Commit Graph

13404 Commits

Author SHA1 Message Date
Hanno Becker
67a37db2d2 Add missing configuration guards to SSL record protection helpers
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-31 08:51:29 +01:00
Hanno Becker
13996927cb Introduce configuration option for TLS 1.3 padding granularity
TLS 1.3 record protection allows the addition of an arbitrary amount
of padding.

This commit introduces a configuration option

```
   MBEDTLS_SSL_TLS13_PADDING_GRANULARITY
```

The semantics of this option is that padding is chosen in a minimal
way so that the padded plaintext has a length which is a multiple of
MBEDTLS_SSL_TLS13_PADDING_GRANULARITY.

For example, setting MBEDTLS_SSL_TLS13_PADDING_GRANULARITY to 1024
means that padded plaintexts will have length 1024, 2048, ..., while
setting it to 1 means that no padding will be used.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-31 08:51:25 +01:00
Nicola Di Lieto
110a794e93 Add ChangeLog.d/new-mbedtls_x509_crt_parse_der_with_ext_cb_routine.txt
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-29 23:27:47 +02:00
Nicola Di Lieto
e58b4638e5 Unsupported extension tests in test_suite_x509parse
All combinations of critical or not, recognized or not by the
callback are now tested as requested in
https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432647880

In addition pass the OID of the unsupported extension to be parsed
to the callback using the opaque pointer, which makes the tests fail
if the library forwards the wrong pointer to the callback, as
requested in
https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432647392

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-29 23:11:28 +02:00
Nicola Di Lieto
565b52bb72 mbedtls_x509_crt_parse_der_with_ext_cb improvement
Continue parsing when the callback fails to parse a non critical
exception. Also document the behaviour more extensively and pass
the callback error code to the caller unaltered.

See https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432630548
and https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432630968

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-29 23:09:47 +02:00
Ronald Cron
8216dd3f34 Use defines to check alpn ext list validity
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-29 15:10:30 +02:00
Hanno Becker
e131bfec29 Return error in case of bad user configurations
This commits adds returns with the SSL_BAD_CONFIG error code
in case of bad user configurations.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-29 15:10:30 +02:00
Hanno Becker
b4c0b7556d Add error condition for bad user configurations
This commit adds an error condition for bad user configurations
and updates the number of SSL module errors in error.h.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-29 15:10:30 +02:00
Hanno Becker
261602cb34 Uniformize bounds checks using new macro
This commit uses the previously defined macro to uniformize
bounds checks in several places. It also adds bounds checks to
the ClientHello writing function that were previously missing.
Also, the functions adding extensions to the ClientHello message
can now fail if the buffer is too small or a different error
condition occurs, and moreover they take an additional buffer
end parameter to free them from the assumption that one is
writing to the default output buffer.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-05-29 15:07:00 +02:00
Manuel Pégourié-Gonnard
817e368dfd Add test for building without CTR_DRBG
People who prefer to rely on HMAC_DRBG (for example because they use it for
deterministic ECDSA and don't want a second DRBG for code size reasons) should
be able to build and run the tests suites without CTR_DRBG.

Ideally we should make sure the level of testing (SSL) is the same regardless
of which DRBG modules is enabled, but that's a more significant piece of work.
For now, just ensure everything builds and `make test` passes.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-29 11:50:53 +02:00
Hugues de Valon
600cf9d142 Add usage info of generate_psa_constants script
Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
2020-05-29 10:29:49 +01:00
Manuel Pégourié-Gonnard
a89040c7f5 Fix undeclared deps on CTR_DRBG in programs/fuzz
While at it, fix a few other obvious ones such as ENTROPY and TIMING_C when
applicable.

A non-regression test for CTR_DRBG will be added in a follow-up commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-29 11:27:08 +02:00
Manuel Pégourié-Gonnard
d12402ffc0 Fix undeclared deps on MBEDTLS_CTR_DRBG in tests
While at it, declare deps on ENTROPY as well.

