mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 21:25:38 +01:00

History

Hanno Becker 961e677fe3 UDP proxy: Don't attempt to dissect dgram into records when dropping To prevent dropping the same message over and over again, the UDP proxy test application programs/test/udp_proxy _logically_ maintains a mapping from records to the number of times the record has already been dropped, and stops dropping once a configurable threshold (currently 2) is passed. However, the actual implementation deviates from this logical view in two crucial respects: - To keep the implementation simple and independent of implementations of suitable map interfaces, it only counts how many times a record of a given _size_ has been dropped, and stops dropping further records of that size once the configurable threshold is passed. Of course, this is not fail-proof, but a good enough approximation for the proxy, and it allows to use an inefficient but simple array for the required map. - The implementation mixes datagram lengths and record lengths: When deciding whether it is allowed to drop a datagram, it uses the total datagram size as a lookup index into the map counting the number of times a package has been dropped. However, when updating this map, the UDP proxy traverses the datagram record by record, and updates the mapping at the level of record lengths. Apart from this inconsistency, the introduction of the Connection ID feature leads to yet another problem: The CID length is not part of the record header but dynamically negotiated during (potentially encrypted!) handshakes, and it is hence impossible for a passive traffic analyzer (in this case our UDP proxy) to reliably parse record headers; especially, it isn't possible to reliably infer the length of a record, nor to dissect a datagram into records. The previous implementation of the UDP proxy was not CID-aware and assumed that the record length would always reside at offsets 11, 12 in the DTLS record header, which would allow it to iterate through the datagram record by record. As mentioned, this is no longer possible for CID-based records, and the current implementation can run into a buffer overflow in this case (because it doesn't validate that the record length is not larger than what remains in the datagram). This commit removes the inconsistency in datagram vs. record length and resolves the buffer overflow issue by not attempting any dissection of datagrams into records, and instead only counting how often _datagrams_ of a particular size have been dropped. There is only one practical situation where this makes a difference: If datagram packing is used by default but disabled on retransmission (which OpenSSL has been seen to do), it can happen that we drop a datagram in its initial transmission, then also drop some of its records when they retransmitted one-by-one afterwards, yet still keeping the drop-counter at 1 instead of 2. However, even in this situation, we'll correctly count the number of droppings from that point on and eventually stop dropping, because the peer will not fall back to using packing and hence use stable record lengths.		2019-06-13 11:09:35 +01:00
..
aes	Merge development commit `8e76332` into development-psa	2019-01-31 08:20:20 -05:00
hash	Merge development commit `8e76332` into development-psa	2019-01-31 08:20:20 -05:00
pkey	Merge remote-tracking branch 'origin/pr/2239' into development	2019-03-05 16:35:48 +00:00
random	Merge development commit `8e76332` into development-psa	2019-01-31 08:20:20 -05:00
ssl	Remove superfluous new line in ssl_server2	2019-06-03 16:07:50 +01:00
test	UDP proxy: Don't attempt to dissect dgram into records when dropping	2019-06-13 11:09:35 +01:00
util	Merge development commit `8e76332` into development-psa	2019-01-31 08:20:20 -05:00
x509	Merge remote-tracking branch 'public/pr/2421' into development	2019-03-01 12:46:07 +00:00
.gitignore	Create programs/test/query_compile_time_config app	2019-02-07 10:38:22 +00:00
CMakeLists.txt	- Added missing subdirectory line for util	2012-09-25 08:19:18 +00:00
Makefile	Force the usage of crypto submodule	2019-05-23 03:01:35 -04:00
README.md	Remove ssl_cert_test sample app	2019-04-07 16:49:18 +03:00
wince_main.c	Change main license to Apache 2.0	2015-09-04 14:21:07 +02:00

README.md

Mbed TLS sample programs

This subdirectory mostly contains sample programs that illustrate specific features of the library, as well as a few test and support programs.

Symmetric cryptography (AES) examples

aes/aescrypt2.c: file encryption and authentication with a key derived from a low-entropy secret, demonstrating the low-level AES interface, the digest interface and HMAC.
Warning: this program illustrates how to use low-level functions in the library. It should not be taken as an example of how to build a secure encryption mechanism. To derive a key from a low-entropy secret such as a password, use a standard key stretching mechanism such as PBKDF2 (provided by the pkcs5 module). To encrypt and authenticate data, use a standard mode such as GCM or CCM (both available as library module).
aes/crypt_and_hash.c: file encryption and authentication, demonstrating the generic cipher interface and the generic hash interface.

Hash (digest) examples

hash/generic_sum.c: file hash calculator and verifier, demonstrating the message digest (md) interface.
hash/hello.c: hello-world program for MD5.

Public-key cryptography examples

Generic public-key cryptography (`pk`) examples

pkey/gen_key.c: generates a key for any of the supported public-key algorithms (RSA or ECC) and writes it to a file that can be used by the other pk sample programs.
pkey/key_app.c: loads a PEM or DER public key or private key file and dumps its content.
pkey/key_app_writer.c: loads a PEM or DER public key or private key file and writes it to a new PEM or DER file.
pkey/pk_encrypt.c, pkey/pk_decrypt.c: loads a PEM or DER public/private key file and uses the key to encrypt/decrypt a short string through the generic public-key interface.
pkey/pk_sign.c, pkey/pk_verify.c: loads a PEM or DER private/public key file and uses the key to sign/verify a short string.

