Commit Graph

4797 Commits

Author SHA1 Message Date
Hanno Becker
62a44d43b0 Allow defining MD information structs through macros
In builds enabling only a single MD digest, we want to be able to
implement the MD info getter functions by returning compile-time
constants matching the fields of the MD info structures used so far.

To avoid information duplication hardening maintainability, this
commit introduces the possibility of providing the various aspects
of a particular digest implementation by defining macros
MBEDTLS_MD_INFO_DIGEST_FIELD (e.g. MBEDTLS_MD_INFO_SHA256_SIZE)
and to generate the corresponding mbedtls_md_info instance from
this set of macros, via the new macro MBEDTLS_MD_INFO().

This way, we'll be able to switch between MD info based builds
and single-digest builds without information duplication.
2019-09-09 09:45:57 +01:00
Hanno Becker
0e7fc3166d Inline md_wrap.c in md.c
md_wrap.c doesn't expose any public functionality and doesn't
need to be present as a separate compilation unit.
2019-09-09 09:45:57 +01:00
Hanno Becker
530387eaa3 Introduce getter functions for MD info fields
This commit continues the introduction of the MD digest implementation
abstraction layer given by `mbedtls_md_handle_t` by adding getter
functions returning the various properties of an implementation
(e.g. name, digest type, digest size). For the existing implementation,
these are just structure field accesses; however, in configurations
hardcoding the choice of a fixed digest algorithm, we'll be able to
implement them as inline functions returning compile-time constants.
2019-09-09 09:45:57 +01:00
Hanno Becker
a5cedbcd3f Introduce MD handle type
As has been previously done for ciphersuites, this commit introduces
a zero-cost abstraction layer around the type

  mbedtls_md_info const *

whose valid values represent implementations of message digest algorithms.

Access to a particular digest implementation can be requested by name or
digest ID through the API mbedtls_md_info_from_xxx(), which either returns
a valid implementation or NULL, representing failure.

This commit replaces such uses of `mbedtls_md_info const *` by an abstract
type `mbedtls_md_handle_t` whose valid values represent digest implementations,
and which has a designated invalid value MBEDTLS_MD_INVALID_HANDLE.

The purpose of this abstraction layer is to pave the way for builds which
support precisely one digest algorithm. In this case, mbedtls_md_handle_t
can be implemented as a two-valued type, with one value representing the
invalid handle, and the unique valid value representing the unique enabled
digest.
2019-09-09 09:45:57 +01:00
Manuel Pégourié-Gonnard
7f2c3e4034 Remove dependency of ssl_cookie on SHA-224
Cookies are fully opaque so we can change the hash used at any time, it's not
part of the API.

The cookie module handles truncation, so it's simpler to always use SHA-256
rather than check if SHA-224 is available.
2019-09-09 10:21:30 +02:00
Manuel Pégourié-Gonnard
efd344894d Completely ignore is224 if SHA-224 is disabled 2019-09-09 10:21:30 +02:00
Manuel Pégourié-Gonnard
394c5fb24b Implement NO_SHA224 in MD layer as well 2019-09-09 10:21:30 +02:00
Manuel Pégourié-Gonnard
abebdd16ef Adapt SHA-256 selftest to NO_SHA224 2019-09-09 10:21:30 +02:00
Manuel Pégourié-Gonnard
8463d29156 Implement MBEDTLS_SHA256_NO_SHA224 2019-09-09 10:21:30 +02:00
Manuel Pégourié-Gonnard
9b781b2880 Add MBEDTLS_SHA256_NO_SHA244 option (unimplemented) 2019-09-09 09:06:56 +02:00
Simon Butcher
d82db9d48c Merge remote-tracking branch 'origin/pr/649' into baremetal 2019-09-07 12:46:12 +01:00
Simon Butcher
d91adcf7f5 Merge remote-tracking branch 'origin/pr/624' into baremetal 2019-09-07 12:44:42 +01:00
Teppo Järvelin
c3e5716aaf Some minor struct optimizations. 2019-09-06 07:58:36 +03:00
Hanno Becker
7bcf2b5875 Introduce version comparing functions
This zero-cost abstraction allows to change the internal encoding
of TLS/DTLS versions in the future.
2019-09-05 17:37:55 +01:00
Manuel Pégourié-Gonnard
0cfb6efad4 Add work-around for non-C99 compilers 2019-09-05 14:07:01 +02:00
Manuel Pégourié-Gonnard
c7abba3796 Use static inline function unconditionally
No need to play tricks with macros and functions depending on whether
SHA256_SMALLER is enabled or not, with a static inline function all common
compilers (tested with arm-gcc, armcc5, arm-clang) will Do The Right Thing
depending on whether we told them to optimize for size or speed.
2019-09-05 12:09:59 +02:00
Hanno Becker
683d84a5d7 Fixup TinyCrypt PK parse: Correct function name in comment 2019-09-04 16:19:49 +01:00
Hanno Becker
f45d9da878 Fixup certs.c: Remove redundant TinyCrypt guard 2019-09-04 16:19:49 +01:00
Hanno Becker
d2929b5626 Fixup TinyCrypt PK wrap: Check TinyCrypt signature return code 2019-09-04 16:19:49 +01:00
Hanno Becker
96d34d57ec TinyCrypt PK Wrap: Remove dependency on ASN.1 writing
The TinyCrypt PK signature wrapper uses ASN.1 writing functions
for length and tag, accounting for the only dependency of the
baremetal build on ASN.1 writing.