A non-regression test will be added in a follow-up commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-29 11:27:07 +02:00
Janos Follath
0af1560919
Merge pull request #3305 from gilles-peskine-arm/psa-asymmetric-adjectives
PSA: Fix copypasta and align terminology about asymmetric encryption
2020-05-29 08:15:11 +01:00
Nicola Di Lieto
5659e7e889 Add opaque context to mbedtls_x509_crt_ext_cb_t
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 23:41:38 +02:00
Nicola Di Lieto
17bb60c0f1 Tests for mbedtls_x509_crt_parse_der_with_ext_cb
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 23:20:47 +02:00
Nicola Di Lieto
5f6ebdebdb Fix wrong parameter name in comment
Detected by Travis
https://travis-ci.org/github/ARMmbed/mbedtls/jobs/692213150

/home/travis/build/ARMmbed/mbedtls/include/mbedtls/x509_crt.h:333:
warning: argument 'make_copy' of command @param is not found in the
argument list of mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt
*chain, const unsigned char *buf, size_t buflen, int no_copy,
mbedtls_x509_crt_ext_cb_t cb)

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 23:20:46 +02:00
Nicola Di Lieto
2c3a917393 Minor style improvement
Co-authored-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 23:20:46 +02:00
Dan Handley
a8b26c2ae4 Enable branch coverage in basic_build_test.sh
Enable branch coverage output in basic_build_test.sh. This
includes enabling branch coverage output to the lcov make target,
which is disabled by default.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-05-28 17:51:46 +01:00
Gilles Peskine
eca95db763 Finish the documentation of normalize_path
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-05-28 18:19:20 +02:00
Hugues de Valon
235c72d3cb Generate PSA constant names in CMake build dir
This commit modifies the generate_psa_constants.py script to take as
input argument the location of where to write the
psa_constant_names_generated.c file.
For make-based build system, this commit does not change anything.
For CMake build system, this commit modifies the generation location of
that file to be inside the build directory and include it from there in
psa_constant_names.c

Fix #3365

Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
2020-05-28 16:51:21 +01:00
Nicola Di Lieto
4dbe5676af mbedtls_x509_crt_parse_der_with_ext_cb enhancement
added make_copy parameter as suggested in
https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r431233555

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 17:17:27 +02:00
Nicola Di Lieto
fae25a13d9 mbedtls_x509_crt_ext_cb_t definition changed
As suggested in
https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r431238005

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 17:17:27 +02:00
Nicola Di Lieto
fde98f7773 Rename mbedtls_x509_crt_parse_der_ext
new name: mbedtls_x509_crt_parse_der_with_ext_cb

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 17:17:27 +02:00
ndilieto
6e24980cc6 Minor style and documentation improvements
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-05-28 17:17:27 +02:00
Hanno Becker
b54094bd7c Fix copy-pasta in TLS 1.3 record protection unit test names
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 15:41:44 +01:00
Gilles Peskine
6147e86e5d
Merge pull request #3350 from gilles-peskine-arm/error-include-asn1-development
Include asn1.h in error.c
2020-05-28 15:09:20 +02:00
Jonas
b246214ade Fix Changelag PR number and uniformize code when prng fails
Signed-off-by: Jonas <jonas.lejeune4420@gmail.com>
2020-05-28 20:02:40 +09:00
Hanno Becker
a0c65d84da Update version_features.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
e683287710 Adapt SSL record protection unit test to setup TLS 1.3 transforms
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
f93c2d7ca5 Add support for TLS 1.3 record protection to ssl_populate_transform()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
447558df12 Improve documentation of ssl_populate_transform()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
c0eefa8b92 Introduce helper function to retrieve explicit IV len for transform
The structure `mbedtls_ssl_transform` representing record protection
transformations should ideally be used through a function-based
interface only, as this will ease change of implementation as well
as the addition of new record protection routines in the future.

This commit makes a step in that direction by introducing the
helper function `ssl_transform_get_explicit_iv_len()` which
returns the size of the pre-expansion during record encryption
due to the potential addition of an explicit IV.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
17263803aa Simplify AEAD nonce derivation
This commit simplifies nonce derivation for AEAD based record protection
routines in the following way.

