Commit Graph

8560 Commits

Author SHA1 Message Date
Hanno Becker
f122944b7d Remove code from ssl_derive_keys if relevant modes are not enabled
This commit guards code specific to AEAD, CBC and stream cipher modes
in `ssl_derive_keys` by the respective configuration flags, analogous
to the guards that are already in place in the record decryption and
encryption functions `ssl_decrypt_buf` resp. `ssl_decrypt_buf`.
2019-04-29 12:14:51 +02:00
Hanno Becker
4c6876b134 Provide standalone version of ssl_decrypt_buf
Analogous to the previous commit, but concerning the record decryption
routine `ssl_decrypt_buf`.

An important change regards the checking of CBC padding:
Prior to this commit, the CBC padding check always read 256 bytes at
the end of the internal record buffer, almost always going past the
boundaries of the record under consideration. In order to stay within
the bounds of the given record, this commit changes this behavior by
always reading the last min(256, plaintext_len) bytes of the record
plaintext buffer and taking into consideration the last `padlen` of
these for the padding check. With this change, the memory access
pattern and runtime of the padding check is entirely determined by
the size of the encrypted record, in particular not giving away
any information on the validity of the padding.

The following depicts the different behaviors:

1) Previous CBC padding check

1.a) Claimed padding length <= plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

                                +------------------------------------...
                                |  read for padding check            ...
                                +------------------------------------...
                                                |
                                                 contents discarded
                                                 from here

1.b) Claimed padding length > plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer              | PL |
  +----------------------------------------+----+
                                           +-------------------------...
                                           |  read for padding check ...
                                           +-------------------------...
                                                |
                                                 contents discarded
                                                 from here

2) New CBC padding check

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

        +---------------------------------------+
        |        read for padding check         |
        +---------------------------------------+
                                |
                                 contents discarded
                                 until here
2019-04-29 12:13:25 +02:00
Hanno Becker
3307b53413 Provide standalone version of ssl_encrypt_buf
The previous version of the record encryption function
`ssl_encrypt_buf` takes the entire SSL context as an argument,
while intuitively, it should only depend on the current security
parameters and the record buffer.

Analyzing the exact dependencies, it turned out that in addition
to the currently active `ssl_transform` instance and the record
information, the encryption function needs access to
- the negotiated protocol version, and
- the status of the encrypt-then-MAC extension.

This commit moves these two fields into `ssl_transform` and
changes the signature of `ssl_encrypt_buf` to only use an instance
of `ssl_transform` and an instance of the new `ssl_record` type.
The `ssl_context` instance is *solely* kept for the debugging macros
which need an SSL context instance.

The benefit of the change is twofold:
1) It avoids the need of the MPS to deal with instances of
   `ssl_context`. The MPS should only work with records and
   opaque security parameters, which is what the change in
   this commit makes progress towards.
2) It significantly eases testing of the encryption function:
   independent of any SSL context, the encryption function can
   be passed some record buffer to encrypt alongside some arbitrary
   choice of parameters, and e.g. be checked to not overflow the
   provided memory.
2019-04-29 10:58:15 +02:00
Hanno Becker
4a5eeaee2e Improve documentation of mbedtls_ssl_transform 2019-04-29 10:37:01 +02:00
Hanno Becker
9d2e4b4742 Add structure representing TLS records
This commit adds a structure `mbedtls_record` whose instances
represent (D)TLS records. This structure will be used in the
subsequent adaptions of the record encryption and decryption
routines `ssl_decrypt_buf` and `ssl_encrypt_buf`, which currently
take the entire SSL context as input, but should only use the
record to be acted on as well as the record transformation to use.
2019-04-29 10:36:44 +02:00
Hanno Becker
b628a80b76 Fix definition of SSL_SOME_MODES_USE_MAC
The previous definition was lacking the case of the ARIA and DES ciphers.
2019-04-29 10:36:26 +02:00
Hanno Becker
5cc04d5ae7 Correct space needed for MAC in case of NULL cipher
The macro constant `MBEDTLS_SSL_MAC_ADD` defined in `ssl_internal.h`
defines an upper bound for the amount of space needed for the record
authentication tag. Its definition distinguishes between the
presence of an ARC4 or CBC ciphersuite suite, in which case the maximum
size of an enabled SHA digest is used; otherwise, `MBEDTLS_SSL_MAC_ADD`
is set to 16 to accomodate AEAD authentication tags.