Since all lengths to be encoded are below 128 Bytes and are hence
ASN.1 encoded as single Bytes, the dependency on ASN.1 writing can
be removed at low complexity by writing the length and tags directly.
2019-09-04 16:19:49 +01:00
Hanno Becker
358b3006ee TinyCrypt ECDHE-PSK: Implement CliKeyExchange parsing 2019-09-04 16:19:49 +01:00
Hanno Becker
982da7ee0a TinyCrypt ECDHE-PSK: Implement mbedtls_ssl_psk_derive_premaster() 2019-09-04 16:19:49 +01:00
Hanno Becker
d91ede14c4 TinyCrypt ECDHE-PSK: Implement ClientKeyExchange writing 2019-09-04 16:19:49 +01:00
Hanno Becker
c7effc04c1 TinyCrypt SSL: Extend scope use of TC in CliKeyExchange writing
Extend scope of TC in ECDH-param extraction from CRT

Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the writing of the ClientKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
7352bd141e TinyCrypt SSL: Extend scope of SrvKeyExchange parsing
Extend scope of TC in ECDH-param extraction from CRT

Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the parsing of the ServerKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
40ee0d450d Fixup: Correct #else and #endif comments in SrvKeyExch writing 2019-09-04 16:19:49 +01:00
Hanno Becker
b42e2388ff TinyCrypt SSL: Extend scope of CliKeyExchange parsing
Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the parsing of the ClientKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
8ea7da2250 TinyCrypt SSL: Extend scope of TC-based SrvKeyExch writing
Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the writing of the ServerKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
b3a244847d TinyCrypt SSL: Impl. ECDH-param extraction from CRT for TinyCrypt 2019-09-04 16:19:49 +01:00
Hanno Becker
ecf5d3fdb1 TinyCrypt SSL: Extend scope of use of TC in PMS derivation
Extend scope of TC in ECDH-param extraction from CRT

Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the assembly of the PMS.
2019-09-04 16:19:49 +01:00
Hanno Becker
2e80173dfc Fixup: Correct wrong comment ssl_prepare_server_key_exchange() 2019-09-04 16:19:49 +01:00
Hanno Becker
27b7e50dcd TinyCrypt SSL: Declare EC-related TLS RFC constants in SSL namespace
mbedtls/ecp.h defines constants

