Commit Graph

10305 Commits

Author SHA1 Message Date
Hanno Becker
7177a88a36 Introduce helper function to determine whether suite uses server CRT
This commit introduces a static helper function

   `mbedtls_ssl_ciphersuite_uses_srv_cert()`

which determines whether a ciphersuite may make use of server-side CRTs.

This function is in turn uses in `mbedtls_ssl_parse_certificate()` to
skip certificate parsing for ciphersuites which don't involve CRTs.

Note: Ciphersuites not using server-side CRTs don't allow client-side CRTs
either, so it is safe to guard `mbedtls_ssl_{parse/write}_certificate()`
this way.

Note: Previously, the code uses a positive check over the suites

- MBEDTLS_KEY_EXCHANGE_PSK
- MBEDTLS_KEY_EXCHANGE_DHE_PSK
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
- MBEDTLS_KEY_EXCHANGE_ECJPAKE,

while now, it uses a negative check over `mbedtls_ssl_ciphersuite_uses_srv_cert()`,
which checks for the suites

- MBEDTLS_KEY_EXCHANGE_RSA
- MBEDTLS_KEY_EXCHANGE_RSA_PSK
- MBEDTLS_KEY_EXCHANGE_DHE_RSA
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA

This is equivalent since, together, those are all ciphersuites.
Quoting ssl_ciphersuites.h:

```
typedef enum {
    MBEDTLS_KEY_EXCHANGE_NONE = 0,
    MBEDTLS_KEY_EXCHANGE_RSA,
    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
    MBEDTLS_KEY_EXCHANGE_PSK,
    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
} mbedtls_key_exchange_type_t;
```
2019-02-26 14:38:09 +00:00
Hanno Becker
2148993900 Use helper macro to detect whether some ciphersuite uses CRTs 2019-02-26 14:38:09 +00:00
Hanno Becker
6bdfab2ccc Unify state machine update in mbedtls_ssl_parse_certificate()
The handler `mbedtls_ssl_parse_certificate()` for incoming `Certificate`
messages contains many branches updating the handshake state. For easier
reasoning about state evolution, this commit introduces a single code-path
updating the state machine at the end of `mbedtls_ssl_parse_certificate()`.
2019-02-26 14:38:09 +00:00
Hanno Becker
7a955a043e Clear peer's CRT chain outside before parsing new one
If an attempt for session resumption fails, the `session_negotiate` structure
might be partially filled, and in particular already contain a peer certificate
structure. This certificate structure needs to be freed before parsing the
certificate sent in the `Certificate` message.

This commit moves the code-path taking care of this from the helper
function `ssl_parse_certificate_chain()`, whose purpose should be parsing
only, to the top-level handler `mbedtls_ssl_parse_certificate()`.

The fact that we don't know the state of `ssl->session_negotiate` after
a failed attempt for session resumption is undesirable, and a separate
issue #2414 has been opened to improve on this.
2019-02-26 14:38:09 +00:00
Hanno Becker
4a55f638e2 Introduce helper to check for no-CRT notification from client
This commit introduces a server-side static helper function
`ssl_srv_check_client_no_crt_notification()`, which checks if
the message we received during the incoming certificate state
notifies the server of the lack of certificate on the client.

For SSLv3, such a notification comes as a specific alert,
while for all other TLS versions, it comes as a `Certificate`
handshake message with an empty CRT list.
2019-02-26 14:38:09 +00:00
Hanno Becker
a028c5bbd8 Introduce CRT counter to CRT chain parsing function
So far, we've used the `peer_cert` pointer to detect whether
we're parsing the first CRT, but that will soon be removed
if `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is unset.
2019-02-26 14:38:09 +00:00
Hanno Becker
1294a0b260 Introduce helper function to clear peer CRT from session structure
This commit introduces a helper function `ssl_clear_peer_cert()`
which frees all data related to the peer's certificate from an
`mbedtls_ssl_session` structure. Currently, this is the peer's
certificate itself, while eventually, it'll be its digest only.
2019-02-26 14:38:09 +00:00
Hanno Becker
f852b1c035 Break overly long line in definition of mbedtls_ssl_get_session() 2019-02-26 14:38:09 +00:00
Hanno Becker
60848e6574 Don't reuse CRT from initial handshake during renegotiation
After mitigating the 'triple handshake attack' by checking that
the peer's end-CRT didn't change during renegotation, the current
code avoids re-parsing the CRT by moving the CRT-pointer from the
old session to the new one. While efficient, this will no longer
work once only the hash of the peer's CRT is stored beyond the
handshake.