This assignment has a flaw in the situation where confidentiality is
not needed and the NULL cipher is in use. In this case, the
authentication tag also uses a SHA digest, but the definition of
`MBEDTLS_SSL_MAC_ADD` doesn't guarantee enough space.

The present commit fixes this by distinguishing between the presence
of *some* ciphersuite using a MAC, including those using a NULL cipher.
For that, the previously internal macro `SSL_SOME_MODES_USE_MAC` from
`ssl_tls.c` is renamed and moved to the public macro
`MBEDTLS_SOME_MODES_USE_MAC` defined in `ssl_internal.h`.
2019-04-29 10:36:09 +02:00
Hanno Becker
8759e16242 Remove ciphersuite_info from ssl_transform
Prior to this commit, the security parameter struct `ssl_transform`
contained a `ciphersuite_info` field pointing to the information
structure for the negotiated ciphersuite. However, the only
information extracted from that structure that was used in the core
encryption and decryption functions `ssl_encrypt_buf`/`ssl_decrypt_buf`
was the authentication tag length in case of an AEAD cipher.

The present commit removes the `ciphersuite_info` field from the
`ssl_transform` structure and adds an explicit `taglen` field
for AEAD authentication tag length.

This is in accordance with the principle that the `ssl_transform`
structure should contain the raw parameters needed for the record
encryption and decryption functions to work, but not the higher-level
information that gave rise to them. For example, the `ssl_transform`
structure implicitly contains the encryption/decryption keys within
their cipher contexts, but it doesn't contain the SSL master or
premaster secrets. Likewise, it contains an explicit `maclen`, while
the status of the 'Truncated HMAC' extension -- which  determines the
value of `maclen` when the `ssl_transform` structure is created in
`ssl_derive_keys` -- is not contained in `ssl_transform`.

The `ciphersuite_info` pointer was used in other places outside
the encryption/decryption functions during the handshake, and for
these functions to work, this commit adds a `ciphersuite_info` pointer
field to the handshake-local `ssl_handshake_params` structure.
2019-04-29 10:36:01 +02:00
Hanno Becker
e7f2df03a3 Remove key length field from ssl_transform
The `ssl_transform` security parameter structure contains opaque
cipher contexts for use by the record encryption/decryption functions
`ssl_decrypt_buf`/`ssl_encrypt_buf`, while the underlying key material
is configured once in `ssl_derive_keys` and is not explicitly dealt with
anymore afterwards. In particular, the key length is not needed
explicitly by the encryption/decryption functions but is nonetheless
stored in an explicit yet superfluous `keylen` field in `ssl_transform`.
This commit removes this field.
2019-04-29 09:32:08 +02:00
Simon Butcher
7326bc8577
Merge pull request #2524 from hanno-arm/baremetal_config
[Baremetal] Introduce baremetal config and scripts to measure memory usage
2019-04-12 17:19:40 +01:00
Hanno Becker
224eb0c53b Use AES-128 instead of AES-256 in baremetal ciphersuite 2019-04-10 12:24:10 +01:00
Hanno Becker
7f6e808212 Remove uninitialized variable error in baremetal.sh 2019-04-03 13:48:09 +01:00
Hanno Becker
b4d8fab27e Rename generate_codesize_stats.sh to extract_codesize_stats.sh 2019-04-03 13:46:27 +01:00
Hanno Becker
275e5bfb9b Remove TODO from configs/baremetal.h 2019-04-03 13:39:31 +01:00
Hanno Becker
1373724166 Add static callgraph output to baremetal.sh --ram --stack 2019-04-03 12:17:20 +01:00
Hanno Becker
e6c3c7f52c Correct ECP optimization params in baremetal_test.sh 2019-04-03 12:04:32 +01:00
Hanno Becker
c7c20817dc Measure stack usage in baremetal script
So far, `baremetal.sh --ram --stack` ran `callgrind` to extract
a call stack in an example run of ssl_client2 and ssl_server2.
This, however, needs to be complemented with per-function stack
usage to be able to extract the maximum stack usage.

