Commit Graph

5578 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
7037e222ea Improve comments and doc for ECP 2017-08-23 14:30:36 +02:00
Manuel Pégourié-Gonnard
daf049144e Rework state saving for verify_chain()
Child was almost redundant as it's already saved in ver_chain, except it was
multiplexed to also indicate whether an operation is in progress. This commit
removes it and introduces an explicit state variable instead.

This state can be useful later if we start returning IN_PROGRESS at other
points than find_parent() (for example when checking CRL).

Note that the state goes none -> find_parent and stays there until the context
is free(), as it's only on the first call that nothing was in progress.
2017-08-23 12:32:19 +02:00
Manuel Pégourié-Gonnard
a968843429 Improve some comments in verify_chain() 2017-08-23 11:37:22 +02:00
Manuel Pégourié-Gonnard
3627a8b2f6 Clarify state handling in find_parent(_in)() 2017-08-23 11:20:48 +02:00
Manuel Pégourié-Gonnard
83e923ba2b Better initialisation of ver_chain
Use dedicated function for consistency, and initialise flags to -1 as this is
the safe value.
2017-08-23 10:55:41 +02:00
Manuel Pégourié-Gonnard
8b7b96bbd3 Fix typo 2017-08-23 10:02:51 +02:00
Manuel Pégourié-Gonnard
d55f776cb7 Skip context allocation if restart disabled 2017-08-18 17:40:15 +02:00
Manuel Pégourié-Gonnard
aaa9814879 Uniformize ifdefs to ECDSA_C+ECP_RESTARTABLE
Some parts were already implicitly using this as the two ifdefs were nested,
and some others didn't, which resulted in compile errors in some configs. This
fixes those errors and saves a bit of code+RAM that was previously wasted when
ECP_RESTARTABLE was defined but ECDSA_C wasn't
2017-08-18 17:30:37 +02:00
Manuel Pégourié-Gonnard
fe6877034d Keep PK layer context in the PK layer
Previously we kept the ecdsa context created by the PK layer for ECDSA
operations on ECKEY in the ecdsa_restart_ctx structure, which was wrong, and
caused by the fact that we didn't have a proper handling of restart
sub-contexts in the PK layer.
2017-08-18 17:04:07 +02:00
Manuel Pégourié-Gonnard
0bbc66cc76 Dynamically allocate/free restart subcontext in PK 2017-08-18 16:22:06 +02:00
Manuel Pégourié-Gonnard
15d7df2ba8 Introduce mbedtls_pk_restart_ctx and use it
The fact that you needed to pass a pointer to mbedtls_ecdsa_restart_ctx (or
that you needed to know the key type of the PK context) was a breach of
abstraction.

Change the API (and callers) now, and the implementation will be changed in
the next commit.
2017-08-17 15:16:11 +02:00
Manuel Pégourié-Gonnard
98a6778d47 Better document some function arguments 2017-08-17 10:52:20 +02:00
Manuel Pégourié-Gonnard
b889d3e5fb Clarify & uniformise test comments 2017-08-17 10:25:18 +02:00
Manuel Pégourié-Gonnard
5faafa76cf Update X.509 test certs' Readme 2017-08-17 10:13:00 +02:00
Manuel Pégourié-Gonnard
c9e16a97da Disable restartable ECC by default 2017-08-15 14:30:59 +02:00
Manuel Pégourié-Gonnard
9897cc933d Update ChangeLog 2017-08-15 14:30:43 +02:00
Manuel Pégourié-Gonnard
3bf49c4552 Enable restart for certificate verify 2017-08-15 14:12:47 +02:00
Manuel Pégourié-Gonnard
fed37ed039 Extract some code to separate function
Goals include:
- reducing the number of local variables in the main function (so that we
  don't have to worry about saving/restoring them)
- reducing the number exit points in the main function, making it easier to
  update ssl->state only right before we return
2017-08-15 13:35:42 +02:00
Manuel Pégourié-Gonnard
39eda87382 Make more auto variables const
That way we know we don't have to worry about saving and restoring their
value.
2017-08-15 13:00:33 +02:00
Manuel Pégourié-Gonnard
6b7301c872 Change restart context type.
No need to have both x509 and ecdsa, as the former contains the later.
2017-08-15 12:08:45 +02:00
Manuel Pégourié-Gonnard
d27d1a5a82 Clean up existing SSL restartable ECC code
- more consistent naming with ecrs prefix for everything
- always check it enabled before touching the rest
- rm duplicated code in parse_server_hello()
2017-08-15 11:49:08 +02:00
Manuel Pégourié-Gonnard
8b59049407 Make verify() actually restartable 2017-08-15 10:45:09 +02:00
Manuel Pégourié-Gonnard
c11e4baa63 Rework type for verify chain
- create container with length + table
- make types public (will be needed in restart context)
2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard
18547b5db6 Refactor find_parent() to merge two call sites 2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard
a4a5d1dbe6 Adapt function signatures to rs_ctx + ret 2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard
be4ff42fe4 Call crt_check_signature from one place only 2017-08-15 10:44:13 +02:00
Manuel Pégourié-Gonnard
d19a41d9aa Add tests for verify_restartable()
For selection of test cases, see comments added in the commit.