So far, code distinguished between the cases of GCM+CCM and ChachaPoly:

- In the case of GCM+CCM, the AEAD nonce is the concatentation
  of a 4-byte Fixed IV and a dynamically chosen 8-byte IV which is prepended
  to the record. In Mbed TLS, this is always chosen to be the record sequence
  number, but it need not to.

- In the case of ChaChaPoly, the AEAD nonce is derived as

    `( 12-byte Fixed IV ) XOR ( 0 || 8-byte dynamic IV == record seq nr )`

  and the dynamically chosen IV is no longer prepended to the record.

This commit removes this distinction by always computing the record nonce
via the formula

  `IV == ( Fixed IV || 0 ) XOR ( 0 || Dynamic IV )`

The ChaChaPoly case is recovered in case `Len(Fixed IV) == Len(IV)`, and
GCM+CCM is recovered when `Len(IV) == Len(Fixed IV) + Len(Dynamic IV)`.

Moreover, a getter stub `ssl_transform_aead_dynamic_iv_is_explicit()`
is introduced which infers from a transform whether the dynamically
chosen part of the IV is explicit, which in the current implementation
of `mbedtls_ssl_transform` can be derived from the helper field
`mbedtls_ssl_transform::fixed_ivlen`.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
df8be226ba TLS record protection: Add helper function for nonce derivation
The computation of the per-record nonce for AEAD record protection
varies with the AEAD algorithm and the TLS version in use.
This commit introduces a helper function for the nonce computation
to ease readability of the quite monolithic record encrytion routine.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
bd5ed1d11b TLS record protection: Add explicit IV after record protection.
The previous record protection code added the explicit part of the
record nonce prior to encrypting the record. This temporarily leaves
the record structure in the undesireable state that the data outsie
of the interval `rec->data_offset, .., rec->data_offset + rec->data_len`
has already been written.

This commit moves the addition of the explicit IV past record encryption.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
1cb6c2a69d TLS record protection: Rewrite AAD setup and add case of TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
81f3662ae8 Update query_config.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
9231340d71 Improve documentation of (D)TLSInnerPlaintext handling
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
3c358d4e12 Improve documentation of MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
e41606001b Disable experimental TLS 1.3 features in default config
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
b2713abb8f Enhance record encryption unit tests by checking hidden content type
TLS 1.3 and DTLS 1.2 + CID hide the real content type of a record
within the record's inner plaintext, while always using the same
content type for the protected record:
- TLS 1.3 always uses ApplicationData
- DTLS 1.2 + CID always uses a special CID content type.

This commit enhances the record encryption unit test to check
that the record content type is indeed correctly hidden.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
3169dad48b Add unit tests for TLS 1.3 record encryption
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
ccc13d03c3 TLS 1.3: Implement TLSInnerPlaintext parsing/building
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
7d343ecf06 Add note on inner plaintext parsing to ssl_transform documentation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
581bc1b908 Remove ref to CID from inner plaintext parsing/building functions
The internal functions

  `ssl_cid_{build/parse}_inner_plaintext()`

implement the TLSInnerPlaintext mechanism used by DTLS 1.2 + CID
in order to allow for flexible length padding and to protect the
true content type of a record.

This feature is also present in TLS 1.3 support for which is under
development. As a preparatory step towards sharing the code between
the case of DTLS 1.2 + CID and TLS 1.3, this commit renames

   `ssl_cid_{build/parse}_inner_plaintext()`

to

   `ssl_{build/parse}_inner_plaintext()`.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
2ab47dc5cd Add internal version identifier for TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
a711f6e277 Add 'build+unit test' test for experimental TLS 1.3 code to all.sh
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Hanno Becker
9fc15ea4cc Introduce config option for experimental TLS 1.3 specific features
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
Gilles Peskine
30e0bb4a24 Run assemble_changelog.py in all.sh
Avoid nasty surprises where it would fail when we want to make a release.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-05-27 21:55:10 +02:00