Commit Graph

1403 Commits

Author SHA1 Message Date
Jarno Lamsa
29f2dd0a7b Address review comments 2019-07-02 15:12:29 +02:00
Jarno Lamsa
59bd12bf14 Add new config MBEDTLS_SSL_SESSION_RESUMPTION
Add a new configuration option MBEDTLS_SSL_SESSION_RESUMPTION
to enable/disable the session resumption feature including
ticket and cache based session resumption.
2019-07-02 15:12:29 +02:00
Jarno Lamsa
7be14065e2 Add config MBEDTLS_SSL_SESSION_CACHE
Add configuration option MBEDTLS_SSL_SESSION_CACHE to control
enabling/disabling of the cache based session resumption.
2019-07-02 15:12:29 +02:00
Hanno Becker
abd929c89c Merge branch 'mbedtls-2.16' into baremetal-2.16-01_07_19 2019-07-01 11:25:42 +01:00
Hanno Becker
a7ac412dcd Update query_config.c 2019-06-25 09:07:16 +01:00
Hanno Becker
c6d1c3ed1c Remove frame/pk parameter from mbedtls_x509_crt_xxx_release() 2019-06-25 09:07:16 +01:00
Hanno Becker
5d9021e7f2 Make use of new API in ssl_server2 example application 2019-06-25 09:06:26 +01:00
Hanno Becker
4588dc4754 Update query_config.c 2019-06-25 09:06:26 +01:00
Hanno Becker
d8eab343d2 Adapt cert_write example program to work with new CRT structure 2019-06-25 09:06:26 +01:00
Hanno Becker
7f376f4ece Allow compile-time configuration of DTLS anti replay
Introduce MBEDTLS_SSL_CONF_ANTI_REPLAY to allow configuring
the use/nonuse of DTLS anti replay protection at compile-time.

Impact on code-size, measured with
> ./scripts/baremetal.sh --rom --gcc --armc5 --armc6

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23559 | 24089 | 27921 |
| `libmbedtls.a` after  | 23511 | 24049 | 27903 |
| gain in Bytes | 48 | 40 | 18 |
2019-06-25 08:43:31 +01:00
Hanno Becker
aa9fc6dd33 Update query_config.c 2019-06-25 08:42:20 +01:00
Hanno Becker
f765ce617f Remove ExtendedMS configuration API if hardcoded at compile-time
If the ExtendedMasterSecret extension is configured at compile-time
by setting MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET and/or
MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET, the runtime
configuration APIs mbedtls_ssl_conf_extended_master_secret()
and mbedtls_ssl_conf_extended_master_secret_enforce() must
either be removed or modified to take no effect (or at most
check that the runtime value matches the hardcoded one, but
that would undermine the code-size benefits the hardcoding
is supposed to bring in the first place).

Previously, the API was kept but modified to have no effect.
While convenient for us because we don't have to adapt example
applications, this comes at the danger of users calling the runtime
configuration API, forgetting that the respective fields are
potentially already hardcoded at compile-time - and hence silently
using a configuration they don't intend to use.

This commit changes the approach to removing the configuration
API in case the respective field is hardcoded at compile-time,
and exemplifies it in the only case implemented so far, namely
the configuration of the ExtendedMasterSecret extension.

It adapts ssl_client2 and ssl_server2 by omitting the call to
the corresponding API if MBEDTLS_SSL_CONF_XXX are defined and
removing the command line parameters for the runtime configuration
of the ExtendedMasterSecret extension.
2019-06-25 08:42:20 +01:00
Hanno Becker
aabbb582eb Exemplify harcoding SSL config at compile-time in example of ExtMS
This commit is the first in a series demonstrating how code-size
can be reduced by hardcoding parts of the SSL configuration at
compile-time, focusing on the example of the configuration of
the ExtendedMasterSecret extension.

The flexibility of an SSL configuration defined a runtime vs.
compile-time is necessary for the use of Mbed TLS as a
dynamically linked library, but is undesirable in constrained
environments because it introduces the following overhead:
- Definition of SSL configuration API (code-size overhead)
  (and on the application-side: The API needs to be called)
- Additional fields in the SSL configuration (RAM overhead,
  and potentially code-size overhead if structures grow
  beyond immediate-offset bounds).
- Dereferencing is needed to obtain configuration settings.
- Code contains branches and potentially additional structure
  fields to distinguish between different configurations.

Considering the example of the ExtendedMasterSecret extension,
this instantiates as follows:
- mbedtls_ssl_conf_extended_master_secret() and
  mbedtls_ssl_conf_extended_master_secret_enforced()
  are introduced to configure the ExtendedMasterSecret extension.
- mbedtls_ssl_config contains bitflags `extended_ms` and
  `enforce_extended_master_secret` reflecting the runtime
  configuration of the ExtendedMasterSecret extension.
- Whenever we need to access these fields, we need a chain
  of dereferences `ssl->conf->extended_ms`.
- Determining whether Client/Server should write the
  ExtendedMasterSecret extension needs a branch
  depending on `extended_ms`, and the state of the
  ExtendedMasterSecret negotiation needs to be stored in a new
  handshake-local variable mbedtls_ssl_handshake_params::extended_ms.
  Finally (that's the point of ExtendedMasterSecret) key derivation
  depends on this handshake-local state of ExtendedMasterSecret.

