25 09:00:25 +01:00
Hanno Becker
b40dc58a83 Introduce a helper macro to check for ASN.1 string tags
This commit introduces a macro `MBEDTLS_ASN1_IS_STRING_TAG`
that can be used to check if an ASN.1 tag is among the list
of string tags:
- MBEDTLS_ASN1_BMP_STRING
- MBEDTLS_ASN1_UTF8_STRING
- MBEDTLS_ASN1_T61_STRING
- MBEDTLS_ASN1_IA5_STRING
- MBEDTLS_ASN1_UNIVERSAL_STRING
- MBEDTLS_ASN1_PRINTABLE_STRING
- MBEDTLS_ASN1_BIT_STRING
2019-06-25 09:00:25 +01:00
Hanno Becker
ace04a6dc3 Move bounds check into ASN.1 parsing function
`x509_get_attr_type_value()` checks for the presence of a tag byte
and reads and stores it before calling `mbedtls_asn1_get_tag()` which
fails if either the tag byte is not present or not as expected. Therefore,
the manual check can be removed and left to `mbedtls_asn1_get_tag()`, and
the tag can be hardcoded after the call succeeded. This saves a few bytes
of code.
2019-06-25 09:00:25 +01:00
Hanno Becker
74b89f6051 Use private key to check suitability of PK type when picking srv CRT
The server-side routine `ssl_pick_cert()` is responsible for
picking a suitable CRT from the list of CRTs configured on the
server. For that, it previously used the public key context
from the certificate to check whether its type (including the
curve type for ECC keys) suits the ciphersuite and the client's
preferences.

This commit changes the code to instead use the PK context
holding the corresponding private key. For inferring the type
of the key, this makes no difference, and it removes a PK-from-CRT
extraction step which, if CRTs are stored raw, is costly in terms
of computation and memory: CRTs need to be parsed, and memory needs
to be allocated for the PK context.
2019-06-25 09:00:25 +01:00
Hanno Becker
81bb4d0378 Simplify server-side ssl_decrypt_encrypted_pms()
The server-side routine `ssl_decrypt_encrypted_pms()` is
responsible for decrypting the RSA-encrypted PMS in case of
an RSA-based ciphersuite.

Previously, the code checked that the length of the PMS sent
by the client matches the bit length of the RSA key. This commit
removes this check -- thereby removing the need to access the
server's own CRT -- because the RSA decryption routine performs
this check itself, too.
2019-06-25 09:00:25 +01:00
Hanno Becker
cd03bb2048 Introduce helper functions to free X.509 names and sequences
`mbedtls_x509_name` and `mbedtls_x509_sequence` are dynamically allocated
linked lists that need a loop to free properly. Introduce a static helper
function to do that and use it in `mbedtls_x509_crt_free()`, where the
CRT's issuer and subject names (of type `mbedtls_x509_name`) and the
SubjectAlternativeName and ExtendedKeyUsage extensions (of type
`mbedtls_x509_sequence`) need freeing. Increases code-clarity and saves
a few bytes of flash.
2019-06-25 09:00:25 +01:00
Manuel Pégourié-Gonnard
393338ca78
Merge pull request #586 from ARMmbed/remove_peer_crt_after_handshake_no_digest-baremetal
[Baremetal] Don't store peer CRT digest if renegotiation is disabled
2019-06-24 18:12:00 +02:00
Manuel Pégourié-Gonnard
79cf74a95f
Merge pull request #583 from ARMmbed/remove_peer_crt_after_handshake-baremetal
[Baremetal] Allow removal of peer certificate to reduce RAM usage
2019-06-24 18:11:46 +02:00
Manuel Pégourié-Gonnard
8dcd80ec5c
Merge pull request #578 from ARMmbed/x509_parse_bf-baremetal
[Baremetal] Enhance X.509 CRT negative parsing tests
2019-06-24 18:08:33 +02:00
Manuel Pégourié-Gonnard
cc3b7ccb04
Merge pull request #579 from Patater/bm-dont-use-non-existent-encrypt-then-mac
[Baremetal] ssl: Don't access non-existent encrypt_then_mac field
2019-06-24 18:06:53 +02:00
Hanno Becker
e256f7c9ae Add test for !KEEP_PEER_CERTIFICATE + !RENEGOTIAITON to all.sh 2019-06-19 16:56:51 +01:00
Hanno Becker
5882dd0856 Remove CRT digest from SSL session if !RENEGO + !KEEP_PEER_CERT
If `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is not set, `mbedtls_ssl_session`
contains the digest of the peer's certificate for the sole purpose of
detecting a CRT change on renegotiation. Hence, it is not needed if
renegotiation is disabled.

This commit removes the `peer_cert_digest` fields (and friends) from
`mbedtls_ssl_session` if
   `!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + !MBEDTLS_SSL_RENEGOTIATION`,
which is a sensible configuration for constrained devices.

