Commit Graph

9591 Commits

Author SHA1 Message Date
Hanno Becker
95e4bbcf6c Fix additional data calculation if CID is disabled
In contrast to other aspects of the Connection ID extension,
the CID-based additional data for MAC computations differs from
the non-CID case even if the CID length is 0, because it
includes the CID length.
2019-06-03 14:47:36 +01:00
Hanno Becker
af05ac067b Remove unnecessary empty line in ssl_tls.c 2019-06-03 14:47:36 +01:00
Hanno Becker
07dc97db8c Don't quote DTLSInnerPlaintext structure multiple times 2019-06-03 14:47:36 +01:00
Hanno Becker
d3f8c79ea0 Improve wording in ssl_build_inner_plaintext() 2019-06-03 14:47:36 +01:00
Hanno Becker
edb24f8eec Remove unnecessary whitespace in ssl_extract_add_data_from_record() 2019-06-03 14:47:36 +01:00
Hanno Becker
92fb4fa802 Reduce stack usage for additional data buffers in record dec/enc 2019-06-03 14:47:36 +01:00
Hanno Becker
c4a190bb0f Add length of CID to additional data used for record protection
Quoting the CID draft 04:

   -  Block Ciphers:

       MAC(MAC_write_key, seq_num +
           tls12_cid +                     // New input
           DTLSPlaintext.version +
           cid +                           // New input
           cid_length +                    // New input
           length_of_DTLSInnerPlaintext +  // New input
           DTLSInnerPlaintext.content +    // New input
           DTLSInnerPlaintext.real_type +  // New input
           DTLSInnerPlaintext.zeros        // New input
       )

And similar for AEAD and Encrypt-then-MAC.
2019-06-03 14:47:36 +01:00
Hanno Becker
d5aeab1e8a Improve documentation of ssl_extract_add_data_from_record() 2019-06-03 14:47:36 +01:00
Hanno Becker
fe6bb8ccc2 Unify documentation of internal SSL record structure
- Don't use Doxygen style comments
- Document CID and CID length fields.
2019-06-03 14:47:36 +01:00
Hanno Becker
43c24b8da9 Fix missing compile-time guards around CID-only constants 2019-06-03 14:47:36 +01:00
Hanno Becker
f44e55de5e Remove TODO 2019-06-03 14:47:36 +01:00
Hanno Becker
75f080f4b6 Use MBEDTLS_ namespace for internal CID length constant 2019-06-03 14:47:36 +01:00
Hanno Becker
8a7f972202 Skip copying CIDs to SSL transforms until CID feature is complete
This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
2019-06-03 14:47:36 +01:00
Hanno Becker
8b3eb5ab82 Implement inner plaintext parsing/writing for CID-based connections 2019-06-03 14:47:36 +01:00
Hanno Becker
d856c82993 Add unit tests for record protection using CID 2019-06-03 14:47:36 +01:00
Hanno Becker
6c87b3f9df Record enc/dec tests: Don't take turns in sending / receiving roles
Part of the record encryption/decryption tests is to gradually
increase the space available at the front and/or at the back of
a record and observe when encryption starts to succeed. If exactly
one of the two parameters is varied at a time, the expectation is
that encryption will continue to succeed once it has started
succeeding (that's not true if both pre- and post-space are varied
at the same time).

Moreover, previously the test would take turns when choosing which
transform should be used for encryption, and which for decryption.

With the introduction of the CID feaature, this switching of transforms
doesn't align with the expectation of eventual success of the encryption,
since the overhead of encryption might be different for the parties,
because both parties may use different CIDs for their outgoing records.

This commit modifies the tests to not take turns between transforms,
but to always use the same transforms for encryption and decryption
during a single round of the test.
2019-06-03 14:47:36 +01:00
Hanno Becker
cab87e68b6 Incorporate CID into MAC computations during record protection
This commit modifies ssl_decrypt_buf() and ssl_encrypt_buf()
to include the CID into authentication data during record
protection.

It does not yet implement the new DTLSInnerPlaintext format
from https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04
2019-06-03 14:47:36 +01:00
Hanno Becker
f2ed4482d7 Add CID field to internal structure representing TLS records
This commit adds a static array `cid` to the internal structure
`mbedtls_record` representing encrypted and decrypted TLS records.

