1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-24 13:32:59 +03:00
Commit Graph

714 Commits

Author SHA1 Message Date
Philippe Antoine
12e85de964 Adds missing ret definition 2019-06-11 16:07:53 +02:00
Philippe Antoine
f91b3722cf More clarity for ifdef orders 2019-06-11 16:02:43 +02:00
Philippe Antoine
0ff84fb6fe Only warns if MBEDTLS_HAVE_TIME 2019-06-11 12:15:17 +02:00
Philippe Antoine
7c9d72497d Option used added in string 2019-06-11 12:11:36 +02:00
Philippe Antoine
3ca5085f10 Code review
Typo rproduce -> reproducible
Call mbedtls_entropy_func
2019-06-07 22:31:59 +02:00
Philippe Antoine
986b6f20a9 Style fixes 2019-06-07 15:04:32 +02:00
Philippe Antoine
aa4d15264a SSL reproducible test mode 2019-06-06 21:30:01 +02:00
Hanno Becker
422d1993d2 Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2 2019-06-03 17:46:56 +01:00
Hanno Becker
8174bdfb94 ssl_server2: Skip CA setup if ca_path or ca_file argument "none"
This allows to test PSK-based ciphersuites via ssl_server2 in builds
which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and
MBEDTLS_CERTS_C disabled.
2019-06-03 17:46:56 +01:00
Hanno Becker
a0c5ceb2af Correct white spaces in ssl_server2 and ssl_client2 2019-06-03 17:46:56 +01:00
Hanno Becker
09b8cae006 Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled 2019-06-03 17:46:56 +01:00
Hanno Becker
3978d10e9e Remove superfluous new line in ssl_server2 2019-06-03 16:07:50 +01:00
Hanno Becker
3279822e24 Improve readability of ssl_client2/ssl_server2 usage instructions 2019-06-03 16:07:50 +01:00
Hanno Becker
d5eed4258a Use negative-hex format for error codes in ssl_client2/ssl_server2 2019-06-03 16:07:50 +01:00
Hanno Becker
a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker
8367ccc03b Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow the configuration of the stack's behaviour when receiving an
encrypted DTLS record with unexpected CID.
2019-06-03 16:07:50 +01:00
Hanno Becker
3a96828ead Add missing compile-time guard around CID API in ssl_server2 2019-06-03 16:07:50 +01:00
Hanno Becker
b42ec0df02 Add support for change of CID to ssl_client2 / ssl_server2
And add tests for various CID configuration changes during
renegotiation to ssl-opt.sh.
2019-06-03 16:07:50 +01:00
Hanno Becker
ad4a137965 Add CID configuration API
Context:
The CID draft does not require that the length of CIDs used for incoming
records must not change in the course of a connection. Since the record
header does not contain a length field for the CID, this means that if
CIDs of varying lengths are used, the CID length must be inferred from
other aspects of the record header (such as the epoch) and/or by means
outside of the protocol, e.g. by coding its length in the CID itself.

Inferring the CID length from the record's epoch is theoretically possible
in DTLS 1.2, but it requires the information about the epoch to be present
even if the epoch is no longer used: That's because one should silently drop
records from old epochs, but not the entire datagrams to which they belong
(there might be entire flights in a single datagram, including a change of
epoch); however, in order to do so, one needs to parse the record's content
length, the position of which is only known once the CID length for the epoch
is known. In conclusion, it puts a significant burden on the implementation
to infer the CID length from the record epoch, which moreover mangles record
processing with the high-level logic of the protocol (determining which epochs
are in use in which flights, when they are changed, etc. -- this would normally
determine when we drop epochs).

Moreover, with DTLS 1.3, CIDs are no longer uniquely associated to epochs,
but every epoch may use a set of CIDs of varying lengths -- in that case,
it's even theoretically impossible to do record header parsing based on
the epoch configuration only.

We must therefore seek a way for standalone record header parsing, which
means that we must either (a) fix the CID lengths for incoming records,
or (b) allow the application-code to configure a callback to implement
an application-specific CID parsing which would somehow infer the length
of the CID from the CID itself.

Supporting multiple lengths for incoming CIDs significantly increases
complexity while, on the other hand, the restriction to a fixed CID length
for incoming CIDs (which the application controls - in contrast to the
lengths of the CIDs used when writing messages to the peer) doesn't
appear to severely limit the usefulness of the CID extension.

Therefore, the initial implementation of the CID feature will require
a fixed length for incoming CIDs, which is what this commit enforces,
in the following way:

In order to avoid a change of API in case support for variable lengths
CIDs shall be added at some point, we keep mbedtls_ssl_set_cid(), which
includes a CID length parameter, but add a new API mbedtls_ssl_conf_cid_len()
which applies to an SSL configuration, and which fixes the CID length that
any call to mbetls_ssl_set_cid() which applies to an SSL context that is bound
to the given SSL configuration must use.

