Commit Graph

10412 Commits

Author SHA1 Message Date
Simon Butcher
e501c8d308 Merge remote-tracking branch 'origin/pr/644' into baremetal 2019-09-07 12:34:46 +01:00
Jaeden Amero
04a049bda1 Merge remote-tracking branch 'origin/pr/2823' into mbedtls-2.16
* origin/pr/2823:
  Bump version to Mbed TLS 2.16.3
2019-09-06 13:35:30 +01:00
Jaeden Amero
fcb8711f6f Bump version to Mbed TLS 2.16.3 2019-09-06 13:27:00 +01:00
Hanno Becker
d5cfe6fbd0 Use native DTLS version encoding if only DTLS is enabled
This commit changes the internal identifiers

  MBEDTLS_SSL_MINOR_VERSION_XXX

in DTLS-only builds to match the version encoding used by the
DTLS standard, encoding DTLS 1.0 as 255 and DTLS 1.2 as DTLS 1.0.
Accordingly, the version comparison functions introduced in the
previous commit must be re-implemented, as older version have
_larger_ identifiers now.

Further, since we identify DTLS 1.0 as MBEDTLS_SSL_MINOR_VERSION_2
and DTLS 1.2 as MBEDTLS_SSL_MINOR_VERSION_3, what remains is to
define MBEDTLS_SSL_MINOR_VERSION_{0|1}. While these don't have any
meaning meaning in DTLS, they still need to be set and obey the
ordering in the sense that the version comparison functions '<='
should attest that

  MBEDTLS_SSL_MINOR_VERSION_i '<=' MBEDTLS_SSL_MINOR_VERSION_j

for i <= j. Since '<=' is actually >= and the wire format value
for DTLS 1.0 == MBEDTLS_SSL_MINOR_VERSION_2 is the 255, this
forces us to use values beyond 255, and hence to extend the
storage type for minor versions from uint8_t to uint16_t.
2019-09-06 10:35:41 +01:00
Teppo Järvelin
f69e641e03 Changed x509_internal.h methods as static.
Moved some functions under defined to get rid of compiler warnings.
Functions moved under defines:
 - mbedtls_x509_get_alg
 - mbedtls_x509_get_alg_null
 - mbedtls_x509_get_time
 - mbedtls_x509_get_ext
 - mbedtls_x509_sig_alg_gets
 - mbedtls_x509_key_size_helper