This commit removes the code-path moving the old CRT, and instead
frees the entire peer CRT chain from the initial handshake as soon
as the 'triple handshake attack' protection has completed.
2019-02-26 14:38:09 +00:00
Jaeden Amero
72f8348d1b
Merge pull request #72 from gilles-peskine-arm/psa-fix_setup_cleanup
Fix missing cleanup in psa_cipher_setup
2019-02-26 11:25:31 +00:00
Gilles Peskine
9e0a4a54a2 Test abort after failed setup
Commit "Smoke-test operation contexts after setup+abort" replaced
{failed-setup; abort} sequences by {failed-setup; successful-setup}.
We want to test that, but we also want to test {failed-setup; abort}.
So test {failed-setup; abort; failed-setup; successful-setup}.
2019-02-26 11:29:17 +01:00
Gilles Peskine
9ab61b603d Fix cleanup in psa_cipher_setup
In some error cases, psa_cipher_setup was leaving a partly-initialized
operation context.
2019-02-26 11:29:17 +01:00
Gilles Peskine
f426e0f303 Smoke-test operation contexts after setup+abort
After a successful setup followed by abort, or after a failed setup
from an inactive state, a context must be usable. Test this for
hash, MAC and cipher contexts.
2019-02-26 11:29:16 +01:00
Jaeden Amero
e23a693873
Merge pull request #70 from Patater/include-platform-util
psa: Explicitly include platform_util.h
2019-02-26 10:06:34 +00:00
Janos Follath
ffbd7e8ff3 Improve mbedtls_ecp_point_read_binary tests
Renamed the tests because they are explicitly testing Curve25519 and
nothing else. Improved test coverage, test documentation and extended
in-code documentation with a specific reference to the standard as well.
2019-02-25 11:49:54 +00:00
Jaeden Amero
81cefed27f psa: Explicitly include platform_util.h
crypto_extra.h has a dependency on platform_util.h for
MBEDTLS_DEPRECATED_NUMERIC_CONSTANT. Make the dependency explicit by
including platform_util.h. Although in most use cases the header should
already be included by something else, it doesn't hurt to include it
again and helps to clarify dependencies.
2019-02-25 10:25:48 +00:00
Janos Follath
7caf8e452f Add Montgomery points to ecp_point_write_binary
The library is able to perform computations and cryptographic schemes on
curves with x coordinate ladder representation. Here we add the
capability to export such points.
2019-02-22 15:42:18 +00:00
Gilles Peskine
bf7a98b791 Fix typos found in PSA Crypto API 1.0 beta2 before publication 2019-02-22 16:42:11 +01:00
Janos Follath
ab0f71a22a ECDH: Add test vectors for Curve25519
The test vectors added are published in RFC 7748.
2019-02-22 15:42:03 +00:00
Janos Follath
e344d0f6fc Add little endian export to Bignum
The function `mbedtls_mpi_write_binary()` writes big endian byte order,
but we need to be able to write little endian in some caseses. (For
example when handling keys corresponding to Montgomery curves.)

Used `echo xx | tac -rs ..` to transform the test data to little endian.
2019-02-22 15:41:31 +00:00
Janos Follath
171a7efd02 Add mbedtls_ecp_read_key
The private keys used in ECDH differ in the case of Weierstrass and
Montgomery curves. They have different constraints, the former is based
on big endian, the latter little endian byte order. The fundamental
approach is different too:
- Weierstrass keys have to be in the right interval, otherwise they are
  rejected.
- Any byte array of the right size is a valid Montgomery key and it
  needs to be masked before interpreting it as a number.

Historically it was sufficient to use mbedtls_mpi_read_binary() to read
private keys, but as a preparation to improve support for Montgomery
curves we add mbedtls_ecp_read_key() to enable uniform treatment of EC
keys.

For the masking the `mbedtls_mpi_set_bit()` function is used. This is
suboptimal but seems to provide the best trade-off at this time.
Alternatives considered:
- Making a copy of the input buffer (less efficient)
- removing the `const` constraint from the input buffer (breaks the api
and makes it less user friendly)
- applying the mask directly to the limbs (violates the api between the
modules and creates and unwanted dependency)
2019-02-22 15:39:03 +00:00
Janos Follath
59b813c7be Add Montgomery points to ecp_point_read_binary
The library is able to perform computations and cryptographic schemes on
curves with x coordinate ladder representation. Here we add the
capability to import such points.
2019-02-22 15:38:46 +00:00
Janos Follath
a778a94b7d Add little endian import to Bignum
The function `mbedtls_mpi_read_binary()` expects big endian byte order,
but we need to be able to read from little endian in some caseses. (For
example when handling keys corresponding to Montgomery curves.)