While this creates a slight redundancy of parameters, it allows to
potentially add an API like mbedtls_ssl_conf_cid_len_cb() later which
could allow users to register a callback which dynamically infers the
length of a CID at record header parsing time, without changing the
rest of the API.
2019-06-03 16:07:50 +01:00
Hanno Becker
554b6ea30a Correct compile-time guard around unhexify() in ssl_server2 2019-06-03 14:43:16 +01:00
Hanno Becker
dec2552a92 Change formating of CID debug output in ssl_client2/ssl_server2 2019-06-03 14:43:16 +01:00
Hanno Becker
735c716e2a Print peer CID from ssl_server2 2019-06-03 14:42:08 +01:00
Hanno Becker
982182f342 Improve wording of CID debug msg in ssl_server2 example application 2019-06-03 14:42:08 +01:00
Hanno Becker
a7d2542248 ssl_server2: Add cmd line options to configure use of CID extension 2019-06-03 14:42:08 +01:00
Ron Eldor
51c4507b9c Remove unneeded whitespaces
Delete extra whitespace in Changelog and in paramter alignment.
2019-05-15 17:49:54 +03:00
Ron Eldor
801faf0fa1 Fix mingw CI failures
Change `%z` formatting of `size_t` to `%u` and casting to unsigned.
2019-05-15 17:45:24 +03:00
Ron Eldor
f75e252909 Add test for export keys functionality
Add test in `ssl-opts.sh` that the export keys callback
is actually called.
2019-05-15 13:57:39 +03:00
Ron Eldor
51d3ab544f Add public API for tls_prf
Add a public API for key derivation, introducing an enum for `tls_prf`
type.
2019-05-15 13:53:02 +03:00
Ron Eldor
b7fd64ce2b Add eap-tls key derivation in the examples.
Add support for eap-tls key derivation functionality,
in `ssl_client2` and `ssl_server2` reference applications.
2019-05-15 13:41:42 +03:00
Jaeden Amero
1439b09049 Merge remote-tracking branch 'origin/pr/2540' into development
* origin/pr/2540:
  Add guards for MBEDTLS_X509_CRL_PARSE_C in sample
2019-04-24 11:20:31 +01:00
Jaeden Amero
3956a847e6 Merge remote-tracking branch 'origin/pr/2092' into development
* origin/pr/2092:
  Add more missing parentheses around macro parameters
  Add further missing brackets around macro parameters
  Adapt ChangeLog
  Improve macro hygiene
2019-04-24 11:17:21 +01:00
Ron Eldor
80d0419189 Add guards for MBEDTLS_X509_CRL_PARSE_C in sample
Add checks in `ssl_server2` that `MBEDTLS_X509_CRL_PARSE_C` is defined
to fix compilation issue. Fixes #560.
2019-04-04 15:05:18 +03:00
Hanno Becker
d6d100beb7 Fix ssl_client2 and ssl_server2 if !PLATFORM_C
The CA callback changes introduce mbedtls_calloc() and
mbedtls_free() to ssl_client2 and ssl_server2, which
wasn't defined unless MBEDTLS_PLATFORM_C was set.
2019-03-30 06:27:43 +00:00
Hanno Becker
cbb590369c Minor fixes to CA callback tests 2019-03-28 16:13:44 +00:00
Jarno Lamsa
1b4a2bad7a Add possibility to use ca_callbacks in ssl programs 2019-03-28 16:13:43 +00:00
Jaeden Amero
415620c1f2 Merge remote-tracking branch 'origin/pr/2105' into development
Additional work done as part of merge:
    - Run ./tests/scripts/check-generated-files.sh and check in the
      resulting changes to programs/ssl/query_config.c
2019-02-22 10:33:15 +00:00
Hanno Becker
1eeca41472 Improve macro hygiene
This commit improves hygiene and formatting of macro definitions
throughout the library. Specifically:
- It adds brackets around parameters to avoid unintended
  interpretation of arguments, e.g. due to operator precedence.
- It adds uses of the `do { ... } while( 0 )` idiom for macros that
  can be used as commands.
2019-02-19 17:59:00 +00:00
Andres Amaya Garcia
bc81884e3a Query config through ssl_server2 and ssl_client2 cmdline 2019-02-07 10:36:50 +00:00
Andrzej Kurek
b274f2739e Documentation fixes 2019-02-05 05:06:35 -05:00
Andrzej Kurek
c470b6b021 Merge development commit 8e76332 into development-psa
Additional changes to temporarily enable running tests:
ssl_srv.c and test_suite_ecdh use mbedtls_ecp_group_load instead of
mbedtls_ecdh_setup
test_suite_ctr_drbg uses mbedtls_ctr_drbg_update instead of 
mbedtls_ctr_drbg_update_ret
2019-01-31 08:20:20 -05:00
Jaeden Amero
6f4a8ef1ee Merge remote-tracking branch 'origin/pr/2137' into development 2019-01-30 14:55:09 +00:00
Hanno Becker
32809e8c70 PSA: Adapt ssl_server2 to modified key allocation API 2019-01-25 14:31:00 +00:00
Hanno Becker
9bd8842c77 PSA: Adapt ssl_server2 to hew key policy initialization API 2019-01-25 14:27:01 +00:00
Andrzej Kurek
2349c4db88 Adapt to the new key allocation mechanism 2019-01-08 09:36:01 -05:00
Manuel Pégourié-Gonnard
3ef6a6dc5c Fix const-ness in mbedtls_param_failed()
The previous prototype gave warnings are the strings produced by #cond and
__FILE__ are const, so we shouldn't implicitly cast them to non-const.