All this is unnecessary if it is known at compile-time that the
ExtendedMasterSecret extension is used and enforced:
- No API calls are necessary because the configuration is fixed
  at compile-time.
- No SSL config fields are necessary because there are corresponding
  compile-time constants instead.
- Accordingly, no dereferences for field accesses are necessary,
  and these accesses can instead be replaced by the corresponding
  compile-time constants.
- Branches can be eliminated at compile-time because the compiler
  knows the configuration. Also, specifically for the ExtendedMasterSecret
  extension, the field `extended_ms` in the handshake structure
  is unnecessary, because we can fail immediately during the Hello-
  stage of the handshake if the ExtendedMasterSecret extension
  is not negotiated; accordingly, the non-ExtendedMS code-path
  can be eliminated from the key derivation logic.

A way needs to be found to allow fixing parts of the SSL configuration
at compile-time which removes this overhead in case it is used,
while at the same time maintaining readability and backwards
compatibility.

This commit proposes the following approach:

From the user perspective, for aspect of the SSL configuration
mbedtls_ssl_config that should be configurable at compile-time,
introduce a compile-time option MBEDTLS_SSL_CONF_FIELD_NAME.
If this option is not defined, the field is kept and configurable
at runtime as usual. If the option is defined, the field is logically
forced to the value of the option at compile time.

Internally, read-access to fields in the SSL configuration which are
configurable at compile-time gets replaced by new `static inline` getter
functions which evaluate to the corresponding field access or to the
constant MBEDTLS_SSL_CONF_FIELD_NAME, depending on whether the latter
is defined or not.

Write-access to fields which are configurable at compile-time needs
to be removed: Specifically, the corresponding API itself either
needs to be removed or replaced by a stub function without effect.
This commit takes the latter approach, which has the benefit of
not requiring any change on the example applications, but introducing
the risk of mismatching API calls and compile-time configuration,
in case a user doesn't correctly keep track of which parts of the
configuration have been fixed at compile-time, and which haven't.
Write-access for the purpose of setting defaults is simply omitted.
2019-06-25 08:42:20 +01:00
Jaeden Amero
7b03e87fbc Merge remote-tracking branch 'restricted/pr/582' into mbedtls-2.16-restricted
* restricted/pr/582:
  Add a test for signing content with a long ECDSA key
  Add documentation notes about the required size of the signature buffers
  Add missing MBEDTLS_ECP_C dependencies in check_config.h
  Change size of preallocated buffer for pk_sign() calls
2019-06-24 11:40:59 +01:00
Jaeden Amero
7f132cc1a3 Merge remote-tracking branch 'origin/pr/2714' into mbedtls-2.16
* origin/pr/2714:
  programs: Make `make clean` clean all programs always
  ssl_tls: Enable Suite B with subset of ECP curves
  windows: Fix Release x64 configuration
  timing: Remove redundant include file
  net_sockets: Fix typo in net_would_block()
2019-06-21 16:00:52 +01:00
Jaeden Amero
0c42e908e5 programs: Make make clean clean all programs always
If `make TEST_CPP:=1` is run, and then `make clean` (as opposed to `make
TEST_CPP:=1 clean`), the cpp_dummy_build will be left behind after the
clean. Make `make clean more convenient to use by removing programs that
could be generated from any configuration, not just the active one.

Fixes #1862
2019-06-20 16:34:24 +01:00
Hanno Becker
488c8dee47 Add missing compile time guard in ssl_client2 2019-06-19 14:59:42 +01:00
Hanno Becker
b6f7241741 Update programs/ssl/query_config.c 2019-06-19 14:59:42 +01:00
Hanno Becker
b7fab76890 ssl_client2: Reset peer CRT info string on reconnect 2019-06-19 14:59:42 +01:00
Hanno Becker
f9ca30d042 ssl_client2: Zeroize peer CRT info buffer when reconnecting 2019-06-19 14:59:41 +01:00
Hanno Becker
975c463b3f ssl_client2: Extract peer CRT info from verification callback
So far, `ssl_client2` printed the CRT info for the peer's CRT
by requesting the latter through `mbedtls_ssl_get_peer_cert()`
at the end of the handshake, and printing it via
`mbedtls_x509_crt_info()`. When `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`
is disabled, this does no longer work because the peer's CRT
isn't stored beyond the handshake.

This makes some tests in `ssl-opt.sh` fail which rely on the CRT
info output for the peer certificate.

This commit modifies `ssl_client2` to extract the peer CRT info
from the verification callback, which is always called at a time
when the peer's CRT is available. This way, the peer's CRT info
is still printed if `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is disabled.
2019-06-19 14:59:37 +01:00
Hanno Becker
b265f5f191 Use mbedtls_ssl_get_peer_cert() to query peer cert in cert_app 2019-06-19 10:25:02 +01:00
Simon Butcher
7400e8fb36 Merge remote-tracking branch 'origin/pr/591' into baremetal 2019-06-18 17:36:45 +01:00
Simon Butcher
f2ef573f2b Merge remote-tracking branch 'origin/pr/598' into baremetal 2019-06-18 15:00:02 +01:00
Simon Butcher
f1ff74574d Merge remote-tracking branch 'origin/pr/597' into baremetal 2019-06-18 14:58:37 +01:00
Hanno Becker
98f85c8c25 Add missing dependencies on !MBEDTLS_X509_REMOVE_INFO 2019-06-18 11:05:44 +01:00
Hanno Becker
02a2193f60 Rename MBEDTLS_X509_INFO to !MBEDTLS_X509_REMOVE_INFO 2019-06-18 11:05:44 +01:00
Peter Kolbus
dc470ae8af Reduce code size when mbedtls_x509_*_info() unused
Introduce MBEDTLS_X509_INFO to indicate the availability of the
mbedtls_x509_*_info() function and closely related APIs. When this is
not defined, also omit name and description from
mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that
are entirely unused. This saves several KB of code space.