This commit adds `-fstack-usage` to the CFLAGS used when building
the library in `baremetal.sh --ram` runs, which generates *.su
files indicating the stack usage of individual functions.
2019-04-03 12:04:26 +01:00
Hanno Becker
7a097859c5 Correct usage instructions for baremetal script 2019-04-03 11:55:40 +01:00
Hanno Becker
a778959572 Don't ignore I/O and ECP heap usage in baremetal script 2019-04-03 11:31:54 +01:00
Hanno Becker
5541e4ecde Add usage instructions to baremetal heap+stack usage function 2019-04-03 11:31:43 +01:00
Hanno Becker
085ab567ae Optimize baremetal ECP configuration 2019-04-03 11:31:31 +01:00
Hanno Becker
43fa8d645b Add scripts to build, test and measure baremetal configuration 2019-03-21 15:09:41 +00:00
Hanno Becker
abc22b780f Add baremetal configuration to configs folder
This commit adds a minimal test configuration `baremetal.h` to the `configs`
folder supporting ECDHE-ECDSA-AES-CCM-8 with Secp256R1 and SHA-256 only.

The configuration lacks some options which are currently needed to
successfully build and run the example applications `ssl_client2`
and `ssl_server2`, such as `MBEDTLS_NET_C`. To still allow testing
a configuration close to `baremetal.h`, the commit also adds
`baremetal_test.h`, containing minimal amendments to `baremetal.h`
that allow building and running `ssl_client2` and `ssl_server2`.
2019-03-19 15:12:29 +00:00
Jaeden Amero
cef29a2fd0 Merge remote-tracking branch 'origin/pr/2401' into mbedtls-2.16
* origin/pr/2401:
  Add ChangeLog entry
  Fix private DER output shifted by one byte.
2019-03-05 16:37:13 +00:00
Jaeden Amero
b0abd1c84f Merge remote-tracking branch 'origin/pr/2388' into mbedtls-2.16
* origin/pr/2388:
  Update change log
  all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1
  Fix DEADCODE in mbedtls_mpi_exp_mod()
2019-03-05 16:34:40 +00:00
Jaeden Amero
6b79a1115e Merge remote-tracking branch 'origin/pr/2293' into mbedtls-2.16
* origin/pr/2293:
  Declare test_suite_aes.ofb to CMake
  Add a facility to skip running some test suites
  run-test-suites: update the documentation
2019-03-05 16:31:02 +00:00
Jaeden Amero
203123b5b7 Merge remote-tracking branch 'origin/pr/1818' into mbedtls-2.16
* origin/pr/1818:
  Move ChangeLog entry from Bugfix to Changes section
  Adapt ChangeLog
  Return from debugging functions if SSL context is unset
2019-03-05 16:28:18 +00:00
Jaeden Amero
daed232dd7 Merge remote-tracking branch 'origin/pr/2436' into mbedtls-2.16
* origin/pr/2436:
  Use certificates from data_files and refer them
  Specify server certificate to use in SHA-1 test
  refactor CA and SRV certificates into separate blocks
  refactor SHA-1 certificate defintions and assignment
  refactor server SHA-1 certificate definition into a new block
  define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME
  server SHA-256 certificate now follows the same logic as CA SHA-256 certificate
  add entry to ChangeLog
2019-03-05 16:26:34 +00:00
Simon Butcher
799cd57c72 Merge remote-tracking branch 'restricted/pr/550' into mbedtls-2.16
* restricted/pr/550:
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
2019-03-01 13:05:43 +00:00
Simon Butcher
e6a3f57898 Merge remote-tracking branch 'public/pr/2429' into mbedtls-2.16
* public/pr/2429:
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for ASN.1 bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Fix ASN1 bitstring writing
2019-03-01 13:04:04 +00:00
Simon Butcher
3664fdb5f6 Merge remote-tracking branch 'public/pr/2449' into mbedtls-2.16
* public/pr/2449:
  Reword changelog entry
  Reenable GnuTLS next based tests
2019-03-01 13:01:54 +00:00
Manuel Pégourié-Gonnard
2eee0c3166 Update query_config.c 2019-03-01 10:30:30 +01:00
Manuel Pégourié-Gonnard
f1e62e8e1e Fix failure in SSLv3 per-version suites test
The test used 3DES as the suite for SSLv3, which now makes the handshake fails
with "no ciphersuite in common", failing the test as well. Use Camellia
instead (as there are not enough AES ciphersuites before TLS 1.2 to
distinguish between the 3 versions).