ECDSA and RSA signature examples

pkey/ecdsa.c: generates an ECDSA key, signs a fixed message and verifies the signature.
pkey/rsa_encrypt.c, pkey/rsa_decrypt.c: loads an RSA public/private key and uses it to encrypt/decrypt a short string through the low-level RSA interface.
pkey/rsa_genkey.c: generates an RSA key and writes it to a file that can be used with the other RSA sample programs.
pkey/rsa_sign.c, pkey/rsa_verify.c: loads an RSA private/public key and uses it to sign/verify a short string with the RSA PKCS#1 v1.5 algorithm.
pkey/rsa_sign_pss.c, pkey/rsa_verify_pss.c: loads an RSA private/public key and uses it to sign/verify a short string with the RSASSA-PSS algorithm.

Diffie-Hellman key exchange examples

pkey/dh_client.c, pkey/dh_server.c: secure channel demonstrators (client, server). This pair of programs illustrates how to set up a secure channel using RSA for authentication and Diffie-Hellman to generate a shared AES session key.
pkey/ecdh_curve25519.c: demonstration of a elliptic curve Diffie-Hellman (ECDH) key agreement.

Bignum (`mpi`) usage examples

pkey/dh_genprime.c: shows how to use the bignum (mpi) interface to generate Diffie-Hellman parameters.
pkey/mpi_demo.c: demonstrates operations on big integers.

Random number generator (RNG) examples

random/gen_entropy.c: shows how to use the default entropy sources to generate random data.
Note: most applications should only use the entropy generator to seed a cryptographic pseudorandom generator, as illustrated by random/gen_random_ctr_drbg.c.
random/gen_random_ctr_drbg.c: shows how to use the default entropy sources to seed a pseudorandom generator, and how to use the resulting random generator to generate random data.
random/gen_random_havege.c: demonstrates the HAVEGE entropy collector.

SSL/TLS examples

SSL/TLS sample applications

ssl/dtls_client.c: a simple DTLS client program, which sends one datagram to the server and reads one datagram in response.
ssl/dtls_server.c: a simple DTLS server program, which expects one datagram from the client and writes one datagram in response. This program supports DTLS cookies for hello verification.
ssl/mini_client.c: a minimalistic SSL client, which sends a short string and disconnects. This is primarily intended as a benchmark; for a better example of a typical TLS client, see ssl/ssl_client1.c.
ssl/ssl_client1.c: a simple HTTPS client that sends a fixed request and displays the response.
ssl/ssl_fork_server.c: a simple HTTPS server using one process per client to send a fixed response. This program requires a Unix/POSIX environment implementing the fork system call.
ssl/ssl_mail_client.c: a simple SMTP-over-TLS or SMTP-STARTTLS client. This client sends an email with fixed content.
ssl/ssl_pthread_server.c: a simple HTTPS server using one thread per client to send a fixed response. This program requires the pthread library.
ssl/ssl_server.c: a simple HTTPS server that sends a fixed response. It serves a single client at a time.

SSL/TLS feature demonstrators

Note: unlike most of the other programs under the programs/ directory, these two programs are not intended as a basis for writing an application. They combine most of the features supported by the library, and most applications require only a few features. To write a new application, we recommended that you start with ssl_client1.c or ssl_server.c, and then look inside ssl/ssl_client2.c or ssl/ssl_server2.c to see how to use the specific features that your application needs.

ssl/ssl_client2.c: an HTTPS client that sends a fixed request and displays the response, with options to select TLS protocol features and Mbed TLS library features.
ssl/ssl_server2.c: an HTTPS server that sends a fixed response, with options to select TLS protocol features and Mbed TLS library features.

In addition to providing options for testing client-side features, the ssl_client2 program has options that allow you to trigger certain behaviors in the server. For example, there are options to select ciphersuites, or to force a renegotiation. These options are useful for testing the corresponding features in a TLS server. Likewise, ssl_server2 has options to activate certain behaviors that are useful for testing a TLS client.

Test utilities

test/benchmark.c: benchmark for cryptographic algorithms.
test/selftest.c: runs the self-test function in each library module.
test/udp_proxy.c: a UDP proxy that can inject certain failures (delay, duplicate, drop). Useful for testing DTLS.
test/zeroize.c: a test program for mbedtls_platform_zeroize, used by tests/scripts/test_zeroize.gdb.

Development utilities

util/pem2der.c: a PEM to DER converter. Mbed TLS can read PEM files directly, but this utility can be useful for interacting with other tools or with minimal Mbed TLS builds that lack PEM support.
util/strerror.c: prints the error description corresponding to an integer status returned by an Mbed TLS function.

X.509 certificate examples

x509/cert_app.c: connects to a TLS server and verifies its certificate chain.
x509/cert_req.c: generates a certificate signing request (CSR) for a private key.
x509/cert_write.c: signs a certificate signing request, or self-signs a certificate.
x509/crl_app.c: loads and dumps a certificate revocation list (CRL).
x509/req_app.c: loads and dumps a certificate signing request (CSR).