Change-Id: I056312613379890e0d70e1d08c34171287c0aa17
2019-06-18 11:05:37 +01:00
Jarno Lamsa
8b2608b6c2 Fix style issues 2019-06-18 11:50:11 +03:00
Jarno Lamsa
29a15c2de5 Set timer callbacks with serialization 2019-06-18 11:50:11 +03:00
Jarno Lamsa
85c238018e Fix spacing 2019-06-18 11:50:11 +03:00
Jarno Lamsa
034ae84601 Fix compiler warnings 2019-06-18 11:50:11 +03:00
Jarno Lamsa
b5ff6a4ced Add option for ssl-context re-initialization flow 2019-06-18 11:50:11 +03:00
Jarno Lamsa
bff4a91827 Fix spacing 2019-06-18 11:50:11 +03:00
Jarno Lamsa
f4f8ed7e82 Allow stub implementation of the context_save for now 2019-06-18 11:50:11 +03:00
Jarno Lamsa
5737ec97a6 Address review comments for code-style issues 2019-06-18 11:50:11 +03:00
Jarno Lamsa
38061f4a17 Remove mbedtls_ssl_free() and mbedtls_ssl_init() from serialization flow in test 2019-06-18 11:50:11 +03:00
Jarno Lamsa
cf1b6724c9 Use MBEDTLS_SSL_CONTEXT_SERIALIZATION flag 2019-06-18 11:50:11 +03:00
Jarno Lamsa
f457293b57 Serialize/deserialize for ssl_server2 2019-06-18 11:50:11 +03:00
Jarno Lamsa
654e8de163 Rely on opt.exchanges for sending after serialization 2019-06-18 11:50:11 +03:00
Jarno Lamsa
d736d08618 Serialization/deserialization in ssl_client2 2019-06-18 11:50:11 +03:00
Jarno Lamsa
0ea3cfe5bf Add option for serialization in ssl_client/server2 2019-06-18 11:50:11 +03:00
Manuel Pégourié-Gonnard
91fa5bade3 Add new config MBEDTLS_SSL_CONTEXT_SERIALIZATION
This is enabled by default as we generally enable things by default unless
there's a reason not to (experimental, deprecated, security risk).

We need a compile-time option because, even though the functions themselves
can be easily garbage-collected by the linker, implementing them will require
saving 64 bytes of Client/ServerHello.random values after the handshake, that
would otherwise not be needed, and people who don't need this feature
shouldn't have to pay the price of increased RAM usage.
2019-06-18 10:09:27 +02:00
Hanno Becker
1abb159e90 Merge branch 'mbedtls-2.16' into baremetal 2019-06-18 09:00:37 +01:00
Gilles Peskine
0b87412ac5 Remove mbedtls_param_failed from programs
All sample and test programs had a definition of mbedtls_param_failed.
This was necessary because we wanted to be able to build them in a
configuration with MBEDTLS_CHECK_PARAMS set but without a definition
of MBEDTLS_PARAM_FAILED. Now that we activate the sample definition of
MBEDTLS_PARAM_FAILED in config.h when testing with
MBEDTLS_CHECK_PARAMS set, this boilerplate code is no longer needed.
2019-06-17 19:10:13 +02:00
Gilles Peskine
30346f639e Make it easier to define MBEDTLS_PARAM_FAILED as assert
Introduce a new configuration option MBEDTLS_CHECK_PARAMS_ASSERT,
which is disabled by default. When this option is enabled,
MBEDTLS_PARAM_FAILED defaults to assert rather than to a call to
mbedtls_param_failed, and <assert.h> is included.

This fixes #2671 (no easy way to make MBEDTLS_PARAM_FAILED assert)
without breaking backward compatibility. With this change,
`config.pl full` runs tests with MBEDTLS_PARAM_FAILED set to assert,
so the tests will fail if a validation check fails, and programs don't
need to provide their own definition of mbedtls_param_failed().
2019-06-17 19:07:42 +02:00
Simon Butcher
c725e4b34e Merge remote-tracking branch 'origin/pr/590' into baremetal 2019-06-17 17:57:26 +01:00
Simon Butcher
01a8eb21d3 Merge remote-tracking branch 'origin/pr/585' into baremetal 2019-06-17 17:53:41 +01:00
Manuel Pégourié-Gonnard
ba8b1eb5d9 Use negated option for controlling TLS support.
A positive option looks better, but comes with the following compatibility
issue: people using a custom config.h that is not based on the default
config.h and need TLS support would need to manually change their config in
order to still get TLS.

Work around that by making the public option negative. Internally the positive
option is used, though.