   MBEDTLS_ECP_PF_UNCOMPRESSED
   MBEDTLS_ECP_PF_COMPRESSED
   MBEDTLS_ECP_TLS_NAMED_CURVE

which regard the encoding of elliptic curves and curve point formats in TLS.
As such, they should be defined in the SSL namespace. Asides, this will help
replacing the legacy ECC crypto by alternative ECC implementations.
2019-09-04 16:19:49 +01:00
Hanno Becker
ee902df678 TinyCrypt SSL: Implement mbedtls_ssl_check_curve() for TinyCrypt 2019-09-04 16:19:49 +01:00
Hanno Becker
7e9c2e0d81 TinyCrypt SSL: Adapt ssl_parse_certificate_verify() to TinyCrypt 2019-09-04 16:17:45 +01:00
Hanno Becker
461fa723a1 TinyCrypt SSL: Adapt ssl_check_key_curve() to TinyCrypt 2019-09-04 16:17:45 +01:00
Hanno Becker
59e7b08b8a TinyCrypt X.509: Adapt profiles to use TinyCrypt curve identifier 2019-09-04 16:17:45 +01:00
Hanno Becker
88889c618e Fixup: Add missing TinyCrypt guards 2019-09-04 16:17:45 +01:00
Hanno Becker
d931ad2aca Implement x509_profile_check_key() for TinyCrypt-based PK context 2019-09-04 16:17:45 +01:00
Hanno Becker
1521ec501c Remove TinyCrypt PRNG configuration from ssl_cli.c
The TinyCrypt PRNG is configured in mbedtls_ssl_setup().
2019-09-04 16:17:25 +01:00
Hanno Becker
dfb949bb4e Fixup: Use TC ECC type instead of uint32_t during pubkey parsing
Using explicit enumerated types avoids type confusion.
2019-09-04 16:17:25 +01:00
Hanno Becker
28332a5642 TinyCrypt PK write: Impl. PK writing helpers for TC-based PK context 2019-09-04 16:17:25 +01:00
Hanno Becker
64a81b03aa TinyCrypt PK write: Make PK writing helpers accept PK context
This prepares the ground for TinyCrypt-based implementations of
these helpers.
2019-09-04 16:17:25 +01:00
Hanno Becker
c64d5af9ab Fixup: Don't use legacy ECC error code from TinyCrypt
We want to be able to remove legacy ECC entirely when using TinyCrypt,
including their identifiers.
2019-09-04 16:17:25 +01:00
Hanno Becker
da77971ec8 Fixup: Rename mbedtls_uecc_pk -> mbedtls_pk_uecc
This is in line with the naming of the analogous function mbedtls_pk_ec
used for legacy ECC PK contexts.
2019-09-04 16:17:25 +01:00
Hanno Becker
8cf2f5e466 TinyCrypt PK parse: Move TC-based EC public key parsing code-block
Keep code-paths handling legacy-ECC vs. TinyCrypt together
for better readability.
2019-09-04 16:17:25 +01:00
Hanno Becker
3bef643987 Fixup: Guard numerous legacy-ECC PK parse functions by !TinyCrypt 2019-09-04 16:17:25 +01:00
Hanno Becker
d336f721c0 Fixup: Add missing TinyCrypt guard in ECC private key parsing
PEM-encoded keys with PEM header