Left one function (mbedtls_x509_write_names) as non static as it increased code size.
2019-09-06 10:03:36 +03:00
Teppo Järvelin
c3e5716aaf Some minor struct optimizations. 2019-09-06 07:58:36 +03:00
Jaeden Amero
89408672eb Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Changelog entry
  Check for zero length and NULL buffer pointer
  ssl-opt.sh: wait for proxy to start before running the script further
  Adapt ChangeLog
  Fix mpi_bigendian_to_host() on bigendian systems
2019-09-05 18:14:55 +01:00
Hanno Becker
7bcf2b5875 Introduce version comparing functions
This zero-cost abstraction allows to change the internal encoding
of TLS/DTLS versions in the future.
2019-09-05 17:37:55 +01:00
Jaeden Amero
c3bfb20a41 Merge remote-tracking branch 'origin/pr/2645' into mbedtls-2.16
* origin/pr/2645:
  Adapt ChangeLog
  Fix mpi_bigendian_to_host() on bigendian systems
2019-09-05 17:37:13 +01:00
Jaeden Amero
71db1de226 Merge remote-tracking branch 'origin/pr/2793' into mbedtls-2.16
* origin/pr/2793:
  Changelog entry
  Check for zero length and NULL buffer pointer
2019-09-05 15:57:34 +01:00
Hanno Becker
963d49f79a ssl-opt.sh: Remove now-redundant explicit DTLS dependencies
Dependencies on DTLS are now auto-detected from the command line.
2019-09-05 14:55:56 +01:00
Hanno Becker
a43f85c9b2 ssl-opt.sh: Auto-skip tests depending on DTLS 2019-09-05 14:51:20 +01:00
Hanno Becker
fcda6ddae1 Fixup: Correct typo in DTLS only component of all.sh 2019-09-05 14:50:00 +01:00
Jaeden Amero
f09a120b08 Merge remote-tracking branch 'origin/pr/2817' into mbedtls-2.16
* origin/pr/2817:
  ssl-opt.sh: wait for proxy to start before running the script further
2019-09-05 14:24:39 +01:00
Hanno Becker
baac25d2bf Add DTLS-only build + test to all.sh 2019-09-05 13:57:01 +01:00
Hanno Becker
73b72d1890 ssl-opt.sh: Auto-skip tests using TLS if TLS is disabled 2019-09-05 13:57:01 +01:00
Hanno Becker
d016e44e3c Baremetal config: Remove deprecated functions
This doesn't make a difference after link time optimization
because they aren't used, but it yields more accurate code-size
figures from baremetal.sh.
2019-09-05 13:37:03 +01:00
Hanno Becker
fceba69c25 Baremetal config: Remove MBEDTLS_SSL_TICKETS_C
This doesn't make a difference after link time optimization because
tickets aren't used, but it yields more accurate code-size figures
from baremetal.sh.
2019-09-05 13:36:49 +01:00
Manuel Pégourié-Gonnard
0cfb6efad4 Add work-around for non-C99 compilers 2019-09-05 14:07:01 +02:00
Manuel Pégourié-Gonnard
8bf8f2ebde Improve documentation in config.h 2019-09-05 13:08:21 +02:00
Manuel Pégourié-Gonnard
c7abba3796 Use static inline function unconditionally
No need to play tricks with macros and functions depending on whether
SHA256_SMALLER is enabled or not, with a static inline function all common
compilers (tested with arm-gcc, armcc5, arm-clang) will Do The Right Thing
depending on whether we told them to optimize for size or speed.
2019-09-05 12:09:59 +02:00
Teppo Järvelin
30185bb82b struct optimization for mbedtls_record 2019-09-05 08:54:13 +03:00
Teppo Järvelin
22854511bb struct optimization for mbedtls_ssl_transform 2019-09-05 08:54:13 +03:00
Teppo Järvelin
d689a67af2 struct optimization for mbedtls_x509_crl 2019-09-05 08:54:13 +03:00
Teppo Järvelin
648fbbad8f struct optimization for mbedtls_ssl_context 2019-09-05 08:54:13 +03:00
Teppo Järvelin
1cd48143c3 struct optimization for mbedtls_ssl_handshake_params 2019-09-05 08:54:13 +03:00
Hanno Becker
d601854548 Fixup TinyCrypt Tests: Remove redundant guards 2019-09-04 16:19:49 +01:00
Hanno Becker
683d84a5d7 Fixup TinyCrypt PK parse: Correct function name in comment 2019-09-04 16:19:49 +01:00
Hanno Becker
f45d9da878 Fixup certs.c: Remove redundant TinyCrypt guard 2019-09-04 16:19:49 +01:00
Hanno Becker
d2929b5626 Fixup TinyCrypt PK wrap: Check TinyCrypt signature return code 2019-09-04 16:19:49 +01:00
Hanno Becker
96d34d57ec TinyCrypt PK Wrap: Remove dependency on ASN.1 writing
The TinyCrypt PK signature wrapper uses ASN.1 writing functions
for length and tag, accounting for the only dependency of the
baremetal build on ASN.1 writing.

Since all lengths to be encoded are below 128 Bytes and are hence
ASN.1 encoded as single Bytes, the dependency on ASN.1 writing can
be removed at low complexity by writing the length and tags directly.
2019-09-04 16:19:49 +01:00
Hanno Becker
1b82685dc9 Fixup debug.h and ssl_internal.h: Add missing include of ecdh.h
Previously, this wasn't necessary because ecdh.h was included
through ssl.h, but now that this is no longer the case (because
ssl.h doesn't use ECDH), we have to include it explicitly.
2019-09-04 16:19:49 +01:00
Hanno Becker
82a7a21982 Fixup: Correct inclusion of legacy ECP headers in ssl.h
Previously, ecp.h was included only if MBEDTLS_ECDH_C was set,
which broke the build in configurations using ECDSA, but not ECDH.
An example of such a config is configs/config-thread.h, which
uses ECJPAKE exclusively.