In the future (when preparing the next major version), we might want to switch
back to a positive option as this would be more consistent with other options
we have.
2019-06-17 15:26:34 +02:00
Jaeden Amero
8f27b4455c Merge remote-tracking branch 'origin/pr/2695' into mbedtls-2.16
* origin/pr/2695:
  UDP proxy: Don't attempt to dissect dgram into records when dropping
2019-06-14 08:55:47 +01:00
Jaeden Amero
7aed01c0dc Merge remote-tracking branch 'origin/pr/2481' into mbedtls-2.16
* origin/pr/2481:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add suppport for MD2 to CSR and CRT writing example programs
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
2019-06-14 08:50:47 +01:00
Hanno Becker
bcf97ec18c UDP proxy: Don't attempt to dissect dgram into records when dropping
To prevent dropping the same message over and over again, the UDP proxy
test application programs/test/udp_proxy _logically_ maintains a mapping
from records to the number of times the record has already been dropped,
and stops dropping once a configurable threshold (currently 2) is passed.

However, the actual implementation deviates from this logical view
in two crucial respects:
- To keep the implementation simple and independent of
  implementations of suitable map interfaces, it only counts how
  many times a record of a given _size_ has been dropped, and
  stops dropping further records of that size once the configurable
  threshold is passed. Of course, this is not fail-proof, but a
  good enough approximation for the proxy, and it allows to use
  an inefficient but simple array for the required map.
- The implementation mixes datagram lengths and record lengths:
  When deciding whether it is allowed to drop a datagram, it
  uses the total datagram size as a lookup index into the map
  counting the number of times a package has been dropped. However,
  when updating this map, the UDP proxy traverses the datagram
  record by record, and updates the mapping at the level of record
  lengths.

Apart from this inconsistency, the current implementation suffers
from a lack of bounds checking for the parsed length of incoming
DTLS records that can lead to a buffer overflow when facing
malformed records.

This commit removes the inconsistency in datagram vs. record length
and resolves the buffer overflow issue by not attempting any dissection
of datagrams into records, and instead only counting how often _datagrams_
of a particular size have been dropped.

There is only one practical situation where this makes a difference:
If datagram packing is used by default but disabled on retransmission
(which OpenSSL has been seen to do), it can happen that we drop a
datagram in its initial transmission, then also drop some of its records
when they retransmitted one-by-one afterwards, yet still keeping the
drop-counter at 1 instead of 2. However, even in this situation, we'll
correctly count the number of droppings from that point on and eventually
stop dropping, because the peer will not fall back to using packing
and hence use stable record lengths.
2019-06-13 11:21:42 +01:00
Simon Butcher
f49a277f34 Merge remote-tracking branch 'origin/pr/576' into baremetal 2019-06-12 20:15:00 +01:00
Jarno Lamsa
41b359114d Add tests for enforced extended master secret flag 2019-06-10 15:51:11 +03:00
k-stachowiak
e79c939693 Change size of preallocated buffer for pk_sign() calls 2019-06-06 13:13:26 +02:00
Manuel Pégourié-Gonnard
e744eab3b1 Adapt defaults and programs documentation 2019-06-06 13:02:14 +02:00
Manuel Pégourié-Gonnard
a771160799 Introduce new config.h flag for TLS
For now the option has no effect.

Adapted existing example config files. The fact that I needed to do this
highlights that this is a slightly incompatible change: existing users need to
update their existing custom configs (if standalone as opposed to based on the
default config) in order to still get the same behaviour.

The alternative would be to have a negative config option (eg NO_TLS or
DTLS_ONLY) but this doesn't fit as nicely with the existing options, so
hopefully the minor incompatibility is acceptable.

I don't think it's worth adding a new component to all.sh:
- builds with both DTLS and TLS are done in the default (and full) config
- TLS-only builds are done with eg config-suite-b.h in test-ref-configs
- a DTLS-only build is done with config-thread.h in test-ref-configs
- builds with none of them (and SSL_TLS_C enabled) are forbidden
2019-06-06 12:59:48 +02:00
Hanno Becker
08c78a2e32 UDP proxy: Don't attempt to dissect dgram into records when dropping
To prevent dropping the same message over and over again, the UDP proxy
test application programs/test/udp_proxy _logically_ maintains a mapping
from records to the number of times the record has already been dropped,
and stops dropping once a configurable threshold (currently 2) is passed.

However, the actual implementation deviates from this logical view
in two crucial respects:
- To keep the implementation simple and independent of
  implementations of suitable map interfaces, it only counts how
  many times a record of a given _size_ has been dropped, and
  stops dropping further records of that size once the configurable
  threshold is passed. Of course, this is not fail-proof, but a
  good enough approximation for the proxy, and it allows to use
  an inefficient but simple array for the required map.
- The implementation mixes datagram lengths and record lengths:
  When deciding whether it is allowed to drop a datagram, it
  uses the total datagram size as a lookup index into the map
  counting the number of times a package has been dropped. However,
  when updating this map, the UDP proxy traverses the datagram
  record by record, and updates the mapping at the level of record
  lengths.

Apart from this inconsistency, the introduction of the Connection ID
feature leads to yet another problem: The CID length is not part of
the record header but dynamically negotiated during (potentially
encrypted!) handshakes, and it is hence impossible for a passive traffic
analyzer (in this case our UDP proxy) to reliably parse record headers;
especially, it isn't possible to reliably infer the length of a record,
nor to dissect a datagram into records.