  -----BEGIN EC PRIVATE KEY-----
  ...
  -----END EC PRIVATE KEY-----

were previously not parsed in configurations using TinyCrypt
instead of legacy ECC crypto.
2019-09-04 16:17:25 +01:00
Hanno Becker
75f8d3276f TinyCrypt PK parse: Remove MBEDTLS_PK_ECDSA during pubkey parsing
The PK type MBEDTLS_PK_ECDSA is never returned from
`mbedtls_pk_info_from_type()`. Instead, EC keys either
are identified as MBEDTLS_PK_ECKEY_DH (in case they
must only be used for ECDHE) or MBEDTLS_PK_ECKEY (in
case they can be used for any algorithm).
2019-09-04 16:17:25 +01:00
Hanno Becker
e65697c351 TinyCrypt PK parse: Handle each PK type precisely once 2019-09-04 16:17:25 +01:00
Hanno Becker
d45f383b01 TinyCrypt PK parse: Impl. EC public key derivation in TC-based ECDSA 2019-09-04 16:17:25 +01:00
Hanno Becker
7e38c37302 TinyCrypt PK parse: Pass TC keypair structure to ECDSA pubkey parse 2019-09-04 16:17:25 +01:00
Hanno Becker
68d5478d8d TinyCrypt PK parse: Simplify TinyCrypt public key parsing 2019-09-04 16:17:25 +01:00
Hanno Becker
aebffdd363 TinyCrypt PK parse: Add comments to #endif's indicating condition 2019-09-04 16:17:25 +01:00
Hanno Becker
d7e0cd001c TinyCrypt PK wrap: Add short documentation for extract_ecdsa_sig_int 2019-09-04 16:17:25 +01:00
Hanno Becker
9653d80518 TinyCrypt PK wrap: Implement check_pair PK wrapper 2019-09-04 16:17:25 +01:00
Hanno Becker
4102972d31 TinyCrypt PK wrap: Implement alloc/free PK wrappers 2019-09-04 16:17:25 +01:00
Hanno Becker
11cb2637e7 TinyCrypt PK wrap: Simplify guards in pk_wrap.c
With TinyCrypt and legacy ECC mutually exclusive, we don't have
to use #if TINYCRYPT #else #if LEGACY #endif #endif anymore, but
can add the TC and legacy based ECC implementations independently.
2019-09-04 16:17:25 +01:00
Hanno Becker
8ea35458e4 Fixup: TinyCrypt PK verify wrapper uecc_ecdsa_verify_wrap()
- TinyCrypt uses `0` for errors.
- The first argument to uECC_verify() should be the public key,
  but the previous code passed the beginning of the entire
  private-public key structure.
2019-09-04 16:17:25 +01:00
Hanno Becker
9c7a359cc4 Fixup: uecc_ecdsa_sign_wrap() in pk_wrap.c
The previous code passed `2 * NUM_ECC_BYTES` as the size limit for
the ECDSA signature, which fails to account for space required by
ASN.1 headers.
2019-09-04 16:17:25 +01:00
Hanno Becker
9a62f2dbfb Fixup: get_bitlen() PK API in TinyCrypt-based ECDSA
- Return number of bits and not number of bytes
- Return length of private key and not length of public key.
2019-09-04 16:17:25 +01:00
Hanno Becker
496b83ff1b Fixup: Correct include paths for TinyCrypt header files
TinyCrypt header files are expected in 'tinycrypt' folder
relative to the include path.
2019-09-04 16:17:25 +01:00
Hanno Becker
ad353f289b Fixup: Minor style corrections around use of TinyCrypt 2019-09-04 16:17:25 +01:00
Hanno Becker
e8f1448306 Fixup: Remove references to PSA from TinyCrypt wrapper code 2019-09-04 16:17:25 +01:00
Hanno Becker
adf11e13a4 Fixup: Impl. MBEDTLS_PK_ECKEY, not MBEDTLS_PK_ECDSA, via TinyCrypt
The PK-type MBEDTLS_PK_ECDSA isn't really used by the library.
Especially, when parsing a generic EC key, a PK context of type
MBEDTLS_PK_ECKEY will be requested. Hence, to drop in TinyCrypt
for the legacy-ECC implementation, the PK type that TinyCrypt
implements must be MBEDTLS_PK_ECKEY.
2019-09-04 16:17:25 +01:00
Hanno Becker
8d49ba3b78 Fixup: Definition of TinyCrypt OID descriptor structure 2019-09-04 16:17:25 +01:00
Jarno Lamsa
7cb5c11067 Missing uECC ECDSA flagging 2019-09-04 16:17:25 +01:00
Jarno Lamsa
ad78931fb3 Signature wrapper for uECC 2019-09-04 16:17:25 +01:00
Jarno Lamsa
9c9e77a8ad Actually use the parse functions 2019-09-04 16:17:25 +01:00
Jarno Lamsa
b176092656 Parse private key in uecc format
Parse the private key from cert in uecc format.
Accept only P-256 curve.
2019-09-04 16:17:25 +01:00
Jarno Lamsa
42b83db1eb Verify sign wrapper functionality for uECC 2019-09-04 16:17:25 +01:00
Simon Butcher
e1c5608370 Merge remote-tracking branch 'origin/pr/650' into baremetal 2019-09-04 12:53:09 +01:00
Simon Butcher
42e4e723e8 Merge remote-tracking branch 'origin/pr/648' into baremetal 2019-09-04 12:42:35 +01:00
Simon Butcher
8afa0883af Merge remote-tracking branch 'origin/pr/641' into baremetal 2019-09-04 12:17:33 +01:00
Manuel Pégourié-Gonnard
d6fba18328
Merge pull request #643 from hanno-arm/secp256r1-baremetal
[Baremetal] Add Secp256r1 test certificates
2019-09-02 08:49:20 +02:00
Hanno Becker
8398582658 Fix SSL context deserialization
The SSL context maintains a set of 'out pointers' indicating the
address at which to write the header fields of the next outgoing
record. Some of these addresses have a static offset from the
beginning of the record header, while other offsets can vary
depending on the active record encryption mechanism: For example,
if an explicit IV is in use, there's an offset between the end
of the record header and the beginning of the encrypted data to
allow the explicit IV to be placed in between; also, if the DTLS
Connection ID (CID) feature is in use, the CID is part of the
record header, shifting all subsequent information (length, IV, data)
to the back.
When setting up an SSL context, the out pointers are initialized
according to the identity transform + no CID, and it is important
to keep them up to date whenever the record encryption mechanism
changes, which is done by the helper function ssl_update_out_pointers().