Apart from straightforward replacements of
   `if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)`
by
   `if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
        defined(MBEDTLS_SSL_RENEGOTIATION)`,
there's one notable change: On the server-side, the CertificateVerify
parsing function is a no-op if the client hasn't sent a certificate.
So far, this was determined by either looking at the peer CRT or the
peer CRT digest in the SSL session structure (depending on the setting
of `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`), which now no longer works if
`MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is unset. Instead, this function
now checks whether the temporary copy of the peer's public key within
the handshake structure is initialized or not (which is also a
beneficial simplification in its own right, because the pubkey is
all the function needs anyway).
2019-06-19 16:56:51 +01:00
Hanno Becker
0528f82fa9 Clarify documentation of serialized session format 2019-06-19 14:59:42 +01:00
Hanno Becker
d972f005bf Use consistent error messages in check_config.h 2019-06-19 14:59:42 +01:00
Hanno Becker
17daaa5cc6 Move return statement in ssl_srv_check_client_no_crt_notification
The previous placing of the return statement made it look like there
are configurations for which no return statement is emitted; while
that's not true (if this function is used, at least some version of
TLS must be enabled), it's still clearer to move the failing return
statement to outside of all preprocessor guards.
2019-06-19 14:59:42 +01:00
Hanno Becker
2326d20361 Validate consistency of certificate hash type and length in session 2019-06-19 14:59:42 +01:00
Hanno Becker
fd5dc8ae07 Fix unused variable warning in ssl_parse_certificate_coordinate()
This was triggered in client-only builds.
2019-06-19 14:59:42 +01:00
Hanno Becker
488c8dee47 Add missing compile time guard in ssl_client2 2019-06-19 14:59:42 +01:00
Hanno Becker
b6f7241741 Update programs/ssl/query_config.c 2019-06-19 14:59:42 +01:00
Hanno Becker
b7fab76890 ssl_client2: Reset peer CRT info string on reconnect 2019-06-19 14:59:42 +01:00
Hanno Becker
c39e23ebb6 Add further debug statements on assertion failures 2019-06-19 14:59:41 +01:00
Hanno Becker
42de8f8a42 Fix typo in documentation of ssl_parse_certificate_chain() 2019-06-19 14:59:41 +01:00
Hanno Becker
e9839c001b Add debug output in case of assertion failure 2019-06-19 14:59:41 +01:00
Hanno Becker
2984bd2543 Add config sanity check for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-06-19 14:59:41 +01:00
Hanno Becker
f9ca30d042 ssl_client2: Zeroize peer CRT info buffer when reconnecting 2019-06-19 14:59:41 +01:00
Hanno Becker
890d7ee4cb Reintroduce numerous ssl-opt.sh tests if !MBEDTLS_SSL_KEEP_PEER_CERT 2019-06-19 14:59:41 +01:00
Hanno Becker
975c463b3f ssl_client2: Extract peer CRT info from verification callback
So far, `ssl_client2` printed the CRT info for the peer's CRT
by requesting the latter through `mbedtls_ssl_get_peer_cert()`
at the end of the handshake, and printing it via
`mbedtls_x509_crt_info()`. When `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`
is disabled, this does no longer work because the peer's CRT
isn't stored beyond the handshake.

This makes some tests in `ssl-opt.sh` fail which rely on the CRT
info output for the peer certificate.

This commit modifies `ssl_client2` to extract the peer CRT info
from the verification callback, which is always called at a time
when the peer's CRT is available. This way, the peer's CRT info
is still printed if `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is disabled.
2019-06-19 14:59:37 +01:00
Hanno Becker
24bc570814 Improve documentation of mbedtls_ssl_get_peer_cert() 2019-06-19 10:26:50 +01:00
Hanno Becker
3ed64578d2 Improve documentation of MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-06-19 10:26:50 +01:00
Hanno Becker
dd689316d1 Fix indentation of Doxygen comment in ssl_internal.h 2019-06-19 10:26:50 +01:00
Hanno Becker
9d64b789cf Set peer CRT length only after successful allocation 2019-06-19 10:26:50 +01:00
Hanno Becker
257ef65d94 Remove question in comment about verify flags on cli vs. server 2019-06-19 10:26:50 +01:00
Hanno Becker
e669770b52 Remove misleading and redundant guard around restartable ECC field
`MBEDTLS_SSL__ECP_RESTARTABLE` is only defined if
`MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED` is set, which
requires `MBEDTLS_X509_PARSE_C` to be set (this is checked
in `check_config.`). The additional `MBEDTLS_X509_PARSE_C`
guard around the `ecrs_peer_cert` field is therefore not
necessary; moreover, it's misleading, because it hasn't
been used consistently throughout the code.
2019-06-19 10:26:50 +01:00
Hanno Becker
92820a1dff Add test for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to all.sh 2019-06-19 10:26:50 +01:00
Hanno Becker
34106f6ae2 Free peer CRT chain immediately after verifying it
If we don't need to store the peer's CRT chain permanently, we may
free it immediately after verifying it. Moreover, since we parse the
CRT chain in-place from the input buffer in this case, pointers from
the CRT structure remain valid after freeing the structure, and we
use that to extract the digest and pubkey from the CRT after freeing
the structure.
2019-06-19 10:26:50 +01:00
Hanno Becker
0cc7af5be5 Parse peer's CRT chain in-place from the input buffer 2019-06-19 10:26:50 +01:00
Hanno Becker
6c83db7f7b Free peer's public key as soon as it's no longer needed
On constrained devices, this saves a significant amount of RAM that
might be needed for subsequent expensive operations like ECDHE.
2019-06-19 10:26:50 +01:00
Hanno Becker
17572473c6 Correct compile-time guards for ssl_clear_peer_cert()
It is used in `mbedtls_ssl_session_free()` under
`MBEDTLS_X509_CRT_PARSE_C`, but defined only if
`MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED`.

Issue #2422 tracks the use of
`MBEDTLS_KEY_EXCHANGE__WITH_CERT_ENABLED` instead of
`MBEDTLS_X509_CRT_PARSE_C` for code and fields
related to CRT-based ciphersuites.
2019-06-19 10:26:50 +01:00