The previous implementation of the UDP proxy was not CID-aware and
assumed that the record length would always reside at offsets 11, 12
in the DTLS record header, which would allow it to iterate through
the datagram record by record. As mentioned, this is no longer possible
for CID-based records, and the current implementation can run into
a buffer overflow in this case (because it doesn't validate that
the record length is not larger than what remains in the datagram).

This commit removes the inconsistency in datagram vs. record length
and resolves the buffer overflow issue by not attempting any dissection
of datagrams into records, and instead only counting how often _datagrams_
of a particular size have been dropped.

There is only one practical situation where this makes a difference:
If datagram packing is used by default but disabled on retransmission
(which OpenSSL has been seen to do), it can happen that we drop a
datagram in its initial transmission, then also drop some of its records
when they retransmitted one-by-one afterwards, yet still keeping the
drop-counter at 1 instead of 2. However, even in this situation, we'll
correctly count the number of droppings from that point on and eventually
stop dropping, because the peer will not fall back to using packing
and hence use stable record lengths.
2019-06-04 13:04:28 +01:00
Hanno Becker
d0f2d8100c Document support for MD2 and MD4 in programs/x509/cert_write 2019-06-03 16:20:10 +01:00
Hanno Becker
8a0193e619 Add suppport for MD2 to CSR and CRT writing example programs
The example programs programs/x509/cert_req and programs/x509/cert_write
(demonstrating the use of X.509 CSR and CRT writing functionality)
previously didn't support MD2 signatures.

For testing purposes, this commit adds support for MD2 to cert_req,
and support for MD2 and MD4 to cert_write.
2019-06-03 16:19:34 +01:00
Manuel Pégourié-Gonnard
35ccdbb636 Normalize spelling to serialiZation
We have explicit recommendations to use US spelling for technical writing, so
let's apply this to code as well for uniformity. (My fingers tend to prefer UK
spelling, so this needs to be fixed in many places.)

sed -i 's/\([Ss]eriali\)s/\1z/g' **/*.[ch] **/*.function **/*.data ChangeLog
2019-06-03 09:55:16 +02:00
Manuel Pégourié-Gonnard
4bb1b99c7f Demonstrate safe usage (zeroize) in ssl_client2 2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard
32ce596c35 Improve save API by always updating olen
This allows callers to discover what an appropriate size is. Otherwise they'd
have to either try repeatedly, or allocate an overly large buffer (or some
combination of those).

Adapt documentation an example usage in ssl_client2.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard
57a348ba8c Add tests for session copy without serialisation 2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard
37a5324c74 Add mbedtls_ssl_get_session_pointer()
Avoid useless copy with mbedtls_ssl_get_session() before serialising.

Used in ssl_client2 for testing and demonstrating usage, but unfortunately
that means mbedtls_ssl_get_session() is no longer tested, which will be fixed
in the next commit.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard
fbb44a422f Save session in serialised form in ssl_client2.
This provides basic testing for the session (de)serialisation functions, as
well as an example of how to use them.

Tested locally with tests/ssl-opt.sh -f '^Session resume'.
2019-06-03 09:51:08 +02:00
Hanno Becker
1ce1a51816 Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2 2019-05-30 10:21:59 +01:00
Hanno Becker
7ae36e4179 ssl_server2: Skip CA setup if ca_path or ca_file argument "none"
This allows to test PSK-based ciphersuites via ssl_server2 in builds
which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and
MBEDTLS_CERTS_C disabled.
2019-05-30 10:21:59 +01:00
Hanno Becker
a7242061c4 ssl_client2: Skip CA setup if ca_path or ca_file argument "none"
This allows to test PSK-based ciphersuites via ssl_client2 in builds
which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and
MBEDTLS_CERTS_C disabled.

A similar change is applied to the `crt_file` and `key_file` arguments.
2019-05-30 10:21:59 +01:00
Hanno Becker
c258c440b5 Correct white spaces in ssl_server2 and ssl_client2 2019-05-30 10:21:59 +01:00
Hanno Becker
bb676f7d32 Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled 2019-05-30 10:21:59 +01:00
Hanno Becker
38566ccbd5 Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled 2019-05-30 10:21:59 +01:00
Simon Butcher
0d1d76f987 Merge remote-tracking branch 'origin/pr/561' into baremetal 2019-05-29 15:09:24 +01:00
Simon Butcher
d5e1bfc6b4 Merge remote-tracking branch 'origin/pr/569' into baremetal 2019-05-24 15:07:10 +01:00
Simon Butcher
0edb924e16 Merge remote-tracking branch 'origin/pr/565' into baremetal 2019-05-24 15:06:56 +01:00
Hanno Becker
34dcf4e6f6 Add bad_cid option UDP proxy to insert unexpected CID records
This commit adds the command line option 'bad_cid' to the UDP proxy
`./programs/test/udp_proxy`. It takes a non-negative integral value N,
which if not 0 has the effect of duplicating every 1:N CID records
and modifying the CID in the first copy sent.

This is to exercise the stacks documented behaviour on receipt
of unexpected CIDs.