Moreover, the inclusion of ecdh.h isn't needed, because the header
only uses constants defined in the ECP module.
2019-09-04 16:19:49 +01:00
Hanno Becker
a007e0db47 baremetal.h: Use TinyCrypt curve identifier 2019-09-04 16:19:49 +01:00
Hanno Becker
fe08844bac TinyCrypt Test: Include ECDH and ECDHE-PSK in all.sh TinyCrypt test 2019-09-04 16:19:49 +01:00
Hanno Becker
6f212d0a16 TinyCrypt ECDH/ECDHE-PSK: Allow TinyCrypt-based ECDH and ECDHE-PSK 2019-09-04 16:19:49 +01:00
Hanno Becker
6f7680491b TinyCrypt ECDHE-PSK: Adapt dummy structure approximating PMS length 2019-09-04 16:19:49 +01:00
Hanno Becker
358b3006ee TinyCrypt ECDHE-PSK: Implement CliKeyExchange parsing 2019-09-04 16:19:49 +01:00
Hanno Becker
982da7ee0a TinyCrypt ECDHE-PSK: Implement mbedtls_ssl_psk_derive_premaster() 2019-09-04 16:19:49 +01:00
Hanno Becker
d91ede14c4 TinyCrypt ECDHE-PSK: Implement ClientKeyExchange writing 2019-09-04 16:19:49 +01:00
Hanno Becker
c7effc04c1 TinyCrypt SSL: Extend scope use of TC in CliKeyExchange writing
Extend scope of TC in ECDH-param extraction from CRT

Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the writing of the ClientKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
7352bd141e TinyCrypt SSL: Extend scope of SrvKeyExchange parsing
Extend scope of TC in ECDH-param extraction from CRT

Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the parsing of the ServerKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
40ee0d450d Fixup: Correct #else and #endif comments in SrvKeyExch writing 2019-09-04 16:19:49 +01:00
Hanno Becker
b42e2388ff TinyCrypt SSL: Extend scope of CliKeyExchange parsing
Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the parsing of the ClientKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
8ea7da2250 TinyCrypt SSL: Extend scope of TC-based SrvKeyExch writing
Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the writing of the ServerKeyExchange message.
2019-09-04 16:19:49 +01:00
Hanno Becker
b3a244847d TinyCrypt SSL: Impl. ECDH-param extraction from CRT for TinyCrypt 2019-09-04 16:19:49 +01:00
Hanno Becker
ecf5d3fdb1 TinyCrypt SSL: Extend scope of use of TC in PMS derivation
Extend scope of TC in ECDH-param extraction from CRT

Previously, TinyCrypt was only used for ECDHE-ECDSA/RSA ciphersuites.
This commit is a step towards using it for _all_ ciphersuites involving
ECDHE (specifically: ECDHE, ECDHE-PSK, static ECDH), extending the scope
of the use of TinyCrypt in the assembly of the PMS.
2019-09-04 16:19:49 +01:00
Hanno Becker
8b3408f1a8 TinyCrypt Test: Run ssl-opt.sh without restrictions
Previously, the TinyCrypt component in all.sh restricted the ssl-opt.sh
to the 'Default, DTLS' test, due to implicit dependencies on Secp384r1.
These dependencies are now explicit and ssl-opt.sh skips corresponding
tests accordingly, so we can introduce a full run of ssl-opt.sh into
the TinyCrypt test in all.sh.
2019-09-04 16:19:49 +01:00
Hanno Becker
69c6cde728 ssl-opt.sh: Detect use of CRTs using Secp384R1 and potentially skip
This commit modifies ssl-opt.sh to autodetect the use of test certificates
server5.* server6.* test-ca2.* using Secp384r1, and skips the corresponding
tests if MBEDTLS_ECP_DP_SECP384R1_ENABLED isn't set.
2019-09-04 16:19:49 +01:00
Hanno Becker
6b2b22164c depends-pkalgs.pl: Unset all EC curves when testing !MBEDTLS_ECP_C 2019-09-04 16:19:49 +01:00