It makes the most sense to test with chains using ECC only, so for the chain
of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly.

Note: server10.crt was created by copying server10_int3_int-ca2.crt and
manually truncating it to remove the intermediates. That base can now be used
to create derived certs (without or with a chain) in a programmatic way.
2017-08-15 10:44:08 +02:00
Manuel Pégourié-Gonnard
bc3f44ae9c Introduce mbedtls_x509_crt_verify_restartable() 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
21b7719fb2 Add ChangeLog entry for current progress 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
32033da127 Test some more handshake flows 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
23e416261c ECDH: not restartable unless explicitly enabled
This is mainly for the benefit of SSL modules, which only supports restart in
a limited number of cases. In the other cases (ECDHE_PSK) it would currently
return ERR_ECP_IN_PROGRESS and the user would thus call ssl_handshake() again,
but the SSL code wouldn't handle state properly and things would go wrong in
possibly unexpected ways.  This is undesirable, so it should be possible for
the SSL module to choose if ECDHE should behave the old or the new way.

Not that it also brings ECDHE more in line with the other modules which
already have that choice available (by passing a NULL or valid restart
context).
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
1f1f2a1ca6 Adapt ServerKeyEchange processing to restart 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
862cde5b8e Add restart support for ECDSA client auth 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
2350b4ebdc Adapt ECDHE_ECDSA key exchange to restartable EC
For now some other key exchanges (ECDHE_PSK) will just fail to work, this will
be either fixed or properly fixed later.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
b3c8307960 Adapt ssl_client2 to restartable EC 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
171a481b96 Add a ChangeLog entry for changes so far 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
31f0ef7b19 Fix style issues introduced earlier 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
1f596064bc Make PK EC sign/verify actually restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
c4ee9acb7b Add tests for restartable PK sign/verify 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
82cb27b3db PK: declare restartable sign/verify functions
For RSA, we could either have the function return an error code like
NOT_IMPLEMENTED or just run while disregarding ecp_max_ops. IMO the second
option makes more sense, as otherwise the caller would need to check whether
the key is EC or RSA before deciding to call either sign() or
sign_restartable(), and having to do this kind of check feels contrary to the
goal of the PK layer.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
fd838dab5c Comment cosmetics 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
66ba48a3c8 Make ECDH functions actually restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
71b2c53254 Add tests for restartable ECDH 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
c90d3b0f89 Update doc for restartable ECDH functions 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
af081f5460 Make ECDSA sign actually restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
50b63ba2f5 Use ecp_gen_privkey() in ECDSA sign
Two different changes:

- the first one will allow us to store k in the restart context while
  restarting the following ecp_mul() operation

- the second one is an simplification, unrelated to restartability, made
  possible by the fact that ecp_gen_privkey() is now public
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
675439620d Improve sign/key_tries handling
(Unrelated to restartable work, just noticed while staring at the code.)

Checking at the end is inefficient as we might give up when we just generated
a valid signature or key.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
b90883dc1d Prepare infra for restartable sign 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
eb402f3cd3 Add test for restartable signature
Test relies on deterministic signature as this uses plain sig internally, so
if deterministic works, then so does non-deterministic, while the reciprocal
is false. (Also, deterministic is enabled by default in config.h.)

Test case is taken from a RFC 6979 test vector, just manually converting (r,s)
to the encoded signature.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard
addb10efac Create functions for restartable sign 2017-08-09 11:44:53 +02:00