It is important to send the record with the unexpected CID first,
because otherwise the packet would be dropped already during
replay protection (the same holds for the implementation of the
existing 'bad_ad' option).
2019-05-24 10:07:42 +01:00
Hanno Becker
f4e8ed116c Remove superfluous new line in ssl_server2 2019-05-23 17:01:43 +01:00
Hanno Becker
c8f43d82b8 Improve readability of ssl_client2/ssl_server2 usage instructions 2019-05-23 17:01:06 +01:00
Hanno Becker
b8260c64d6 Remove superfluous newline in ssl_client2 2019-05-23 17:00:23 +01:00
Hanno Becker
76581052f9 Use negative-hex format for error codes in ssl_client2/ssl_server2 2019-05-23 16:58:22 +01:00
Hanno Becker
ac36388e3e Exemplify ways of calling mbedtls_ssl_get_peer_cid() in ssl_client2 2019-05-22 16:59:25 +01:00
Hanno Becker
a5a2b08a05 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-05-20 15:35:36 +01:00
Hanno Becker
e8eff9a517 Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow the configuration of the stack's behaviour when receiving an
encrypted DTLS record with unexpected CID.
2019-05-20 15:32:36 +01:00
Hanno Becker
d23605d056 Add missing compile-time guard around CID API in ssl_server2 2019-05-20 15:32:36 +01:00
Hanno Becker
550e1662c7 Allow the configuration of padding when using CID extension 2019-05-20 15:32:36 +01:00
Hanno Becker
6c4bc14021 UDP Proxy: Don't drop CID records
ApplicationData records are not protected against loss by DTLS
and our test applications ssl_client2 and ssl_server2 don't
implement any retransmission scheme to deal with loss of the
data they exchange. Therefore, the UDP proxy programs/test/udp_proxy
does not drop ApplicationData records.

With the introduction of the Connection ID, encrypted ApplicationData
records cannot be recognized as such by inspecting the record content
type, as the latter is always set to the CID specific content type for
protected records using CIDs, while the actual content type is hidden
in the plaintext.

To keep tests working, this commit adds CID records to the list of
content types which are protected against dropping by the UDP proxy.
2019-05-20 15:32:36 +01:00
Hanno Becker
9687029d22 Add support for change of CID to ssl_client2 / ssl_server2
And add tests for various CID configuration changes during
renegotiation to ssl-opt.sh.
2019-05-20 15:32:36 +01:00
Hanno Becker
eec2be9c9f Add CID configuration API
Context:
The CID draft does not require that the length of CIDs used for incoming
records must not change in the course of a connection. Since the record
header does not contain a length field for the CID, this means that if
CIDs of varying lengths are used, the CID length must be inferred from
other aspects of the record header (such as the epoch) and/or by means
outside of the protocol, e.g. by coding its length in the CID itself.

Inferring the CID length from the record's epoch is theoretically possible
in DTLS 1.2, but it requires the information about the epoch to be present
even if the epoch is no longer used: That's because one should silently drop
records from old epochs, but not the entire datagrams to which they belong
(there might be entire flights in a single datagram, including a change of
epoch); however, in order to do so, one needs to parse the record's content
length, the position of which is only known once the CID length for the epoch
is known. In conclusion, it puts a significant burden on the implementation
to infer the CID length from the record epoch, which moreover mangles record
processing with the high-level logic of the protocol (determining which epochs
are in use in which flights, when they are changed, etc. -- this would normally
determine when we drop epochs).

Moreover, with DTLS 1.3, CIDs are no longer uniquely associated to epochs,
but every epoch may use a set of CIDs of varying lengths -- in that case,
it's even theoretically impossible to do record header parsing based on
the epoch configuration only.

We must therefore seek a way for standalone record header parsing, which
means that we must either (a) fix the CID lengths for incoming records,
or (b) allow the application-code to configure a callback to implement
an application-specific CID parsing which would somehow infer the length
of the CID from the CID itself.

Supporting multiple lengths for incoming CIDs significantly increases
complexity while, on the other hand, the restriction to a fixed CID length
for incoming CIDs (which the application controls - in contrast to the
lengths of the CIDs used when writing messages to the peer) doesn't
appear to severely limit the usefulness of the CID extension.

Therefore, the initial implementation of the CID feature will require
a fixed length for incoming CIDs, which is what this commit enforces,
in the following way:

In order to avoid a change of API in case support for variable lengths
CIDs shall be added at some point, we keep mbedtls_ssl_set_cid(), which
includes a CID length parameter, but add a new API mbedtls_ssl_conf_cid_len()
which applies to an SSL configuration, and which fixes the CID length that
any call to mbetls_ssl_set_cid() which applies to an SSL context that is bound
to the given SSL configuration must use.