While at it modifying most example programs:
- include the header that has the function declaration, so that the definition
  can be checked to match by the compiler
- fix whitespace
- make it work even if PLATFORM_C is not defined:
    - CHECK_PARAMS is not documented as depending on PLATFORM_C and there is
      no reason why it should
    - so, remove the corresponding #if defined in each program...
    - and add missing #defines for mbedtls_exit when needed

The result has been tested (make all test with -Werror) with the following
configurations:

- full with    CHECK_PARAMS with    PLATFORM_C
- full with    CHECK_PARAMS without PLATFORM_C
- full without CHECK_PARAMS without PLATFORM_C
- full without CHECK_PARAMS with    PLATFORM_C

Additionally, it has been manually tested that adding

    mbedtls_aes_init( NULL );

near the normal call to mbedtls_aes_init() in programs/aes/aescrypt2.c has the
expected effect when running the program.
2018-12-11 12:28:56 +01:00
Simon Butcher
63cb97e562 Add handlers for parameter validation in the sample programs
The sample programs require an additional handler function of
mbedtls_param_failed() to handle any failed parameter validation checks enabled
by the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Hanno Becker
1d911cd59d Automatically allocate opaque PSK key slots in ssl_{client/server}2
Previously, command line arguments `psk_slot` and `psk_list_slot`
could be used to indicate the PSA key slots that the example
applications should use to store the PSK(s) provided.

This commit changes this approach to use the utility function
`mbedtls_psa_get_free_key_slot()` to obtain free key slots from
the PSA Crypto implementation automatically, so that users only
need to pass boolean flags `psk_opaque` and `psk_list_opaque`
on the command line to enable / disable PSA-based opaque PSKs.
2018-11-21 21:12:58 +00:00
Hanno Becker
c43b6ea847 Destroy PSA-based temporary opaque PSKs at the end of ssl_server2 2018-11-21 21:12:58 +00:00
Hanno Becker
b64ba5f2c0 Add support for opaque PSKs to ssl_server2 example application
This commit adds command line parameters `psk_slot` and `psk_list_slot`
to the example application `programs/ssl/ssl_server2`. These have the
following semantics:

- `psk_slot`: The same semantics as for the `ssl_client2` example
   application. That is, if a PSK is configured through the use
   of the command line parameters `psk` and `psk_identity`, then
   `psk_slot=X` can be used to import the PSK into PSA key slot X
   and registering it statically with the SSL configuration through
   the new API call mbedtls_ssl_conf_hs_opaque().
- `psk_list_slot`: In addition to the static PSK registered in the
   the SSL configuration, servers can register a callback for picking
   the PSK corresponding to the PSK identity that the client chose.
   The `ssl_server2` example application uses such a callback to select
   the PSK from a list of PSKs + Identities provided through the
   command line parameter `psk_list`, and to register the selected
   PSK via `mbedtls_ssl_set_hs_psk()`. In this case, the new parameter
   `psk_list_slot=X` has the effect of registering all PSKs provided in
   in `psk_list` as PSA keys in the key slots starting from slot `X`,
   and having the PSK selection callback register the chosen PSK
   through the new API function `mbedtls_ssl_set_hs_psk_opaque()`.
2018-11-21 21:12:58 +00:00
Hanno Becker
5a9942e7d2 Initialize PSA Crypto implementation in ssl_server2 2018-11-21 21:08:43 +00:00