During context deserialization, updating the out pointers according
to the deserialized record transform went missing, leaving the out
pointers the initial state. When attemping to encrypt a record in
this state, this lead to failure if either a CID or an explicit IV
was in use. This wasn't caught in the tests by the bad luck that
they didn't use CID, _and_ used the default ciphersuite based on
ChaChaPoly, which doesn't have an explicit IV. Changing either of
this would have made the existing tests fail.

This commit fixes the bug by adding a call to ssl_update_out_pointers()
to ssl_context_load() implementing context deserialization.

Extending test coverage is left for a separate commit.
2019-08-30 13:27:16 +01:00
Manuel Pégourié-Gonnard
fc8adbadb5 Merge branch 'mbedtls-2.16' into baremetal-2.16-20190827
* mbedtls-2.16: (21 commits)
  Exclude DTLS 1.2 only with older OpenSSL
  Document the rationale for the armel build
  Switch armel build to -Os
  Add a build on ARMv5TE in ARM mode
  Add changelog entry for ARM assembly fix
  bn_mul.h: require at least ARMv6 to enable the ARM DSP code
  Changelog entry for test certificates update
  Change worktree_rev to HEAD for rev-parse
  Add ChangeLog entry for entropy_nv_seed test case fix
  entropy_nv_seed: cope with SHA-256
  entropy_nv_seed: clean up properly
  Add ChangeLog entry for undefined behavior fix in test_suite_nist_kw
  Don't call memset after calloc
  Adapt ChangeLog
  ECP restart: Don't calculate address of sub ctx if ctx is NULL
  Update certificates to expire in 2029
  Update soon to be expired crl
  Test that a shared library build produces a dynamically linked executable
  Test that the shared library build with CMake works
  Add a test of MBEDTLS_CONFIG_FILE
  ...
2019-08-30 13:08:33 +02:00
Hanno Becker
f6cc7423aa Prescribe inlining of tls_prf_generic()
The NO_INLINE annotation of tls_prf_sha256() and tls_prf_sha384() from
the last commit surprisingly had an influence on ARMC5 compilation in
that tls_prf_generic() was no longer automatically inlined into
tls_prf_sha256() if only the latter was enabled (and is the point
where tls_prf_generic() is called). This commit forces inlining
of tls_prf_generic() in this case.
2019-08-29 16:02:11 +01:00
Hanno Becker
2793f740a9 Forbid inlining of some functions to reduce code-size on ARMC6
Usually, compilers are clever enough to pick the best inlining
strategy, but in this instance, it appears that compiling on ARMC6,
the compilers inlines xxx_prf_yyy() and xxx_calc_finished_yyy()
even though it really shouldn't. Forbid inlining through the use
of __attribute__((noinline)).
2019-08-29 16:02:10 +01:00
Hanno Becker
298a47064c Force inlining of ssl_populate_transform() if used only once
Somehow, at least ARMC5 isn't able to recognize this automatically.
Since some of the arguments to ssl_populate_transform() are compile-
time constants in reduced configurations, inlining leads to slightly
shorter code.
2019-08-29 16:02:10 +01:00
Hanno Becker
fc7429eef4 Remove forward declarations of calc_finished functions in ssl_tls.c 2019-08-29 16:02:09 +01:00
Hanno Becker
cf87c5e0a1 Avoid forward declarations of calc_verify functions in ssl_tls.c 2019-08-29 16:01:32 +01:00
Hanno Becker
8671e7b9f7 Remove redundant SHA-1 code-path in TLS-1.2 handling of CrtVrfy
SHA-1 is no longer offered nor accepted for the client's CertificateVerify
message in TLS 1.2. See 0a64170.
2019-08-29 16:01:32 +01:00
Hanno Becker
2f41b248c1 Remove calc_verify SSL function pointer 2019-08-29 16:01:32 +01:00
Hanno Becker
8443491280 Make SSL checksum update function inline
This saves a few bytes in configurations where only one hash
is enabled, and configurations allowing multiple hashes probably
don't care about code-size anyway.
2019-08-29 16:01:31 +01:00
Hanno Becker
8a4b59049b Remove checksum update function pointer from SSL handshake params 2019-08-29 16:01:31 +01:00
Hanno Becker
533f5b1d8d Remove ssl_optimize_checksum()
This function is called on client-only once the ciphersuite has
been chosen and it it is known which digest the client will need
for the handshake transcript throughout the handshake, and causes
all other unneeded handshake transcripts to be discontinued.