While this creates a slight redundancy of parameters, it allows to
potentially add an API like mbedtls_ssl_conf_cid_len_cb() later which
could allow users to register a callback which dynamically infers the
length of a CID at record header parsing time, without changing the
rest of the API.
2019-05-20 15:32:36 +01:00
Hanno Becker
2e0bedcc35 Correct compile-time guard around unhexify() in ssl_server2 2019-05-17 10:20:41 +01:00
Hanno Becker
0c8281aae5 Change formating of CID debug output in ssl_client2/ssl_server2 2019-05-17 10:20:41 +01:00
Hanno Becker
fce6f836ba Merge branch 'mbedtls-2.16' into baremetal 2019-05-17 10:06:02 +01:00
Simon Butcher
e372d5fb8f Merge remote-tracking branch 'origin/pr/558' into baremetal 2019-05-09 17:03:18 +01:00
Simon Butcher
999ac174cc Merge remote-tracking branch 'origin/pr/566' into baremetal 2019-05-09 16:59:02 +01:00
Manuel Pégourié-Gonnard
afdc1b5cbd Consistently use the name tinycrypt over uecc
We called in tinycrypt in the file names, but uecc in config.h, all.sh and
other places, which could be confusing. Just use tinycrypt everywhere because
that's the name of the project and repo where we took the files.

The changes were made using the following commands (with GNU sed and zsh):

sed -i 's/uecc/tinycrypt/g' **/*.[ch] tests/scripts/all.sh
sed -i 's/MBEDTLS_USE_UECC/MBEDTLS_USE_TINYCRYPT/g' **/*.[ch] tests/scripts/all.sh scripts/config.pl
2019-05-09 11:24:11 +02:00
Jarno Lamsa
6fe99be972 Fix check-generated-files after creating a flag 2019-04-25 13:54:32 +03:00
Jaeden Amero
9cfc9ceaf9 Merge remote-tracking branch 'origin/pr/2542' into mbedtls-2.16
* origin/pr/2542:
  Add guards for MBEDTLS_X509_CRL_PARSE_C in sample
2019-04-24 11:21:35 +01:00
Hanno Becker
d6028a1894 Improve macro hygiene
This commit improves hygiene and formatting of macro definitions
throughout the library. Specifically:
- It adds brackets around parameters to avoid unintended
  interpretation of arguments, e.g. due to operator precedence.
- It adds uses of the `do { ... } while( 0 )` idiom for macros that
  can be used as commands.
2019-04-24 10:51:54 +02:00
Hanno Becker
6dde3dd8ec Print peer CID from ssl_client2 2019-04-23 11:51:47 +01:00
Hanno Becker
8be8a95dea Print peer CID from ssl_server2 2019-04-23 11:51:40 +01:00
Hanno Becker
14751aa966 Improve wording of CID debug msg in ssl_server2 example application 2019-04-23 11:39:53 +01:00
Jaeden Amero
d17b5e9abc Merge remote-tracking branch 'origin/pr/2553' into mbedtls-2.16
* origin/pr/2553:
  Remove ssl_cert_test sample app
2019-04-16 15:07:25 +01:00
Hanno Becker
1029acee1d ssl_server2: Add cmd line options to configure use of CID extension 2019-04-09 18:27:04 +01:00
Hanno Becker
7a7aa1943e ssl_client2: Add cmd line options to configure use of CID extension 2019-04-09 18:27:04 +01:00
Hanno Becker
ec37030afe ssl_client2: Add helper to unhexify binary command line data 2019-04-09 18:27:04 +01:00
Hanno Becker
c8e80eeda0 Update query_config.c 2019-04-09 18:26:59 +01:00
Ron Eldor
1ec99c66b8 Remove ssl_cert_test sample app
Remove the ssl_cert_test sample application, as it uses
hardcoded certificates that moved, and is redundant with the x509
tests and applications. Fixes #1905.
2019-04-07 16:51:18 +03:00
Ron Eldor
24eec79255 Add guards for MBEDTLS_X509_CRL_PARSE_C in sample
Add checks in `ssl_server2` that `MBEDTLS_X509_CRL_PARSE_C` is defined
to fix compilation issue. Fixes #560.
2019-04-04 15:17:34 +03:00
irwir
5b9e318e34 Fix default port number information 2019-03-06 15:15:28 +02:00
Jaeden Amero
cef29a2fd0 Merge remote-tracking branch 'origin/pr/2401' into mbedtls-2.16
* origin/pr/2401:
  Add ChangeLog entry
  Fix private DER output shifted by one byte.
2019-03-05 16:37:13 +00:00
Simon Butcher
799cd57c72 Merge remote-tracking branch 'restricted/pr/550' into mbedtls-2.16
* restricted/pr/550:
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
2019-03-01 13:05:43 +00:00
Simon Butcher
e6a3f57898 Merge remote-tracking branch 'public/pr/2429' into mbedtls-2.16
* public/pr/2429:
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for ASN.1 bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Fix ASN1 bitstring writing
2019-03-01 13:04:04 +00:00
Manuel Pégourié-Gonnard
2eee0c3166 Update query_config.c 2019-03-01 10:30:30 +01:00
Andres Amaya Garcia
2c0f6f0b10 Add tests for (named) bitstring to suite_asn1write 2019-02-11 21:23:49 +00:00
Andres Amaya Garcia
9da4674060 Suppress visual studio preprocessor warnings on query_config.c 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
fe52d2af51 Update query_config.c with new macros 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
4eb040af4a Exclude macros from query_config.c generation 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
c500ad8cc0 Fix query_config macro expansion for windows 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
c46ea38f90 Fix query_config macro expansion for windows 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
cb6b6dcdc5 Improve cmake inclusion of query_config.c when building apps 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
5547a405b2 Improve comments in query_config.fmt 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
d2689e3876 Fix GCC 0-length printf format string error 2019-02-07 10:32:31 +00:00
Andres AG
bf83f1d296 Fix aligment in programs/test/query_compile_time_config.c 2019-02-07 10:32:31 +00:00
Andres AG
ce52886051 Create programs/test/query_compile_time_config app 2019-02-07 10:32:31 +00:00
Andres AG
b6ff184f5c Ensure query_config.c includes stdio only when needed 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
aaa6007958 Update programs/ssl/CMakeLists.txt with query_config.c dep 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
55a6c367bb query_config.c: remove duplicated inc of platform.h 2019-02-07 10:32:31 +00:00
Andres Amaya Garcia
bfa3e0914b Query config through ssl_server2 and ssl_client2 cmdline 2019-02-07 10:30:05 +00:00
Christian Walther
38c919bc95 Fix private DER output shifted by one byte. 2019-01-31 19:22:03 +02:00
Jaeden Amero
88227f9d8e Merge remote-tracking branch 'origin/pr/2326' into mbedtls-2.16 2019-01-30 15:55:53 +00:00
Jaeden Amero
f01f3088a4 Merge remote-tracking branch 'origin/pr/2137' into mbedtls-2.16 2019-01-30 14:54:28 +00:00
Masashi Honma
fbda6126d6 Remove duplicate #include
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-03 16:13:11 +09:00
Manuel Pégourié-Gonnard
3ef6a6dc5c Fix const-ness in mbedtls_param_failed()
The previous prototype gave warnings are the strings produced by #cond and
__FILE__ are const, so we shouldn't implicitly cast them to non-const.