Used `echo xx | tac -rs .. | tr [a-z] [A-Z]` to transform the test data
to little endian and `echo "ibase=16;xx" | bc` to convert to decimal.
2019-02-22 15:38:32 +00:00
Jaeden Amero
86016a03a1 Merge remote-tracking branch 'origin/pr/2338' into development 2019-02-22 12:55:30 +00:00
Jaeden Amero
e895342522 Merge remote-tracking branch 'origin/pr/2427' into development 2019-02-22 12:53:13 +00:00
Jaeden Amero
d247762a8d Merge remote-tracking branch 'origin/pr/2460' into development 2019-02-22 12:52:51 +00:00
Hanno Becker
85fd913950 Fix typo in check_config.h 2019-02-22 12:50:35 +00:00
Gilles Peskine
3081629de4 Fix mbedtls_ecdh_get_params with new ECDH context
The new check for matching groups in mbedtls_ecdh_get_params only worked
with legacy ECDH contexts. Make it work with the new context format.
2019-02-22 13:04:23 +01:00
Gilles Peskine
e023c80477 Test undefining MBEDTLS_ECDH_LEGACY_CONTEXT in all.sh
Test that the library works with the new context format.
2019-02-22 13:04:23 +01:00
Gilles Peskine
43f564f29d Define MBEDTLS_ECDH_LEGACY_CONTEXT in config.h
Define MBEDTLS_ECDH_LEGACY_CONTEXT in config.h instead of hard-coding
this in ecdh.h so that its absence can be tested. Document it as
experimental so that we reserve the right to change it in the future.
2019-02-22 13:04:20 +01:00
Jaeden Amero
caca307f42 crypto: Update submodule to Mbed Crypto 1.0.0d6 2019-02-22 10:48:48 +00:00
Jaeden Amero
415620c1f2 Merge remote-tracking branch 'origin/pr/2105' into development
Additional work done as part of merge:
    - Run ./tests/scripts/check-generated-files.sh and check in the
      resulting changes to programs/ssl/query_config.c
2019-02-22 10:33:15 +00:00
Jaeden Amero
461bd3dcca Merge remote-tracking branch 'origin/pr/2454' into development 2019-02-22 10:32:44 +00:00
Jaeden Amero
9f47f82218 Merge remote-tracking branch 'origin/pr/2391' into development 2019-02-22 10:32:44 +00:00
Jaeden Amero
8963b0311c Merge remote-tracking branch 'origin/pr/2411' into development 2019-02-22 10:32:44 +00:00
Jaeden Amero
d9516b508a Merge remote-tracking branch 'origin/pr/2407' into development 2019-02-22 10:32:44 +00:00
Jaeden Amero
0ae63f7bc3 Merge remote-tracking branch 'origin/pr/2383' into development 2019-02-22 10:32:43 +00:00
Hanno Becker
241b524964 Disable restartable ECC in full config PSA test in all.sh 2019-02-22 10:26:30 +00:00
Hanno Becker
1ce51e4dc3 Forbid setting MBEDTLS_ECP_RESTARTABLE and MBEDTLS_USE_PSA_CRYPTO_C
Restartable ECC isn't supported in PSA yet.
2019-02-22 10:25:47 +00:00
Gilles Peskine
ccf8ba0e6d Add changelog entry for mbedtls_ecdh_get_params robustness 2019-02-22 10:21:46 +01:00
Gilles Peskine
0b1b71d712 Fix ecdh_get_params with mismatching group
If mbedtls_ecdh_get_params is called with keys belonging to
different groups, make it return an error the second time, rather than
silently interpret the first key as being on the second curve.

This makes the non-regression test added by the previous commit pass.
2019-02-22 10:21:46 +01:00
Gilles Peskine
c4dff06f31 Add test case for ecdh_get_params with mismatching group
Add a test case for doing an ECDH calculation by calling
mbedtls_ecdh_get_params on both keys, with keys belonging to
different groups. This should fail, but currently passes.
2019-02-22 10:21:31 +01:00
Gilles Peskine
552563b741 Add test case for ecdh_calc_secret
Add a test case for doing an ECDH calculation by calling
mbedtls_ecdh_get_params on both keys, then mbedtls_ecdh_calc_secret.
2019-02-22 10:20:07 +01:00
Jaeden Amero
bf61ca7a04
Merge pull request #58 from Patater/disallow-invalid-context
Disallow use of invalid contexts
2019-02-21 17:37:04 +00:00
Gilles Peskine
13cf3eca5b Fix typo in documentation 2019-02-21 17:29:22 +01:00
Jaeden Amero
c37fff9b95
Merge pull request #67 from Patater/deprecated-psa-errors
psa: Add backwards compatible error codes
2019-02-21 13:34:10 +00:00
Jaeden Amero
5e6d24c5e1 psa: Add backwards compatible error codes
Add deprecated error codes to help transition between the previous
version of the PSA Crypto specification and the current one.
2019-02-21 11:49:15 +00:00
Jaeden Amero
e236c2a13c psa: Don't abort when operations are invalid
In places where we detect a context is in a bad state and there is no
sensitive data to clear, simply return PSA_ERROR_BAD_STATE and don't
abort on behalf of the application. The application will choose what to
do when it gets a bad state error.

The motivation for this change is that an application should decide what
to do when it misuses the API and encounters a PSA_ERROR_BAD_STATE
error. The library should not attempt to abort on behalf of the
application, as that may not be the correct thing to do in all
circumstances.
2019-02-20 17:38:25 +00:00
Jaeden Amero
1ac5e6a34c
Merge pull request #64 from gilles-peskine-arm/storage_spec-key_file_id
Update the architecture document regarding key file identifiers
2019-02-20 17:32:43 +00:00
Jaeden Amero
c8ed00a04f
Merge pull request #65 from Patater/deprecated-constants-compat
psa: Be compatible with deprecated constants
2019-02-20 16:42:56 +00:00