The expected evolution of state of this field is as follows:
- When handling an incoming record, the caller of `mbedtls_decrypt_buf()`
  has to make sure the CID array field in `mbedtls_record` has been
  properly set. Concretely, it will be copied from the CID from the record
  header during record parsing.
- During decryption in `mbedtls_decrypt_buf()`, the transforms
  incoming CID is compared to the CID in the `mbedtls_record`
  structure representing the record to be decrypted.
- For an outgoing TLS record, the caller of `mbedtls_encrypt_buf()`
  clears the CID in the `mbedtls_record` structure.
- During encryption in `mbedtls_encrypt_buf()`, the CID field in
  `mbedtls_record` will be copied from the out-CID in the transform.
2019-06-03 14:47:36 +01:00
Hanno Becker
024b53a856 Document support for MD2 and MD4 in programs/x509/cert_write 2019-06-03 14:45:21 +01:00
Hanno Becker
4a9b028c08 Correct name of X.509 parsing test for well-formed, ill-signed CRT 2019-06-03 14:45:21 +01:00
Hanno Becker
20a4ade3f5 Add test cases exercising successful verification of MD2/MD4/MD5 CRT 2019-06-03 14:45:21 +01:00
Hanno Becker
7b8abee4f5 Add test case exercising verification of valid MD2 CRT
The X.509 parsing test suite test_suite_x509parse contains a test
exercising X.509 verification for a valid MD4/MD5 certificate in a
profile which doesn't allow MD4/MD5. This commit adds an analogous
test for MD2.
2019-06-03 14:45:16 +01:00
Hanno Becker
1c1f046804 Replace 'ingoing' -> 'incoming' in CID debug messages 2019-06-03 14:43:16 +01:00
Hanno Becker
c5f2422116 Document behaviour of mbedtls_ssl_get_peer_cid() for empty CIDs 2019-06-03 14:43:16 +01:00
Hanno Becker
5a29990367 Improve structure of client-side CID extension parsing
Group configuring CID values together.
2019-06-03 14:43:16 +01:00
Hanno Becker
2262648b69 Improve debugging output of client-side CID extension parsing 2019-06-03 14:43:16 +01:00
Hanno Becker
08556bf8fb Improve structure of ssl_parse_cid_ext()
Group configuring CID values together.
2019-06-03 14:43:16 +01:00
Hanno Becker
064b732d11 Use unused extension ID as tentative ID for CID extension 2019-06-03 14:43:16 +01:00
Hanno Becker
554b6ea30a Correct compile-time guard around unhexify() in ssl_server2 2019-06-03 14:43:16 +01:00
Hanno Becker
a34ff5b9a2 Correct compile-time guard around CID extension writing func on srv 2019-06-03 14:43:16 +01:00
Hanno Becker
b7ee0cf3f9 Make integer truncation explicit in mbedtls_ssl_set_cid() 2019-06-03 14:43:16 +01:00
Hanno Becker
fcffdccb85 Grep for dbug msgs witnessing use of CID in ssl_client2/ssl_server2 2019-06-03 14:43:16 +01:00
Hanno Becker
dec2552a92 Change formating of CID debug output in ssl_client2/ssl_server2 2019-06-03 14:43:16 +01:00
Hanno Becker
b1f89cd602 Implement mbedtls_ssl_get_peer_cid() 2019-06-03 14:43:16 +01:00
Hanno Becker
9ecb6c676c Grep for dbg msg witnessing copying of CIDs to SSL transform 2019-06-03 14:43:16 +01:00
Hanno Becker
4bf7465840 Copy CIDs into SSL transform if use of CID has been negotiated 2019-06-03 14:43:16 +01:00
Hanno Becker
1327fa7d14 Add fields holding in/out CIDs to SSL record transformation struct
These will be copied from the CID fields in mbedtls_ssl_handshake_params
(outgoing CID) and mbedtls_ssl_context (incoming CID) when the transformation
is set up at the end of the handshake.
2019-06-03 14:43:16 +01:00
Hanno Becker
a6a4c7623c Grep for dbg msg witnessing parsing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
a8373a11c0 Implement parsing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
4bc9e9d3f6 Grep for dbg msg witnessing writing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
51de2d3f69 Implement writing of CID extension in ServerHello 2019-06-03 14:43:16 +01:00
Hanno Becker
7dee2c6369 Grep for dbg msg witnessing parsing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Hanno Becker
89dcc881d4 Implement parsing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Hanno Becker
6b78c83829 Grep for dbg msg witnessing writing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Hanno Becker
49770ffd93 Implement writing of CID extension in ClientHello 2019-06-03 14:43:16 +01:00
Hanno Becker
189a01309f Check static bounds of CID lengths in check_config.h 2019-06-03 14:43:16 +01:00
Hanno Becker
0652bc50c7 Add identifier for CID extension
Note: The current draft

   https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04

does not yet specify the extension value, so we
use a temporary value of 42.
2019-06-03 14:43:16 +01:00
Hanno Becker
f157a97b75 Modify CID tests in ssl-opt.sh to grep for CID config debug msgs 2019-06-03 14:43:16 +01:00
Hanno Becker
ca092246a7 Allow configuring own CID fields through mbedtls_ssl_get_peer_cid() 2019-06-03 14:43:16 +01:00
Hanno Becker
2f28c1031f Add fields to SSL structures describing state and config of CID ext
* mbedtls_ssl_context gets fields indicating whether the CID extension
  should be negotiated in the next handshake, and, if yes, which CID
  the user wishes the peer to use.

  This information does not belong to mbedtls_ssl_handshake_params
  because (a) it is configured prior to the handshake, and (b) it
  applies to all subsequent handshakes.

* mbedtls_ssl_handshake_params gets fields indicating the state of CID
  negotiation during the handshake. Specifically, it indicates if the
  use of the CID extension has been negotiated, and if so, which CID
  the peer wishes us to use for outgoing messages.
2019-06-03 14:43:16 +01:00