While at it modifying most example programs:
- include the header that has the function declaration, so that the definition
  can be checked to match by the compiler
- fix whitespace
- make it work even if PLATFORM_C is not defined:
    - CHECK_PARAMS is not documented as depending on PLATFORM_C and there is
      no reason why it should
    - so, remove the corresponding #if defined in each program...
    - and add missing #defines for mbedtls_exit when needed

The result has been tested (make all test with -Werror) with the following
configurations:

- full with    CHECK_PARAMS with    PLATFORM_C
- full with    CHECK_PARAMS without PLATFORM_C
- full without CHECK_PARAMS without PLATFORM_C
- full without CHECK_PARAMS with    PLATFORM_C

Additionally, it has been manually tested that adding

    mbedtls_aes_init( NULL );

near the normal call to mbedtls_aes_init() in programs/aes/aescrypt2.c has the
expected effect when running the program.
2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
2c21073789 Remove leftover from testing 2018-12-11 12:28:56 +01:00
Simon Butcher
63cb97e562 Add handlers for parameter validation in the sample programs
The sample programs require an additional handler function of
mbedtls_param_failed() to handle any failed parameter validation checks enabled
by the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Jaeden Amero
52ed0b9030 Merge remote-tracking branch 'upstream-public/pr/2101' into development 2018-12-07 16:15:31 +00:00
Jaeden Amero
9055a7d855 Merge remote-tracking branch 'upstream-public/pr/2175' into development 2018-12-06 16:09:58 +00:00
Janos Follath
52735ef2fe ECDH: Prevent direct access in non-legacy mode
Some sample programs access structure fields directly. Making these work is
desirable in the long term, but these are not essential for the core
functionality in non-legacy mode.
2018-11-30 14:21:35 +00:00
Simon Butcher
cdd1a6c872 Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed 2018-11-12 14:29:14 +00:00
Simon Butcher
241823aab8 Merge remote-tracking branch 'public/pr/1641' into development-restricted-proposed 2018-11-07 12:55:47 +00:00
Hanno Becker
e2dae7e1f5 Add explicit integer to enumeration casts to programs/pkey/gen_key.c
Fixes #2170.
2018-11-05 16:54:40 +00:00
Simon Butcher
2705beaeef Merge remote-tracking branch 'public/pr/2095' into development-proposed 2018-11-04 18:48:04 +00:00
Hanno Becker
710f203541 Merge branch 'iotssl-1770' into development_thomas_dee 2018-11-02 10:52:49 +00:00
Hanno Becker
56e84632ef Add 'password' cmd line parameter to cert_req example program 2018-11-01 16:46:40 +00:00
Hanno Becker
f745733bb1 Add 'md' cmd line parameter to cert_req example program
This commit adds a command line option `md` to the example application
`programs/x509/cert_req` allowing to specify the hash algorithm to use
when signing the CSR.
2018-11-01 16:46:37 +00:00
Simon Butcher
5706452787 Merge remote-tracking branch 'public/pr/2056' into development-proposed 2018-10-28 17:21:29 +00:00
Simon Butcher
b4e5451326 Merge remote-tracking branch 'public/pr/2070' into development-proposed 2018-10-28 16:53:48 +00:00
Simon Butcher
ddc9e26b3b Merge remote-tracking branch 'public/pr/1627' into development 2018-10-27 18:27:41 +01:00
Simon Butcher
1daecb4fea Merge remote-tracking branch 'public/pr/1281' into development 2018-10-27 17:46:13 +01:00
Hanno Becker
5ddc063c88 Correct typo 2018-10-26 16:50:05 +01:00
Hanno Becker
d0d01c584e Document psk_list parameter of ssl_server2 example program 2018-10-25 16:56:37 +01:00