Document some dependencies, but not all. Just trying to avoid introducing new
issues by using a new cipher here, not trying to make it perfect, which is a
much larger task out of scope of this commit.
2019-03-01 10:30:11 +01:00
Andres Amaya Garcia
37e0a8c455 Adjust DES exclude lists in test scripts 2019-03-01 10:30:11 +01:00
Andres Amaya Garcia
03afdc0971 Clarify 3DES changes in ChangeLog 2019-03-01 10:30:11 +01:00
Andres Amaya Garcia
7c86e9a03e Fix documentation for 3DES removal 2019-03-01 10:29:49 +01:00
Andres Amaya Garcia
ac9c5221c5 Exclude 3DES tests in test scripts 2019-03-01 10:29:49 +01:00
Andres Amaya Garcia
6882ec1521 Fix wording of ChangeLog and 3DES_REMOVE docs 2019-03-01 10:29:49 +01:00
Andres Amaya Garcia
5d8aade01d Reduce priority of 3DES ciphersuites 2019-03-01 10:29:13 +01:00
Jaeden Amero
2c1d492ccc Merge remote-tracking branch 'origin/pr/2428' into mbedtls-2.16 2019-02-22 12:53:27 +00:00
Jaeden Amero
c5b57ef9e0 Merge remote-tracking branch 'origin/pr/2412' into mbedtls-2.16 2019-02-21 12:01:50 +00:00
Jaeden Amero
0981db57e1 Merge remote-tracking branch 'origin/pr/2385' into mbedtls-2.16 2019-02-21 11:58:58 +00:00
Jaeden Amero
fe50335a1f Merge remote-tracking branch 'origin/pr/2389' into mbedtls-2.16 2019-02-21 11:53:51 +00:00
k-stachowiak
b4595d2527 Reword changelog entry 2019-02-19 12:41:30 +01:00
k-stachowiak
abb843e8ae Reenable GnuTLS next based tests 2019-02-18 16:14:03 +01:00
Ron Eldor
e900969cb5 Use certificates from data_files and refer them
Use the server certificate from `data_files` folder, for formality,
and refer to the source, for easier reproduction.
2019-02-12 17:10:29 +02:00
Ron Eldor
b76e765f2e Specify server certificate to use in SHA-1 test
Specify the SHA-1 server certificate to use in the SHA-1 test,
because now the default certificates use SHA256 certificates.
2019-02-12 17:10:28 +02:00
ILUXONCHIK
a51f4c737b refactor CA and SRV certificates into separate blocks 2019-02-12 17:10:28 +02:00
ILUXONCHIK
ecc6c13655 refactor SHA-1 certificate defintions and assignment
As per refactoring suggestion that I made in #1520.
2019-02-12 17:10:28 +02:00
ILUXONCHIK
5f97b32b63 refactor server SHA-1 certificate definition into a new block 2019-02-12 17:10:28 +02:00