(On the server, we cannot call this function because we don't know
 which hash the client will those in its CertificateVerify message).

However, the benefit of this call is marginal, since transcript hash
computation is negligible compared to asymmetric crypto, and moreover
the handshake transcript contexts for the unused digests are still
stored in the SSL handshake parameter structure and not freed until
the end of the handshake.

Finally, if we're running on a _really_ constrained client, there
will be only one hash function enabled anyway, and in this case
the checksum optimization has no effect.

This commit therefore removes checksum optimization altogether,
saving some code on constrained systems.
2019-08-29 16:01:31 +01:00
Hanno Becker
c2fb759f3b Remove TLS calc_finished function pointer from SSL handshake params 2019-08-29 16:01:31 +01:00
Hanno Becker
39c7f7e3de Remove TLS PRF function pointer from SSL handshake parameters 2019-08-29 16:01:30 +01:00
Manuel Pégourié-Gonnard
7228167843
Merge pull request #647 from hanno-arm/hmac_drbg_entropy_fix-baremetal
[Baremetal] Fix incompatibility between HMAC DRBG and entropy module
2019-08-28 09:20:38 +02:00
Manuel Pégourié-Gonnard
87f57f6df0
Merge pull request #642 from jarvte/mbedtls_ssl_set_hostname_to_optional
[baremetal] Make function mbedtls_ssl_set_hostname(...) as optional
2019-08-28 09:20:20 +02:00
Hanno Becker
4598e49916 Don't use P-256 test CRTs if P-256 is known to be disabled 2019-08-27 11:41:37 +01:00
Hanno Becker
31c95e1e94 Fix and improve documentation of HMAC DRBG
- a comment regarding the implementation of hmac_drbg_reseed_core()
  was misplaced.
- add more references to the standard, and add details on how the
  comments in the code refer to various parts of the standard.
2019-08-27 09:22:09 +01:00
Hanno Becker
b3a06e66d8 hmac_drbg.c: Rename hmac_drbg_reseed_internal->hmac_drbg_reseed_core 2019-08-27 09:21:44 +01:00
Teppo Järvelin
4009d8f377 Make function mbedtls_ssl_set_hostname(...) as optional
Now function mbedtls_ssl_set_hostname is compile-time configurable
in config.h with define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION.
This affects to many x509 API's. See config.h for details.
2019-08-27 10:47:08 +03:00
Hanno Becker
eab304caf5 HMAC DRBG: Split entropy-gathering requests to reduce request sizes
According to SP800-90A, the DRBG seeding process should use a nonce
of length `security_strength / 2` bits as part of the DRBG seed. It
further notes that this nonce may be drawn from the same source of
entropy that is used for the first `security_strength` bits of the
DRBG seed. The present HMAC DRBG implementation does that, requesting
`security_strength * 3 / 2` bits of entropy from the configured entropy
source in total to form the initial part of the DRBG seed.

However, some entropy sources may have thresholds in terms of how much
entropy they can provide in a single call to their entropy gathering
function which may be exceeded by the present HMAC DRBG implementation
even if the threshold is not smaller than `security_strength` bits.
Specifically, this is the case for our own entropy module implementation
which only allows requesting at most 32 Bytes of entropy at a time
in configurations disabling SHA-512, and this leads to runtime failure
of HMAC DRBG when used with Mbed TLS' own entropy callbacks in such
configurations.

This commit fixes this by splitting the seed entropy acquisition into
two calls, one requesting `security_strength` bits first, and another
one requesting `security_strength / 2` bits for the nonce.
2019-08-26 15:39:23 +01:00
Hanno Becker
75bc82702f Load raw certificate and key data from files to certs.c 2019-08-23 11:39:46 +01:00
Hanno Becker
ba7082cc43 Add prototypes for Secp256r1 test CRTs and keys to certs.c 2019-08-23 11:39:45 +01:00
Simon Butcher
6617a24056 Merge remote-tracking branch 'origin/pr/633' into baremetal 2019-08-21 13:46:18 +01:00
Simon Butcher
f0f01e1f0a Merge remote-tracking branch 'origin/pr/630' into baremetal 2019-08-14 16:53:38 +01:00
Simon Butcher
434ab19164 Merge remote-tracking branch 'origin/pr/629' into baremetal 2019-08-14 16:53:13 +01:00