From 687c500da335d0082f7e310c3f8b3cabc2d48a6c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 29 Jun 2018 09:04:46 +0100 Subject: [PATCH 001/113] Return from debugging functions if SSL context is unset The debugging functions - mbedtls_debug_print_ret, - mbedtls_debug_print_buf, - mbedtls_debug_print_mpi, and - mbedtls_debug_print_crt return immediately if the SSL configuration bound to the passed SSL context is NULL, has no debugging functions configured, or if the debug threshold is below the debugging level. However, they do not check whether the provided SSL context is not NULL before accessing the SSL configuration bound to it, therefore leading to a segmentation fault if it is. In contrast, the debugging function - mbedtls_debug_print_msg does check for ssl != NULL before accessing ssl->conf. This commit unifies the checks by always returning immediately if ssl == NULL. --- library/debug.c | 44 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/library/debug.c b/library/debug.c index db3924ac54..30c8c7bb81 100644 --- a/library/debug.c +++ b/library/debug.c @@ -86,8 +86,13 @@ void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level, char str[DEBUG_BUF_SIZE]; int ret; - if( NULL == ssl || NULL == ssl->conf || NULL == ssl->conf->f_dbg || level > debug_threshold ) + if( NULL == ssl || + NULL == ssl->conf || + NULL == ssl->conf->f_dbg || + level > debug_threshold ) + { return; + } va_start( argp, format ); #if defined(_WIN32) @@ -121,8 +126,13 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, { char str[DEBUG_BUF_SIZE]; - if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold ) + if( NULL == ssl || + NULL == ssl->conf || + NULL == ssl->conf->f_dbg || + level > debug_threshold ) + { return; + } /* * With non-blocking I/O and examples that just retry immediately, 
@@ -146,8 +156,13 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, char txt[17]; size_t i, idx = 0; - if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold ) + if( NULL == ssl || + NULL == ssl->conf || + NULL == ssl->conf->f_dbg || + level > debug_threshold ) + { return; + } mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n", text, (unsigned int) len ); @@ -199,8 +214,13 @@ void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level, { char str[DEBUG_BUF_SIZE]; - if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold ) + if( NULL == ssl || + NULL == ssl->conf || + NULL == ssl->conf->f_dbg || + level > debug_threshold ) + { return; + } mbedtls_snprintf( str, sizeof( str ), "%s(X)", text ); mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X ); @@ -219,8 +239,14 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, int j, k, zeros = 1; size_t i, n, idx = 0; - if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || X == NULL || level > debug_threshold ) + if( NULL == ssl || + NULL == ssl->conf || + NULL == ssl->conf->f_dbg || + NULL == X || + level > debug_threshold ) + { return; + } for( n = X->n - 1; n > 0; n-- ) if( X->p[n] != 0 ) @@ -345,8 +371,14 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level, char str[DEBUG_BUF_SIZE]; int i = 0; - if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || crt == NULL || level > debug_threshold ) + if( NULL == ssl || + NULL == ssl->conf || + NULL == ssl->conf->f_dbg || + NULL == crt || + level > debug_threshold ) + { return; + } while( crt != NULL ) { From 485aaaf2b9e44a807232cbf504ced924b7447acd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 29 Jun 2018 09:10:39 +0100 Subject: [PATCH 002/113] Adapt ChangeLog --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 0598cfa1a1..fd25ac7282 100644 --- a/ChangeLog +++ b/ChangeLog 
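Review bot: mbedtls_debug_print_ecp is the only routine in this series whose data argument stays unguarded: the new condition tests ssl but not X, and the next line forms `&X->X`, which is undefined for a null X even though it only computes an address, and which mbedtls_debug_print_mpi's own `NULL == X` test only catches if the X member happens to sit at offset 0. For consistency with the guards added to mbedtls_debug_print_mpi and mbedtls_debug_print_crt, add `NULL == X ||` to the condition ahead of the `level > debug_threshold` line. The function's body continues outside the hunk.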
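Review bot: The new `NULL == X` guard in mbedtls_debug_print_mpi does not cover an mpi with no limbs: when `X->n == 0` the loop `for( n = X->n - 1; n > 0; n-- )` on the following line starts at SIZE_MAX and reads `X->p[n]`, an out-of-bounds access (and a null dereference if p is NULL, as it presumably is for a freshly initialised mpi). Since the point of the commit is to make the debug helpers tolerate incomplete arguments, handle that case before the loop, e.g. `if( X->n == 0 ) { /* render as zero */ }`; how a zero value should be printed depends on the formatting code later in the function, which lies outside the hunk.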
@@ -13,6 +13,8 @@ Bugfix * Replace printf with mbedtls_printf in aria. Found by TrinityTonic in #1908. * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941. + * Return from various debugging routines immediately if the + provided SSL context is unset. Changes * Copy headers preserving timestamps when doing a "make install". From aa035d89a66736d119e9f750cf4324dfe69a26b5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 23 Aug 2018 16:40:43 +0100 Subject: [PATCH 003/113] Move ChangeLog entry from Bugfix to Changes section --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fd25ac7282..efaefa7dfd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,8 +13,6 @@ Bugfix * Replace printf with mbedtls_printf in aria. Found by TrinityTonic in #1908. * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941. - * Return from various debugging routines immediately if the - provided SSL context is unset. Changes * Copy headers preserving timestamps when doing a "make install". @@ -23,6 +21,8 @@ Changes Drozd. Fixes #1215 raised by randombit. * Improve compatibility with some alternative CCM implementations by using CCM test vectors from RAM. + * Return from various debugging routines immediately if the + provided SSL context is unset. = mbed TLS 2.12.0 branch released 2018-07-25 From a92c5455cdcc503fce9d814c98e2de769fcaa017 Mon Sep 17 00:00:00 2001 From: Christian Walther Date: Wed, 28 Nov 2018 13:32:27 +0100 Subject: [PATCH 004/113] Fix private DER output shifted by one byte. --- programs/pkey/key_app_writer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c index 13602c2e53..ebf6ad134b 100644 --- a/programs/pkey/key_app_writer.c +++ b/programs/pkey/key_app_writer.c 
@@ -173,7 +173,7 @@ static int write_private_key( mbedtls_pk_context *key, const char *output_file ) return( ret ); len = ret; - c = output_buf + sizeof(output_buf) - len - 1; + c = output_buf + sizeof(output_buf) - len; } if( ( f = fopen( output_file, "w" ) ) == NULL ) From e0f90f65571c4862c9e33ed1bf5cfc7823625f7f Mon Sep 17 00:00:00 2001 From: Christian Walther Date: Wed, 28 Nov 2018 15:12:26 +0100 Subject: [PATCH 005/113] Add ChangeLog entry --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8f0e8c1c79..22d7dd4914 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.xx.x branch released xxxx-xx-xx + +Bugfix + * Fix private key DER output in the key_app_writer example. File contents + were shifted by one byte, creating an invalid ASN.1 tag. Fixed by + Christian Walther in #2239. + = mbed TLS 2.14.0 branch released 2018-11-19 Security From 15db850fe9e73298b45625617840173f1ade8b7e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 14 Dec 2018 18:23:13 +0100 Subject: [PATCH 006/113] run-test-suites: update the documentation Update the documentation to mention the optional verbosity level with -v. Print the documentation on --help. Die on an unsupported option. --- tests/scripts/run-test-suites.pl | 35 ++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl index d0d4046215..7ffbd745bd 100755 --- a/tests/scripts/run-test-suites.pl +++ b/tests/scripts/run-test-suites.pl 
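Review bot: The corrected offset `c = output_buf + sizeof(output_buf) - len;` relies on mbedtls_pk_write_key_der() placing its output at the end of the buffer, which nothing in the code says, so a one-line comment would stop the `- 1` from being reintroduced: `/* DER is written at the end of output_buf; the data starts len bytes before its end */`. Separately, the `fopen( output_file, "w" )` visible in the hunk opens the file in text mode, so on platforms that translate line endings the DER bytes can be altered on the way out; `"wb"` is correct for DER and harmless for PEM if the same call serves both formats. write_private_key continues outside the hunk.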
@@ -4,19 +4,21 @@ # # This file is part of mbed TLS (https://tls.mbed.org) # -# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved -# -# Purpose -# -# Executes all the available test suites, and provides a basic summary of the -# results. -# -# Usage: run-test-suites.pl [-v] -# -# Options : -# -v|--verbose - Provide a pass/fail/skip breakdown per test suite and -# in total -# +# Copyright (c) 2015-2018, ARM Limited, All Rights Reserved + +=head1 SYNOPSIS + +Execute all the test suites and print a summary of the results. + + run-test-suites.pl [[-v|--verbose] [VERBOSITY]] + +Options: + + -v|--verbose Print detailed failure information. + -v 2|--verbose=2 Print detailed failure information and summary messages. + -v 3|--verbose=3 Print detailed information about every test case. + +=cut use warnings; use strict; @@ -24,10 +26,13 @@ use strict; use utf8; use open qw(:std utf8); -use Getopt::Long; +use Getopt::Long qw(:config auto_help); +use Pod::Usage; my $verbose = 0; -GetOptions( "verbose|v:1" => \$verbose ); +GetOptions( + 'verbose|v:1' => \$verbose, + ) or die; # All test suites = executable files, excluding source files, debug # and profiling information, etc. We can't just grep {! /\./} because From ac372cc687a1e240c742cd8f961fa79b913ed191 Mon Sep 17 00:00:00 2001 
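Review bot: `) or die;` in the GetOptions hunk yields only `Died at … line N.` after Getopt::Long's own `Unknown option` warning, which is less useful than pointing the user at the usage text this commit adds. Since Pod::Usage is now loaded, `) or pod2usage(-exitval => 2);` prints the SYNOPSIS to stderr and exits with status 2; if a plain die is preferred, give it a message, `) or die "$0: invalid command line, see --help\n";`.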
From: Gilles Peskine Date: Thu, 29 Nov 2018 10:15:06 +0000 Subject: [PATCH 007/113] Add a facility to skip running some test suites With the build option SKIP_TEST_SUITES=..., the specified test suites are built, but skipped when running tests. Usage: make check SKIP_TEST_SUITES=timing,gcm or cmake -D SKIP_TEST_SUITES=timing,gcm ... The list can be separated by any of space, comma or semicolon, and each element can be a regular expression in ERE syntax except that "." stands for itself. Skipping "foo" skips not only "foo" itself but also any "foo.bar", but does not skip "foobar". --- tests/CMakeLists.txt | 13 ++++++++++- tests/Makefile | 3 ++- tests/scripts/run-test-suites.pl | 37 ++++++++++++++++++++++++++++---- 3 files changed, 47 insertions(+), 6 deletions(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 58126bedcf..6f9f926605 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -20,6 +20,13 @@ endif() # on non-POSIX platforms. add_definitions("-D_POSIX_C_SOURCE=200809L") +# Test suites caught by SKIP_TEST_SUITES are built but not executed. +# "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar" +# but not "test_suite_foobar". +string(REGEX REPLACE "[ ,;]" "|" SKIP_TEST_SUITES_REGEX "${SKIP_TEST_SUITES}") +string(REPLACE "." "\\." SKIP_TEST_SUITES_REGEX "${SKIP_TEST_SUITES_REGEX}") +set(SKIP_TEST_SUITES_REGEX "^(${SKIP_TEST_SUITES_REGEX})(\$|\\.)") + function(add_test_suite suite_name) if(ARGV1) set(data_name ${ARGV1}) 
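Review bot: SKIP_TEST_SUITES is consumed by the new string() calls without being declared, so the option is not visible in the CMake cache or cmake-gui and its format lives only in the comment. Declaring it just above, `set(SKIP_TEST_SUITES "" CACHE STRING "Test suites to build but not run; separated by space, comma or semicolon")`, documents the option where it is used, keeps the default empty, and still lets `-D SKIP_TEST_SUITES=...` override it.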
@@ -36,7 +43,11 @@ function(add_test_suite suite_name) include_directories(${CMAKE_CURRENT_SOURCE_DIR}) add_executable(test_suite_${data_name} test_suite_${data_name}.c) target_link_libraries(test_suite_${data_name} ${libs}) - add_test(${data_name}-suite test_suite_${data_name} --verbose) + if(${data_name} MATCHES ${SKIP_TEST_SUITES_REGEX}) + message(STATUS "The test suite ${data_name} will not be executed.") + else() + add_test(${data_name}-suite test_suite_${data_name} --verbose) + endif() endfunction(add_test_suite) if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG) diff --git a/tests/Makefile b/tests/Makefile index b6e49bf8a6..4ef74177b9 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -113,8 +113,9 @@ ifneq ($(wildcard TESTS/.*),) endif endif +# Test suites caught by SKIP_TEST_SUITES are built but not executed. check: $(BINARIES) - perl scripts/run-test-suites.pl + perl scripts/run-test-suites.pl --skip=$(SKIP_TEST_SUITES) test: check diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl index 7ffbd745bd..1c9dc1dfcb 100755 --- a/tests/scripts/run-test-suites.pl +++ b/tests/scripts/run-test-suites.pl @@ -10,13 +10,16 @@ Execute all the test suites and print a summary of the results. - run-test-suites.pl [[-v|--verbose] [VERBOSITY]] + run-test-suites.pl [[-v|--verbose] [VERBOSITY]] [--skip=SUITE[...]] Options: -v|--verbose Print detailed failure information. -v 2|--verbose=2 Print detailed failure information and summary messages. -v 3|--verbose=3 Print detailed information about every test case. + --skip=SUITE[,SUITE...] + Skip the specified SUITE(s). This option can be used + multiple times. =cut @@ -26,11 +29,13 @@ use strict; use utf8; use open qw(:std utf8); -use Getopt::Long qw(:config auto_help); +use Getopt::Long qw(:config auto_help gnu_compat); use Pod::Usage; my $verbose = 0; +my @skip_patterns = (); GetOptions( + 'skip=s' => \@skip_patterns, 'verbose|v:1' => \$verbose, ) or die; 
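Review bot: `if(${data_name} MATCHES ${SKIP_TEST_SUITES_REGEX})` passes both operands unquoted, so if() may treat the expanded data_name as a variable name and dereference it a second time, and the regex would be split into several arguments if it ever contained a semicolon. Quoting both, `if("${data_name}" MATCHES "${SKIP_TEST_SUITES_REGEX}")`, makes the comparison literal under CMP0054 and is the conventional form for string matches. The enclosing add_test_suite function starts before this hunk.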
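Review bot: `--skip=$(SKIP_TEST_SUITES)` is expanded unquoted by the shell, so the space separator the commit message advertises splits the value: `make check SKIP_TEST_SUITES="timing gcm"` runs `--skip=timing gcm`, and `gcm` reaches the script as a stray positional argument instead of being skipped. Quote the expansion, `perl scripts/run-test-suites.pl --skip='$(SKIP_TEST_SUITES)'`, so the whole list arrives in one option; an empty `--skip=` stays accepted, which is presumably why the Perl hunk in this commit adds gnu_compat.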
@@ -41,6 +46,17 @@ my @suites = grep { -x $_ || /\.exe$/ } glob 'test_suite_*'; @suites = grep { !/\.c$/ && !/\.data$/ && -f } @suites; die "$0: no test suite found\n" unless @suites; +# "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar" +# but not "test_suite_foobar". +my $skip_re = + ( '\Atest_suite_(' . + join('|', map { + s/[ ,;]/|/g; # allow any of " ,;|" as separators + s/\./\./g; # "." in the input means ".", not "any character" + $_ + } @skip_patterns) . + ')(\z|\.)' ); + # in case test suites are linked dynamically $ENV{'LD_LIBRARY_PATH'} = '../library'; $ENV{'DYLD_LIBRARY_PATH'} = '../library'; @@ -50,6 +66,7 @@ my $prefix = $^O eq "MSWin32" ? '' : './'; my ($failed_suites, $total_tests_run, $failed, $suite_cases_passed, $suite_cases_failed, $suite_cases_skipped, $total_cases_passed, $total_cases_failed, $total_cases_skipped ); +my $suites_skipped = 0; sub pad_print_center { my( $width, $padchar, $string ) = @_; @@ -60,6 +77,12 @@ sub pad_print_center { for my $suite (@suites) { print "$suite ", "." x ( 72 - length($suite) - 2 - 4 ), " "; + if( $suite =~ /$skip_re/o ) { + print "SKIP\n"; + ++$suites_skipped; + next; + } + my $command = "$prefix$suite"; if( $verbose ) { $command .= ' -v'; @@ -106,7 +129,10 @@ for my $suite (@suites) print "-" x 72, "\n"; print $failed_suites ? "FAILED" : "PASSED"; -printf " (%d suites, %d tests run)\n", scalar @suites, $total_tests_run; +printf( " (%d suites, %d tests run%s)\n", + scalar(@suites) - $suites_skipped, + $total_tests_run, + $suites_skipped ? ", $suites_skipped suites skipped" : "" ); if( $verbose > 1 ) { print " test cases passed :", $total_cases_passed, "\n"; @@ -116,8 +142,11 @@ if( $verbose > 1 ) { "\n"; print " of available tests :", ( $total_cases_passed + $total_cases_failed + $total_cases_skipped ), - "\n" + "\n"; + if( $suites_skipped != 0 ) { + print "Note: $suites_skipped suites were skipped.\n"; } +} exit( $failed_suites ? 1 : 0 ); 
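Review bot: `s/\./\./g;` in the skip_re map is a no-op: the replacement side of s/// is a double-quoted string, in which `\.` is just `.`, so the substitution replaces a dot with a dot (and `use warnings` should report `Unrecognized escape \. passed through`). The comment on that line states the intent; the line that implements it is `s/\./\\./g;`, after which `--skip=aes.cbc` no longer also matches a hypothetical `test_suite_aesXcbc`. As a side note, both substitutions act on `$_` aliased to the elements of @skip_patterns, so the map rewrites the array in place; copying first (`my $p = $_;`) keeps the original option values intact.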
From c8fff7b2e7056ffbd55aceb628a401c3e7652793 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 29 Nov 2018 10:55:21 +0000 Subject: [PATCH 008/113] Declare test_suite_aes.ofb to CMake --- tests/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 6f9f926605..6388b1ab2c 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -63,6 +63,7 @@ endif(MSVC) add_test_suite(aes aes.ecb) add_test_suite(aes aes.cbc) add_test_suite(aes aes.cfb) +add_test_suite(aes aes.ofb) add_test_suite(aes aes.rest) add_test_suite(aes aes.xts) add_test_suite(arc4) From 9aeea93cc363fefe28f7c34517e7f853d29374b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Janiszewski?= Date: Tue, 30 Oct 2018 23:00:15 +0100 Subject: [PATCH 009/113] Rename globals to avoid shadowing by various function arguments It's easier and more telling to rename the globals used only for test, rather than rename all the shadowing function arguments. --- library/ccm.c | 26 +++++++++++++------------- library/gcm.c | 42 +++++++++++++++++++++--------------------- library/pkcs5.c | 12 ++++++------ 3 files changed, 40 insertions(+), 40 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 01e58b0436..8331f5d829 100644 --- a/library/ccm.c +++ b/library/ccm.c 
@@ -445,10 +445,10 @@ static const unsigned char msg[CCM_SELFTEST_PT_MAX_LEN] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, }; -static const size_t iv_len [NB_TESTS] = { 7, 8, 12 }; -static const size_t add_len[NB_TESTS] = { 8, 16, 20 }; -static const size_t msg_len[NB_TESTS] = { 4, 16, 24 }; -static const size_t tag_len[NB_TESTS] = { 4, 6, 8 }; +static const size_t iv_len_test_data [NB_TESTS] = { 7, 8, 12 }; +static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 }; +static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 }; +static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 }; static const unsigned char res[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = { { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d }, @@ -491,15 +491,15 @@ int mbedtls_ccm_self_test( int verbose ) memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN ); - memcpy( plaintext, msg, msg_len[i] ); + memcpy( plaintext, msg, msg_len_test_data[i] ); - ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len[i], - iv, iv_len[i], ad, add_len[i], + ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len_test_data[i], + iv, iv_len_test_data[i], ad, add_len_test_data[i], plaintext, ciphertext, - ciphertext + msg_len[i], tag_len[i] ); + ciphertext + msg_len_test_data[i], tag_len_test_data[i] ); if( ret != 0 || - memcmp( ciphertext, res[i], msg_len[i] + tag_len[i] ) != 0 ) + memcmp( ciphertext, res[i], msg_len_test_data[i] + tag_len_test_data[i] ) != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); 
@@ -508,13 +508,13 @@ int mbedtls_ccm_self_test( int verbose ) } memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); - ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len[i], - iv, iv_len[i], ad, add_len[i], + ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len_test_data[i], + iv, iv_len_test_data[i], ad, add_len_test_data[i], ciphertext, plaintext, - ciphertext + msg_len[i], tag_len[i] ); + ciphertext + msg_len_test_data[i], tag_len_test_data[i] ); if( ret != 0 || - memcmp( plaintext, msg, msg_len[i] ) != 0 ) + memcmp( plaintext, msg, msg_len_test_data[i] ) != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); diff --git a/library/gcm.c b/library/gcm.c index 675926a518..8294019437 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -560,7 +560,7 @@ void mbedtls_gcm_free( mbedtls_gcm_context *ctx ) static const int key_index[MAX_TESTS] = { 0, 0, 1, 1, 1, 1 }; -static const unsigned char key[MAX_TESTS][32] = +static const unsigned char key_test_data[MAX_TESTS][32] = { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -572,13 +572,13 @@ static const unsigned char key[MAX_TESTS][32] = 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 }, }; -static const size_t iv_len[MAX_TESTS] = +static const size_t iv_len_test_data[MAX_TESTS] = { 12, 12, 12, 12, 8, 60 }; static const int iv_index[MAX_TESTS] = { 0, 0, 1, 1, 1, 2 }; -static const unsigned char iv[MAX_TESTS][64] = +static const unsigned char iv_test_data[MAX_TESTS][64] = { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, @@ -594,7 +594,7 @@ static const unsigned char iv[MAX_TESTS][64] = 0xa6, 0x37, 0xb3, 0x9b }, }; -static const size_t add_len[MAX_TESTS] = +static const size_t add_len_test_data[MAX_TESTS] = { 0, 0, 0, 20, 20, 20 }; static const int add_index[MAX_TESTS] = 
@@ -737,7 +737,7 @@ static const unsigned char ct[MAX_TESTS * 3][64] = 0x44, 0xae, 0x7e, 0x3f }, }; -static const unsigned char tag[MAX_TESTS * 3][16] = +static const unsigned char tag_test_data[MAX_TESTS * 3][16] = { { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61, 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a }, @@ -797,7 +797,7 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", key_len, i, "enc" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], key_len ); /* * AES-192 is an optional feature that may be unavailable when @@ -816,14 +816,14 @@ int mbedtls_gcm_self_test( int verbose ) ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT, pt_len[i], - iv[iv_index[i]], iv_len[i], - additional[add_index[i]], add_len[i], + iv_test_data[iv_index[i]], iv_len_test_data[i], + additional[add_index[i]], add_len_test_data[i], pt[pt_index[i]], buf, 16, tag_buf ); if( ret != 0 ) goto exit; if ( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || - memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) + memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; goto exit; @@ -840,22 +840,22 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", key_len, i, "dec" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT, pt_len[i], - iv[iv_index[i]], iv_len[i], - additional[add_index[i]], add_len[i], + iv_test_data[iv_index[i]], iv_len_test_data[i], + additional[add_index[i]], add_len_test_data[i], ct[j * 6 + i], buf, 16, tag_buf ); if( ret != 0 ) goto exit; if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || - memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) + memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; goto exit; 
@@ -872,14 +872,14 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d split (%s): ", key_len, i, "enc" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT, - iv[iv_index[i]], iv_len[i], - additional[add_index[i]], add_len[i] ); + iv_test_data[iv_index[i]], iv_len_test_data[i], + additional[add_index[i]], add_len_test_data[i] ); if( ret != 0 ) goto exit; @@ -907,7 +907,7 @@ int mbedtls_gcm_self_test( int verbose ) goto exit; if( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || - memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) + memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; goto exit; @@ -924,14 +924,14 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d split (%s): ", key_len, i, "dec" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_DECRYPT, - iv[iv_index[i]], iv_len[i], - additional[add_index[i]], add_len[i] ); + iv_test_data[iv_index[i]], iv_len_test_data[i], + additional[add_index[i]], add_len_test_data[i] ); if( ret != 0 ) goto exit; @@ -960,7 +960,7 @@ int mbedtls_gcm_self_test( int verbose ) goto exit; if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || - memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) + memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; goto exit; diff --git a/library/pkcs5.c b/library/pkcs5.c index 50133435ce..86ab3e7a2a 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c 
@@ -304,10 +304,10 @@ int mbedtls_pkcs5_self_test( int verbose ) #define MAX_TESTS 6 -static const size_t plen[MAX_TESTS] = +static const size_t plen_test_data[MAX_TESTS] = { 8, 8, 8, 24, 9 }; -static const unsigned char password[MAX_TESTS][32] = +static const unsigned char password_test_data[MAX_TESTS][32] = { "password", "password", @@ -316,10 +316,10 @@ static const unsigned char password[MAX_TESTS][32] = "pass\0word", }; -static const size_t slen[MAX_TESTS] = +static const size_t slen_test_data[MAX_TESTS] = { 4, 4, 4, 36, 5 }; -static const unsigned char salt[MAX_TESTS][40] = +static const unsigned char salt_test_data[MAX_TESTS][40] = { "salt", "salt", @@ -380,8 +380,8 @@ int mbedtls_pkcs5_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " PBKDF2 (SHA1) #%d: ", i ); - ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i], - slen[i], it_cnt[i], key_len[i], key ); + ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password_test_data[i], plen_test_data[i], salt_test_data[i], + slen_test_data[i], it_cnt[i], key_len[i], key ); if( ret != 0 || memcmp( result_key[i], key, key_len[i] ) != 0 ) { From c79e92b802258219810f958de1e587d76b8c338c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Janiszewski?= Date: Wed, 31 Oct 2018 20:43:05 +0100 Subject: [PATCH 010/113] Rename remaining test data --- library/ccm.c | 24 +++++++------ library/gcm.c | 93 +++++++++++++++++++++++++++++-------------------- library/pkcs5.c | 14 ++++---- 3 files changed, 76 insertions(+), 55 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 8331f5d829..0dd712a1d7 100644 --- a/library/ccm.c +++ b/library/ccm.c 
@@ -423,23 +423,23 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, /* * The data is the same for all tests, only the used length changes */ -static const unsigned char key[] = { +static const unsigned char key_test_data[] = { 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f }; -static const unsigned char iv[] = { +static const unsigned char iv_test_data[] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b }; -static const unsigned char ad[] = { +static const unsigned char ad_test_data[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13 }; -static const unsigned char msg[CCM_SELFTEST_PT_MAX_LEN] = { +static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = { 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, @@ -450,7 +450,7 @@ static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 }; static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 }; static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 }; -static const unsigned char res[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = { +static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = { { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d }, { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62, 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d, @@ -476,7 +476,7 @@ int mbedtls_ccm_self_test( int verbose ) mbedtls_ccm_init( &ctx ); - if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 ) + if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key_test_data, 8 * sizeof key_test_data ) != 0 ) { if( verbose != 0 ) mbedtls_printf( " CCM: setup failed" ); 
@@ -491,15 +491,16 @@ int mbedtls_ccm_self_test( int verbose ) memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN ); - memcpy( plaintext, msg, msg_len_test_data[i] ); + memcpy( plaintext, msg_test_data, msg_len_test_data[i] ); ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len_test_data[i], - iv, iv_len_test_data[i], ad, add_len_test_data[i], + iv_test_data, iv_len_test_data[i], + ad_test_data, add_len_test_data[i], plaintext, ciphertext, ciphertext + msg_len_test_data[i], tag_len_test_data[i] ); if( ret != 0 || - memcmp( ciphertext, res[i], msg_len_test_data[i] + tag_len_test_data[i] ) != 0 ) + memcmp( ciphertext, res_test_data[i], msg_len_test_data[i] + tag_len_test_data[i] ) != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); @@ -509,12 +510,13 @@ int mbedtls_ccm_self_test( int verbose ) memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len_test_data[i], - iv, iv_len_test_data[i], ad, add_len_test_data[i], + iv_test_data, iv_len_test_data[i], + ad_test_data, add_len_test_data[i], ciphertext, plaintext, ciphertext + msg_len_test_data[i], tag_len_test_data[i] ); if( ret != 0 || - memcmp( plaintext, msg, msg_len_test_data[i] ) != 0 ) + memcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); diff --git a/library/gcm.c b/library/gcm.c index 8294019437..bfaa13ce44 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -557,7 +557,7 @@ void mbedtls_gcm_free( mbedtls_gcm_context *ctx ) */ #define MAX_TESTS 6 -static const int key_index[MAX_TESTS] = +static const int key_index_test_data[MAX_TESTS] = { 0, 0, 1, 1, 1, 1 }; static const unsigned char key_test_data[MAX_TESTS][32] = 
@@ -575,7 +575,7 @@ static const unsigned char key_test_data[MAX_TESTS][32] = static const size_t iv_len_test_data[MAX_TESTS] = { 12, 12, 12, 12, 8, 60 }; -static const int iv_index[MAX_TESTS] = +static const int iv_index_test_data[MAX_TESTS] = { 0, 0, 1, 1, 1, 2 }; static const unsigned char iv_test_data[MAX_TESTS][64] = @@ -597,10 +597,10 @@ static const unsigned char iv_test_data[MAX_TESTS][64] = static const size_t add_len_test_data[MAX_TESTS] = { 0, 0, 0, 20, 20, 20 }; -static const int add_index[MAX_TESTS] = +static const int add_index_test_data[MAX_TESTS] = { 0, 0, 0, 1, 1, 1 }; -static const unsigned char additional[MAX_TESTS][64] = +static const unsigned char additional_test_data[MAX_TESTS][64] = { { 0x00 }, { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, @@ -608,13 +608,13 @@ static const unsigned char additional[MAX_TESTS][64] = 0xab, 0xad, 0xda, 0xd2 }, }; -static const size_t pt_len[MAX_TESTS] = +static const size_t pt_len_test_data[MAX_TESTS] = { 0, 16, 64, 60, 60, 60 }; -static const int pt_index[MAX_TESTS] = +static const int pt_index_test_data[MAX_TESTS] = { 0, 0, 1, 1, 1, 1 }; -static const unsigned char pt[MAX_TESTS][64] = +static const unsigned char pt_test_data[MAX_TESTS][64] = { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, @@ -628,7 +628,7 @@ static const unsigned char pt[MAX_TESTS][64] = 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 }, }; -static const unsigned char ct[MAX_TESTS * 3][64] = +static const unsigned char ct_test_data[MAX_TESTS * 3][64] = { { 0x00 }, { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92, @@ -797,7 +797,7 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", key_len, i, "enc" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index_test_data[i]], key_len ); /* * AES-192 is an optional feature that may be unavailable when 
@@ -815,14 +815,17 @@ int mbedtls_gcm_self_test( int verbose ) } ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT, - pt_len[i], - iv_test_data[iv_index[i]], iv_len_test_data[i], - additional[add_index[i]], add_len_test_data[i], - pt[pt_index[i]], buf, 16, tag_buf ); + pt_len_test_data[i], + iv_test_data[iv_index_test_data[i]], + iv_len_test_data[i], + additional_test_data[add_index_test_data[i]], + add_len_test_data[i], + pt_test_data[pt_index_test_data[i]], + buf, 16, tag_buf ); if( ret != 0 ) goto exit; - if ( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || + if ( memcmp( buf, ct_test_data[j * 6 + i], pt_len_test_data[i] ) != 0 || memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; @@ -840,21 +843,24 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", key_len, i, "dec" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index_test_data[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT, - pt_len[i], - iv_test_data[iv_index[i]], iv_len_test_data[i], - additional[add_index[i]], add_len_test_data[i], - ct[j * 6 + i], buf, 16, tag_buf ); + pt_len_test_data[i], + iv_test_data[iv_index_test_data[i]], + iv_len_test_data[i], + additional_test_data[add_index_test_data[i]], + add_len_test_data[i], + ct_test_data[j * 6 + i], buf, 16, tag_buf ); if( ret != 0 ) goto exit; - if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || + if( memcmp( buf, pt_test_data[pt_index_test_data[i]], + pt_len_test_data[i] ) != 0 || memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; 
@@ -872,32 +878,38 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d split (%s): ", key_len, i, "enc" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index_test_data[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT, - iv_test_data[iv_index[i]], iv_len_test_data[i], - additional[add_index[i]], add_len_test_data[i] ); + iv_test_data[iv_index_test_data[i]], + iv_len_test_data[i], + additional_test_data[add_index_test_data[i]], + add_len_test_data[i] ); if( ret != 0 ) goto exit; - if( pt_len[i] > 32 ) + if( pt_len_test_data[i] > 32 ) { - size_t rest_len = pt_len[i] - 32; - ret = mbedtls_gcm_update( &ctx, 32, pt[pt_index[i]], buf ); + size_t rest_len = pt_len_test_data[i] - 32; + ret = mbedtls_gcm_update( &ctx, 32, + pt_test_data[pt_index_test_data[i]], + buf ); if( ret != 0 ) goto exit; - ret = mbedtls_gcm_update( &ctx, rest_len, pt[pt_index[i]] + 32, + ret = mbedtls_gcm_update( &ctx, rest_len, + pt_test_data[pt_index_test_data[i]] + 32, buf + 32 ); if( ret != 0 ) goto exit; } else { - ret = mbedtls_gcm_update( &ctx, pt_len[i], pt[pt_index[i]], buf ); + ret = mbedtls_gcm_update( &ctx, pt_len_test_data[i], + pt_test_data[pt_index_test_data[i]], buf ); if( ret != 0 ) goto exit; } @@ -906,7 +918,7 @@ int mbedtls_gcm_self_test( int verbose ) if( ret != 0 ) goto exit; - if( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || + if( memcmp( buf, ct_test_data[j * 6 + i], pt_len_test_data[i] ) != 0 || memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; 
@@ -924,32 +936,36 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d split (%s): ", key_len, i, "dec" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, + key_test_data[key_index_test_data[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_DECRYPT, - iv_test_data[iv_index[i]], iv_len_test_data[i], - additional[add_index[i]], add_len_test_data[i] ); + iv_test_data[iv_index_test_data[i]], + iv_len_test_data[i], + additional_test_data[add_index_test_data[i]], + add_len_test_data[i] ); if( ret != 0 ) goto exit; - if( pt_len[i] > 32 ) + if( pt_len_test_data[i] > 32 ) { - size_t rest_len = pt_len[i] - 32; - ret = mbedtls_gcm_update( &ctx, 32, ct[j * 6 + i], buf ); + size_t rest_len = pt_len_test_data[i] - 32; + ret = mbedtls_gcm_update( &ctx, 32, ct_test_data[j * 6 + i], buf ); if( ret != 0 ) goto exit; - ret = mbedtls_gcm_update( &ctx, rest_len, ct[j * 6 + i] + 32, + ret = mbedtls_gcm_update( &ctx, rest_len, ct_test_data[j * 6 + i] + 32, buf + 32 ); if( ret != 0 ) goto exit; } else { - ret = mbedtls_gcm_update( &ctx, pt_len[i], ct[j * 6 + i], + ret = mbedtls_gcm_update( &ctx, pt_len_test_data[i], + ct_test_data[j * 6 + i], buf ); if( ret != 0 ) goto exit; @@ -959,7 +975,8 @@ int mbedtls_gcm_self_test( int verbose ) if( ret != 0 ) goto exit; - if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || + if( memcmp( buf, pt_test_data[pt_index_test_data[i]], + pt_len_test_data[i] ) != 0 || memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; diff --git a/library/pkcs5.c b/library/pkcs5.c index 86ab3e7a2a..b5407c87c5 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c 
@@ -328,13 +328,13 @@ static const unsigned char salt_test_data[MAX_TESTS][40] = "sa\0lt", }; -static const uint32_t it_cnt[MAX_TESTS] = +static const uint32_t it_cnt_test_data[MAX_TESTS] = { 1, 2, 4096, 4096, 4096 }; -static const uint32_t key_len[MAX_TESTS] = +static const uint32_t key_len_test_data[MAX_TESTS] = { 20, 20, 20, 25, 16 }; -static const unsigned char result_key[MAX_TESTS][32] = +static const unsigned char result_key_test_data[MAX_TESTS][32] = { { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71, 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06, @@ -380,10 +380,12 @@ int mbedtls_pkcs5_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " PBKDF2 (SHA1) #%d: ", i ); - ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password_test_data[i], plen_test_data[i], salt_test_data[i], - slen_test_data[i], it_cnt[i], key_len[i], key ); + ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password_test_data[i], + plen_test_data[i], salt_test_data[i], + slen_test_data[i], it_cnt_test_data[i], + key_len_test_data[i], key ); if( ret != 0 || - memcmp( result_key[i], key, key_len[i] ) != 0 ) + memcmp( result_key_test_data[i], key, key_len_test_data[i] ) != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); From ee3c435063e40fd800f4e09568b603cbc62bdf7f Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 10 Jan 2019 03:10:02 -0500 Subject: [PATCH 011/113] Whitespace fix for ccm, gcm, and pkcs5 Fix whitespace mistakes in ccm, gcm, and pkcs5. --- library/ccm.c | 15 +++++++---- library/gcm.c | 69 ++++++++++++++++++++++++++++--------------------- library/pkcs5.c | 12 ++++++--- 3 files changed, 57 insertions(+), 39 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 0dd712a1d7..2c87b3e033 100644 --- a/library/ccm.c +++ b/library/ccm.c 
@@ -80,7 +80,8 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, CCM_VALIDATE_RET( ctx != NULL ); CCM_VALIDATE_RET( key != NULL ); - cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB ); + cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, + MBEDTLS_MODE_ECB ); if( cipher_info == NULL ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); @@ -476,7 +477,8 @@ int mbedtls_ccm_self_test( int verbose ) mbedtls_ccm_init( &ctx ); - if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key_test_data, 8 * sizeof key_test_data ) != 0 ) + if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key_test_data, + 8 * sizeof key_test_data ) != 0 ) { if( verbose != 0 ) mbedtls_printf( " CCM: setup failed" ); @@ -497,10 +499,12 @@ int mbedtls_ccm_self_test( int verbose ) iv_test_data, iv_len_test_data[i], ad_test_data, add_len_test_data[i], plaintext, ciphertext, - ciphertext + msg_len_test_data[i], tag_len_test_data[i] ); + ciphertext + msg_len_test_data[i], + tag_len_test_data[i] ); if( ret != 0 || - memcmp( ciphertext, res_test_data[i], msg_len_test_data[i] + tag_len_test_data[i] ) != 0 ) + memcmp( ciphertext, res_test_data[i], + msg_len_test_data[i] + tag_len_test_data[i] ) != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); @@ -513,7 +517,8 @@ int mbedtls_ccm_self_test( int verbose ) iv_test_data, iv_len_test_data[i], ad_test_data, add_len_test_data[i], ciphertext, plaintext, - ciphertext + msg_len_test_data[i], tag_len_test_data[i] ); + ciphertext + msg_len_test_data[i], + tag_len_test_data[i] ); if( ret != 0 || memcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 ) diff --git a/library/gcm.c b/library/gcm.c index bfaa13ce44..5121a7ac7e 100644 --- a/library/gcm.c +++ b/library/gcm.c 
@@ -175,7 +175,8 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx, GCM_VALIDATE_RET( key != NULL ); GCM_VALIDATE_RET( keybits == 128 || keybits == 192 || keybits == 256 ); - cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB ); + cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, + MBEDTLS_MODE_ECB ); if( cipher_info == NULL ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); @@ -335,8 +336,8 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, gcm_mult( ctx, ctx->y, ctx->y ); } - if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->base_ectr, - &olen ) ) != 0 ) + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, + ctx->base_ectr, &olen ) ) != 0 ) { return( ret ); } @@ -797,7 +798,8 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", key_len, i, "enc" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index_test_data[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, + key_test_data[key_index_test_data[i]], key_len ); /* * AES-192 is an optional feature that may be unavailable when @@ -815,17 +817,18 @@ int mbedtls_gcm_self_test( int verbose ) } ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT, - pt_len_test_data[i], - iv_test_data[iv_index_test_data[i]], - iv_len_test_data[i], - additional_test_data[add_index_test_data[i]], - add_len_test_data[i], - pt_test_data[pt_index_test_data[i]], - buf, 16, tag_buf ); + pt_len_test_data[i], + iv_test_data[iv_index_test_data[i]], + iv_len_test_data[i], + additional_test_data[add_index_test_data[i]], + add_len_test_data[i], + pt_test_data[pt_index_test_data[i]], + buf, 16, tag_buf ); if( ret != 0 ) goto exit; - if ( memcmp( buf, ct_test_data[j * 6 + i], pt_len_test_data[i] ) != 0 || + if ( memcmp( buf, ct_test_data[j * 6 + i], + pt_len_test_data[i] ) != 0 || memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; 
@@ -843,18 +846,19 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", key_len, i, "dec" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index_test_data[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, + key_test_data[key_index_test_data[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT, - pt_len_test_data[i], - iv_test_data[iv_index_test_data[i]], - iv_len_test_data[i], - additional_test_data[add_index_test_data[i]], - add_len_test_data[i], - ct_test_data[j * 6 + i], buf, 16, tag_buf ); + pt_len_test_data[i], + iv_test_data[iv_index_test_data[i]], + iv_len_test_data[i], + additional_test_data[add_index_test_data[i]], + add_len_test_data[i], + ct_test_data[j * 6 + i], buf, 16, tag_buf ); if( ret != 0 ) goto exit; @@ -878,16 +882,17 @@ int mbedtls_gcm_self_test( int verbose ) mbedtls_printf( " AES-GCM-%3d #%d split (%s): ", key_len, i, "enc" ); - ret = mbedtls_gcm_setkey( &ctx, cipher, key_test_data[key_index_test_data[i]], + ret = mbedtls_gcm_setkey( &ctx, cipher, + key_test_data[key_index_test_data[i]], key_len ); if( ret != 0 ) goto exit; ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT, - iv_test_data[iv_index_test_data[i]], - iv_len_test_data[i], - additional_test_data[add_index_test_data[i]], - add_len_test_data[i] ); + iv_test_data[iv_index_test_data[i]], + iv_len_test_data[i], + additional_test_data[add_index_test_data[i]], + add_len_test_data[i] ); if( ret != 0 ) goto exit; @@ -901,15 +906,16 @@ int mbedtls_gcm_self_test( int verbose ) goto exit; ret = mbedtls_gcm_update( &ctx, rest_len, - pt_test_data[pt_index_test_data[i]] + 32, - buf + 32 ); + pt_test_data[pt_index_test_data[i]] + 32, + buf + 32 ); if( ret != 0 ) goto exit; } else { ret = mbedtls_gcm_update( &ctx, pt_len_test_data[i], - pt_test_data[pt_index_test_data[i]], buf ); + pt_test_data[pt_index_test_data[i]], + buf ); if( ret != 0 ) goto exit; } 
@@ -918,7 +924,8 @@ int mbedtls_gcm_self_test( int verbose ) if( ret != 0 ) goto exit; - if( memcmp( buf, ct_test_data[j * 6 + i], pt_len_test_data[i] ) != 0 || + if( memcmp( buf, ct_test_data[j * 6 + i], + pt_len_test_data[i] ) != 0 || memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 ) { ret = 1; @@ -953,11 +960,13 @@ int mbedtls_gcm_self_test( int verbose ) if( pt_len_test_data[i] > 32 ) { size_t rest_len = pt_len_test_data[i] - 32; - ret = mbedtls_gcm_update( &ctx, 32, ct_test_data[j * 6 + i], buf ); + ret = mbedtls_gcm_update( &ctx, 32, ct_test_data[j * 6 + i], + buf ); if( ret != 0 ) goto exit; - ret = mbedtls_gcm_update( &ctx, rest_len, ct_test_data[j * 6 + i] + 32, + ret = mbedtls_gcm_update( &ctx, rest_len, + ct_test_data[j * 6 + i] + 32, buf + 32 ); if( ret != 0 ) goto exit; diff --git a/library/pkcs5.c b/library/pkcs5.c index b5407c87c5..e7d805c2c6 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -76,7 +76,8 @@ static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params, * } * */ - if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) + if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len, + MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); salt->p = p; @@ -141,7 +142,8 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); - if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 ) + if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid, + &kdf_alg_params ) ) != 0 ) return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret ); // Only PBKDF2 supported at the moment 
@@ -202,7 +204,8 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 ) goto exit; - if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 ) + if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, + (mbedtls_operation_t) mode ) ) != 0 ) goto exit; if( ( ret = mbedtls_cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len, @@ -217,7 +220,8 @@ exit: } #endif /* MBEDTLS_ASN1_PARSE_C */ -int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password, +int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, + const unsigned char *password, size_t plen, const unsigned char *salt, size_t slen, unsigned int iteration_count, uint32_t key_length, unsigned char *output ) From 4d7082288fe7a63134784cc71c5aa0eb65d9ce37 Mon Sep 17 00:00:00 2001 From: ILUXONCHIK Date: Tue, 27 Mar 2018 16:31:42 +0100 Subject: [PATCH 012/113] add entry to ChangeLog --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index b39b95391d..b6fa8079d1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,13 @@ Bugfix previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 + * Server's RSA certificate in certs.c was SHA-1 signed. In the default + mbedTLS configuration only SHA-2 signed certificates are accepted. + This certificate is used in the demo server programs, which lead the + client programs to fail at the peer's certificate verification + due to an unacceptable hash signature. The certificate has been + updated to one that is SHA-256 signed. Fix contributed by + Illya Gerasymchuk. = mbed TLS 2.16.0 branch released 2018-12-21 From 914df7937db7a6f8bd51110fa323dd27a37ec2ea Mon Sep 17 00:00:00 2001 
From: ILUXONCHIK
Date: Wed, 28 Mar 2018 09:18:47 +0100
Subject: [PATCH 013/113] server SHA-256 certificate now follows the same logic as CA SHA-256 certificate
---
 library/certs.c | 83 ++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 55 insertions(+), 28 deletions(-)
diff --git a/library/certs.c b/library/certs.c
index ff0f11e923..8fda8b88f9 100644
--- a/library/certs.c
+++ b/library/certs.c
@@ -141,13 +141,40 @@ const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
 "n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n" \
 "-----END CERTIFICATE-----\r\n"
+#define TEST_SRV_CRT_RSA_SHA256 \
+"-----BEGIN CERTIFICATE-----\r\n" \
+"MIIDPzCCAiegAwIBAgIJANBEZkZxdopmMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\r\n" \
+"BAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVz\r\n" \
+"dCBDQTAeFw0xODAzMjcxNDEzMjFaFw0yNzA1MDQxNDEzMjFaMDQxCzAJBgNVBAYT\r\n" \
+"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN\r\n" \
+"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxK\r\n" \
+"zzoTFtBa5M2jAIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJ\r\n" \
+"HJa8/sEEUrM21KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91sl\r\n" \
+"c0boC4pPaQy1AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/\r\n" \
+"VqgaHkQYDw+Fi9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7Hxydr\r\n" \
+"xwU9esQCPJodPg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQAB\r\n" \
+"o00wSzAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwCQYDVR0TBAIwADAf\r\n" \
+"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
+"AQEAcvY0HeIT7zmweE5/xk20kvFc0Qbc9dLzdxDlGLv7kDx/9brxjCRTa0/YejuT\r\n" \
+"Pm8diFs1U6OvlzdROkbZpncW9c62mkg5zRrCo3T2E0SZx9GP8JNlo7MhiESjDsFO\r\n" \
+"hcCGCKRnjOlyX4w25hA9JkwnkayeeTWnLwXS0BoFI2liWZNOLlxaSudffD4P1Hls\r\n" \
+"vYOE0cU99bIkaZa9/aNygcjB08dUrD5AFvQO7S7gPCrpDrnuHEXi8EFlbGZfTAHy\r\n" \
+"u+ozycErFLhYhZjtKUs2d1YsK4QKlI1PVjlucfrRXaEnLbi37cKqT68EceHh6ztd\r\n" \
+"lPlhwRx+VicKsW8NHZ3k/wl3Yg==\r\n" \
+"-----END CERTIFICATE-----\r\n"
+
+
 const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA256;
 const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+
 #define TEST_CA_CRT_RSA_SOME
 static const char mbedtls_test_ca_crt_rsa_sha256[] =
TEST_CA_CRT_RSA_SHA256;
-#endif
+#endif /* TEST_CA_CR_RSA_SOME */
 #if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
 #define TEST_CA_CRT_RSA_SHA1 \
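Review bot: The trailing comment on `+#endif /* TEST_CA_CR_RSA_SOME */` misspells the macro and names the wrong condition: that `#endif` closes the `#if defined(MBEDTLS_SHA256_C)` block in which TEST_CA_CRT_RSA_SHA256 is defined (visible as context in a later hunk of this series), so it should read `#endif /* MBEDTLS_SHA256_C */`. The new TEST_SRV_CRT_RSA_SHA256 macro also lacks the provenance comment its predecessor carried (`/* tests/data_files/server2.crt */` on the definition removed later in this patch), which is what lets a maintainer regenerate or verify the blob; add `/* tests/data_files/<sha256-server-cert-file> */` above the `#define`, with the real path filled in. Because the issuer, subject and validity period of the new certificate are only recoverable by decoding the base64, a one-line comment stating which test CA key signed it and its notAfter date would make a future expiry-driven test failure much quicker to diagnose.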
@@ -173,14 +200,39 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 "7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
 "-----END CERTIFICATE-----\r\n"
+#define TEST_SRV_CRT_RSA_SHA1 \
+"-----BEGIN CERTIFICATE-----\r\n" \
+"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAAFzC0rF\r\n" \
+"y6De8WMcdgQrEw3AhBHFjzqnxZw1ene4IBSC7lTw8rBSy3jOWQdPUWn+0y/pCeeF\r\n" \
+"kti6sevFdl1hLemGtd4q+T9TKEKGg3ND4ARfB5AUZZ9uEHq8WBkiwus5clGS17Qd\r\n" \
+"dS/TOisB59tQruLx1E1bPLtBKyqk4koC5WAULJwfpswGSyWJTpYwIpxcWE3D2tBu\r\n" \
+"UB6MZfXZFzWmWEOyKbeoXjXe8GBCGgHLywvYDsGQ36HSGtEsAvR2QaTLSxWYcfk1\r\n" \
+"fbDn4jSWkb4yZy1r01UEigFQtONieGwRFaUqEcFJHJvEEGVgh9keaVlOj2vrwf5r\r\n" \
+"4mN4lW7gLdenN6g=\r\n" \
+"-----END CERTIFICATE-----\r\n";
+
 #if !defined (TEST_CA_CRT_RSA_SOME)
 const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
 const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#endif
+
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#endif /* TEST_CA_CRT_RSA_SOME */
 static const char
mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
-#endif
+#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
 const char mbedtls_test_ca_key_rsa[] =
 "-----BEGIN RSA PRIVATE KEY-----\r\n"
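Review bot: `+"-----END CERTIFICATE-----\r\n";` leaves a semicolon inside the TEST_SRV_CRT_RSA_SHA1 macro, so `+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;` expands to `...;;`, an empty file-scope declaration that ISO C does not allow and that `-pedantic` builds warn about; drop the `;` from the macro so it ends on the string literal like TEST_CA_CRT_RSA_SHA1 above it and TEST_SRV_CRT_RSA_SHA256 in the previous hunk. The later hunks of PATCH 015/113, 016/113 and 017/113 carry the same macro line forward unchanged, so the fix belongs here rather than in any of them. The `static const char` definition at the end of this hunk is split across the page boundary but is otherwise complete.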
@@ -218,31 +270,6 @@ const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
 const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
 const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
-/* tests/data_files/server2.crt */
-const char mbedtls_test_srv_crt_rsa[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
-"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
-"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
-"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
-"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
-"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
-"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
-"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
-"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAAFzC0rF\r\n"
-"y6De8WMcdgQrEw3AhBHFjzqnxZw1ene4IBSC7lTw8rBSy3jOWQdPUWn+0y/pCeeF\r\n"
-"kti6sevFdl1hLemGtd4q+T9TKEKGg3ND4ARfB5AUZZ9uEHq8WBkiwus5clGS17Qd\r\n"
-"dS/TOisB59tQruLx1E1bPLtBKyqk4koC5WAULJwfpswGSyWJTpYwIpxcWE3D2tBu\r\n"
-"UB6MZfXZFzWmWEOyKbeoXjXe8GBCGgHLywvYDsGQ36HSGtEsAvR2QaTLSxWYcfk1\r\n"
-"fbDn4jSWkb4yZy1r01UEigFQtONieGwRFaUqEcFJHJvEEGVgh9keaVlOj2vrwf5r\r\n"
-"4mN4lW7gLdenN6g=\r\n"
-"-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-
-/* tests/data_files/server2.key */
 const char mbedtls_test_srv_key_rsa[] =
 "-----BEGIN RSA PRIVATE KEY-----\r\n"
 "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
From 2f27790565ae511a8486028cd6679799a99c578a Mon Sep 17 00:00:00 2001
From: ILUXONCHIK
Date: Wed, 28 Mar 2018 09:22:15 +0100
Subject: [PATCH 014/113] define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME
---
 library/certs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/library/certs.c b/library/certs.c
index 8fda8b88f9..d8dd699624 100644
--- a/library/certs.c
+++ b/library/certs.c
@@ -166,11 +166,11 @@ const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
 const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA256;
 const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+#define TEST_CA_CRT_RSA_SOME
 const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;
 const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-
-#define TEST_CA_CRT_RSA_SOME
+#define TEST_SRV_CRT_RSA_SOME
 static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
@@ -225,10 +225,12 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 #if !defined (TEST_CA_CRT_RSA_SOME)
 const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
 const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+#endif
+#if !defined(TEST_SRV_CRT_RSA_SOME)
 const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
 const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-#endif /* TEST_CA_CRT_RSA_SOME */
+#endif
 static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
From d94b3e7368e648ef0ade2eb7ddc7de0c0c06fdef Mon Sep 17 00:00:00 2001
From: ILUXONCHIK
Date: Wed, 28 Mar 2018 09:53:51 +0100
Subject: [PATCH 015/113] refactor server SHA-1 certificate definition into a new block
---
 library/certs.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/library/certs.c b/library/certs.c
index d8dd699624..f85729515f 100644
--- a/library/certs.c
+++ b/library/certs.c
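Review bot: The second hunk of PATCH 014/113 replaces a labelled `#endif /* TEST_CA_CRT_RSA_SOME */` with two bare `+#endif` lines, although this file otherwise annotates its conditionals and the two guards now nest one after the other; they should read `#endif /* !TEST_CA_CRT_RSA_SOME */` and `#endif /* !TEST_SRV_CRT_RSA_SOME */` so a reader can match each to its `#if`. The guard spelling is also inconsistent between the existing `#if !defined (TEST_CA_CRT_RSA_SOME)` and the new `+#if !defined(TEST_SRV_CRT_RSA_SOME)`. The hunks of PATCH 015/113 and 016/113 that move these lines keep the bare `#endif`s, so fixing them here avoids carrying the gap forward.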
@@ -174,7 +174,7 @@ const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
 static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
-#endif /* TEST_CA_CR_RSA_SOME */
+#endif /* MBEDTLS_SHA256_C */
 #if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
 #define TEST_CA_CRT_RSA_SHA1 \
@@ -200,6 +200,16 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 "7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
 "-----END CERTIFICATE-----\r\n"
+#if !defined (TEST_CA_CRT_RSA_SOME)
+const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
+const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+#endif
+
+static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+
+#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
+
+#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
 #define TEST_SRV_CRT_RSA_SHA1 \
 "-----BEGIN CERTIFICATE-----\r\n" \
 "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
@@ -222,19 +232,12 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 "4mN4lW7gLdenN6g=\r\n" \
 "-----END CERTIFICATE-----\r\n";
-#if !defined (TEST_CA_CRT_RSA_SOME)
-const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#endif
-
 #if !defined(TEST_SRV_CRT_RSA_SOME)
 const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
 const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
 #endif
-static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
-
-#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
+#endif /* !TEST_SRV_CRT_RSA_SOME || MBEDTLS_SHA1_C */
 const char mbedtls_test_ca_key_rsa[] =
 "-----BEGIN RSA PRIVATE KEY-----\r\n"
From 2bd7f99685c2cba9d3c00c96dcf8a97b3e4517eb Mon Sep 17 00:00:00 2001
From: ILUXONCHIK
Date: Wed, 28 Mar 2018 12:26:46 +0100
Subject: [PATCH 016/113] refactor SHA-1 certificate defintions and assignment
As per refactoring suggestion that I made in #1520.
---
 library/certs.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/library/certs.c b/library/certs.c
index f85729515f..02c2215f3e 100644
--- a/library/certs.c
+++ b/library/certs.c
@@ -176,7 +176,7 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 #endif /* MBEDTLS_SHA256_C */
-#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_SHA1_C) || !defined(TEST_CA_CRT_RSA_SOME) || !defined(TEST_SRV_CRT_RSA_SOME)
 #define TEST_CA_CRT_RSA_SHA1 \
 "-----BEGIN CERTIFICATE-----\r\n" \
 "MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
@@ -200,16 +200,6 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 "7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
 "-----END CERTIFICATE-----\r\n"
-#if !defined (TEST_CA_CRT_RSA_SOME)
-const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#endif
-
-static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
-
-#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
-
-#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
 #define TEST_SRV_CRT_RSA_SHA1 \
 "-----BEGIN CERTIFICATE-----\r\n" \
 "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
@@ -232,12 +222,19 @@ static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
 "4mN4lW7gLdenN6g=\r\n" \
 "-----END CERTIFICATE-----\r\n";
+#if !defined (TEST_CA_CRT_RSA_SOME)
+const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
+const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+#endif
+
 #if !defined(TEST_SRV_CRT_RSA_SOME)
 const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
 const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
 #endif
-#endif /* !TEST_SRV_CRT_RSA_SOME || MBEDTLS_SHA1_C */
+static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+
+#endif /* MBEDTLS_SHA1_C || !TEST_CA_CRT_RSA_SOME || !TEST_SRV_CRT_RSA_SOME */
 const char mbedtls_test_ca_key_rsa[] =
 "-----BEGIN RSA PRIVATE KEY-----\r\n"
From acfee8eb040205148d49dea50722cfcd5baf4d89 Mon Sep 17 00:00:00 2001
From: ILUXONCHIK
Date: Fri, 30 Mar 2018 09:42:50 +0100
Subject: [PATCH 017/113] refactor CA and SRV certificates into separate blocks
---
 library/certs.c | 85 ++++++++++++++++++++++++-------------------------
 1 file changed, 42 insertions(+), 43 deletions(-)
diff --git a/library/certs.c b/library/certs.c
index 02c2215f3e..abe19a47b0 100644
--- a/library/certs.c
+++ b/library/certs.c
@@ -116,7 +116,6 @@ const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
 #endif /* MBEDTLS_ECDSA_C */
 #if defined(MBEDTLS_RSA_C)
-
 #if defined(MBEDTLS_SHA256_C)
 #define TEST_CA_CRT_RSA_SHA256 \
 "-----BEGIN CERTIFICATE-----\r\n" \
@@ -141,42 +140,13 @@ const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
 "n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n" \
 "-----END CERTIFICATE-----\r\n"
-#define TEST_SRV_CRT_RSA_SHA256 \
-"-----BEGIN CERTIFICATE-----\r\n" \
-"MIIDPzCCAiegAwIBAgIJANBEZkZxdopmMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\r\n" \
-"BAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVz\r\n" \
-"dCBDQTAeFw0xODAzMjcxNDEzMjFaFw0yNzA1MDQxNDEzMjFaMDQxCzAJBgNVBAYT\r\n" \
-"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN\r\n" \
-"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxK\r\n" \
-"zzoTFtBa5M2jAIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJ\r\n" \
-"HJa8/sEEUrM21KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91sl\r\n" \
-"c0boC4pPaQy1AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/\r\n" \
-"VqgaHkQYDw+Fi9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7Hxydr\r\n" \
-"xwU9esQCPJodPg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQAB\r\n" \
-"o00wSzAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwCQYDVR0TBAIwADAf\r\n" \
-"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
-"AQEAcvY0HeIT7zmweE5/xk20kvFc0Qbc9dLzdxDlGLv7kDx/9brxjCRTa0/YejuT\r\n" \
-"Pm8diFs1U6OvlzdROkbZpncW9c62mkg5zRrCo3T2E0SZx9GP8JNlo7MhiESjDsFO\r\n" \
-"hcCGCKRnjOlyX4w25hA9JkwnkayeeTWnLwXS0BoFI2liWZNOLlxaSudffD4P1Hls\r\n" \
-"vYOE0cU99bIkaZa9/aNygcjB08dUrD5AFvQO7S7gPCrpDrnuHEXi8EFlbGZfTAHy\r\n" \
-"u+ozycErFLhYhZjtKUs2d1YsK4QKlI1PVjlucfrRXaEnLbi37cKqT68EceHh6ztd\r\n" \
-"lPlhwRx+VicKsW8NHZ3k/wl3Yg==\r\n" \
-"-----END CERTIFICATE-----\r\n"
-
-
+static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA256;
 const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
 #define TEST_CA_CRT_RSA_SOME
-
-const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa
);
-#define TEST_SRV_CRT_RSA_SOME
-
-static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
-
 #endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA1_C) || !defined(TEST_CA_CRT_RSA_SOME) || !defined(TEST_SRV_CRT_RSA_SOME)
+#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
 #define TEST_CA_CRT_RSA_SHA1 \
 "-----BEGIN CERTIFICATE-----\r\n" \
 "MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
@@ -200,6 +170,43 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 "7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
 "-----END CERTIFICATE-----\r\n"
+static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+
+#if !defined (TEST_CA_CRT_RSA_SOME)
+const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
+const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+#endif /* !TEST_CA_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#define TEST_SRV_CRT_RSA_SHA256 \
+"-----BEGIN CERTIFICATE-----\r\n" \
+"MIIDPzCCAiegAwIBAgIJANBEZkZxdopmMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\r\n" \
+"BAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVz\r\n" \
+"dCBDQTAeFw0xODAzMjcxNDEzMjFaFw0yNzA1MDQxNDEzMjFaMDQxCzAJBgNVBAYT\r\n" \
+"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN\r\n" \
+"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxK\r\n" \
+"zzoTFtBa5M2jAIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJ\r\n" \
+"HJa8/sEEUrM21KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91sl\r\n" \
+"c0boC4pPaQy1AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/\r\n" \
+"VqgaHkQYDw+Fi9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7Hxydr\r\n" \
+"xwU9esQCPJodPg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQAB\r\n" \
+"o00wSzAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwCQYDVR0TBAIwADAf\r\n" \
+"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
+"AQEAcvY0HeIT7zmweE5/xk20kvFc0Qbc9dLzdxDlGLv7kDx/9brxjCRTa0/YejuT\r\n" \
+"Pm8diFs1U6OvlzdROkbZpncW9c62mkg5zRrCo3T2E0SZx9GP8JNlo7MhiESjDsFO\r\n" \
+"hcCGCKRnjOlyX4w25hA9JkwnkayeeTWnLwXS0BoFI2liWZNOLlxaSudffD4P1Hls\r\n" \
+"vYOE0cU99bIkaZa9/aNygcjB08dUrD5AFvQO7S7gPCrpDrnuHEXi8EFlbGZfTAHy\r\n" \
+"u+ozycErFLhYhZjtKUs2d1YsK4QKlI1PVjlucfrRXaEnLbi37cKqT68EceHh6ztd\r\n" \
+"lPlhwRx+VicKsW8NHZ3k/wl3Yg==\r\n" \
+"-----END CERTIFICATE-----\r\n"
+
+const char
mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#define TEST_SRV_CRT_RSA_SOME
+#endif /* MBEDTLS_SHA256_C */
+
+#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
 #define TEST_SRV_CRT_RSA_SHA1 \
 "-----BEGIN CERTIFICATE-----\r\n" \
 "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
@@ -222,19 +229,11 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 "4mN4lW7gLdenN6g=\r\n" \
 "-----END CERTIFICATE-----\r\n";
-#if !defined (TEST_CA_CRT_RSA_SOME)
-const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#endif
-
 #if !defined(TEST_SRV_CRT_RSA_SOME)
-const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
 const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-#endif
-
-static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
-
-#endif /* MBEDTLS_SHA1_C || !TEST_CA_CRT_RSA_SOME || !TEST_SRV_CRT_RSA_SOME */
+#endif /* TEST_SRV_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
 const char mbedtls_test_ca_key_rsa[] =
 "-----BEGIN RSA PRIVATE KEY-----\r\n"
From 574ac577b0ec6d0b4db7268c07b03269399b4a7d Mon Sep 17 00:00:00 2001
From: Ron Eldor
Date: Wed, 16 Jan 2019 23:14:41 +0200
Subject: [PATCH 018/113] Specify server certificate to use in SHA-1 test
Specify the SHA-1 server certificate to use in the SHA-1 test, because now the default certificates use SHA256 certificates.
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 335f59d029..a8456bd79c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
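Review bot: Three of the `#endif` labels written by PATCH 017/113 do not match the condition they close: `+#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */` in the CA block misspells SOME, and in the last hunk `+#endif /* TEST_SRV_CRT_RSA_SOME */` closes `#if !defined(TEST_SRV_CRT_RSA_SOME)` while `+#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */` closes the `+#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)` opened in the preceding hunk. They should read `#endif /* !TEST_CA_C RT_RSA_SOME || MBEDTLS_SHA1_C */`, `#endif /* !TEST_SRV_CRT_RSA_SOME */` and `#endif /* !TEST_SRV_CRT_RSA_SOME || MBEDTLS_SHA1_C */` respectively. Now that the CA and server blocks are deliberately structured as mirror images, a wrong label is the only cue a reader has for which nested guard ends where, so these are worth correcting in the same commit that introduces the structure. The `const char mbedtls_test_srv_crt_rsa[]` definition at the top of this span is split across the page boundary but is otherwise complete.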
@@ -4009,7 +4009,7 @@ run_test "Per-version suites: TLS 1.2" \ requires_gnutls run_test "ClientHello without extensions, SHA-1 allowed" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \ "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -s "dumping 'client hello extensions' (0 bytes)" From c49ada41d43cd06ac6f805bbbc6cb19a7c552cf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 28 Jan 2019 09:20:59 +0100 Subject: [PATCH 019/113] Fix backwards include of x509.h in oid.h As agreed during the workshop, temporarily move definitions to oid.h even if they might not semantically belong here, as a short-term measure allowing to build libmbecrypto on its own (without X.509 files present in the source tree) but still provide all the things Mbed TLS currently expects, and more specifically preserve the API and ABI exposed by libmbedtls. --- include/mbedtls/oid.h | 26 ++++++++++++++++++++++---- include/mbedtls/x509.h | 36 +++++++++++++++++++----------------- library/oid.c | 14 +++++--------- 3 files changed, 46 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 6fbd018aaa..afe7a819c2 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h 
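Review bot: Pinning `crt_file=data_files/server2.crt` makes this case depend on a SHA-1-signed certificate, so the server presumably needs SHA-1 support just to load it, yet the only guard visible in the hunk is `requires_gnutls`. Unless a `requires_config_enabled MBEDTLS_SHA1_C` line already sits above the hunk, add one so the case is skipped rather than failing at certificate load in a configuration without SHA-1. The test name already says "SHA-1 allowed", so stating the requirement explicitly matches its intent.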
@@ -43,13 +43,31 @@ #include "md.h" #endif -#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) -#include "x509.h" -#endif - #define MBEDTLS_ERR_OID_NOT_FOUND -0x002E /**< OID is not found. */ #define MBEDTLS_ERR_OID_BUF_TOO_SMALL -0x000B /**< output buffer is too small */ +/* This is for the benefit of X.509, but defined here in order to avoid + * having a "backwards" include of x.509.h here */ +/* + * X.509 extension types (internal, arbitrary values for bitsets) + */ +#define MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0) +#define MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1) +#define MBEDTLS_OID_X509_EXT_KEY_USAGE (1 << 2) +#define MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES (1 << 3) +#define MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS (1 << 4) +#define MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME (1 << 5) +#define MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME (1 << 6) +#define MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7) +#define MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS (1 << 8) +#define MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS (1 << 9) +#define MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS (1 << 10) +#define MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE (1 << 11) +#define MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12) +#define MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13) +#define MBEDTLS_OID_X509_EXT_FRESHEST_CRL (1 << 14) +#define MBEDTLS_OID_X509_EXT_NS_CERT_TYPE (1 << 16) + /* * Top level OID tuples */ diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index d6db9c6e37..d9361b3366 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h 
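Review bot: The comment heading the new block describes the values as "internal, arbitrary values for bitsets", but the same commit makes them the backing of the public `MBEDTLS_X509_EXT_*` aliases, so they are now part of the library's API and ABI and cannot be renumbered; say so, e.g. `/* Exposed through the MBEDTLS_X509_EXT_* aliases in x509.h: these values are ABI, do not renumber. */`. In the sentence above it, `x.509.h` should read `x509.h`. Bit 15 is skipped between `MBEDTLS_OID_X509_EXT_FRESHEST_CRL (1 << 14)` and `MBEDTLS_OID_X509_EXT_NS_CERT_TYPE (1 << 16)`, presumably inherited from the old table; a one-line comment marking the gap as intentional would stop a later contributor from filling it. `INIHIBIT` is a pre-existing misspelling that the aliases in x509.h preserve for compatibility.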
@@ -142,24 +142,26 @@ * * Comments refer to the status for using certificates. Status can be * different for writing certificates or reading CRLs or CSRs. + * + * Those are defined in oid.h as oid.c needs them in a data structure. Since + * these were previously defined here, let's have aliases for compatibility. */ -#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0) -#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1) -#define MBEDTLS_X509_EXT_KEY_USAGE (1 << 2) -#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES (1 << 3) -#define MBEDTLS_X509_EXT_POLICY_MAPPINGS (1 << 4) -#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME (1 << 5) /* Supported (DNS) */ -#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME (1 << 6) -#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7) -#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS (1 << 8) /* Supported */ -#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS (1 << 9) -#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS (1 << 10) -#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE (1 << 11) -#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12) -#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13) -#define MBEDTLS_X509_EXT_FRESHEST_CRL (1 << 14) - -#define MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16) +#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER +#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER +#define MBEDTLS_X509_EXT_KEY_USAGE MBEDTLS_OID_X509_EXT_KEY_USAGE +#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES +#define MBEDTLS_X509_EXT_POLICY_MAPPINGS MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS +#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME /* Supported (DNS) */ +#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME +#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS +#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS 
MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS /* Supported */ +#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS +#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS +#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE +#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS +#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY +#define MBEDTLS_X509_EXT_FRESHEST_CRL MBEDTLS_OID_X509_EXT_FRESHEST_CRL +#define MBEDTLS_X509_EXT_NS_CERT_TYPE MBEDTLS_OID_X509_EXT_NS_CERT_TYPE /* * Storage format identifiers diff --git a/library/oid.c b/library/oid.c index edea950f8f..a7ee528431 100644 --- a/library/oid.c +++ b/library/oid.c @@ -41,10 +41,6 @@ #define mbedtls_snprintf snprintf #endif -#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) -#include "mbedtls/x509.h" -#endif - /* * Macro to automatically add the size of #define'd OIDs */ @@ -260,23 +256,23 @@ static const oid_x509_ext_t oid_x509_ext[] = { { { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ), "id-ce-basicConstraints", "Basic Constraints" }, - MBEDTLS_X509_EXT_BASIC_CONSTRAINTS, + MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS, }, { { ADD_LEN( MBEDTLS_OID_KEY_USAGE ), "id-ce-keyUsage", "Key Usage" }, - MBEDTLS_X509_EXT_KEY_USAGE, + MBEDTLS_OID_X509_EXT_KEY_USAGE, }, { { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ), "id-ce-extKeyUsage", "Extended Key Usage" }, - MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE, + MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE, }, { { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ), "id-ce-subjectAltName", "Subject Alt Name" }, - MBEDTLS_X509_EXT_SUBJECT_ALT_NAME, + MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME, }, { { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ), "id-netscape-certtype", "Netscape Certificate Type" }, - MBEDTLS_X509_EXT_NS_CERT_TYPE, + MBEDTLS_OID_X509_EXT_NS_CERT_TYPE, }, { { NULL, 0, NULL, NULL }, 
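Review bot: The aliases added to `include/mbedtls/x509.h` expand to `MBEDTLS_OID_X509_EXT_*` names that now live in `oid.h`, but the hunk does not show x509.h gaining an `#include "oid.h"`; if x509.h is included on its own, or before oid.h, by code that uses `MBEDTLS_X509_EXT_KEY_USAGE` or any sibling, the alias expands to an undeclared identifier. Unless an include of oid.h already exists above the hunk, add `#include "oid.h"` beside the other includes at the top of x509.h. The explanatory comment would also read more clearly as `/* These are defined in oid.h because oid.c needs them in a data structure; the aliases below keep the previous names working. */`.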
From 430a66f19ac13e43d86df9cdd6f108b3dafa1e6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 28 Jan 2019 09:28:20 +0100 Subject: [PATCH 020/113] Fix backwards config dependency on oid.c The file oid.c had conditional inclusion of functions based on a config.h define that belongs to X.509, which is backwards. For now, just include those functions unconditionally and rely on the linker to garbage-collect them if not used. In the longer term X.509-specific functions are likely to be removed from libmbedcrypto, but at this step the goal is to preserve the API (and even ABI) of libmbedcrypto for as long as possible while separating the source trees of Mbed Crypto and Mbed TLS. --- include/mbedtls/oid.h | 2 -- library/oid.c | 2 -- 2 files changed, 4 deletions(-) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index afe7a819c2..65e626e11d 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -442,7 +442,6 @@ typedef struct mbedtls_oid_descriptor_t */ int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_buf *oid ); -#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) /** * \brief Translate an X.509 extension OID into local values * @@ -452,7 +451,6 @@ int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_b * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND */ int mbedtls_oid_get_x509_ext_type( const mbedtls_asn1_buf *oid, int *ext_type ); -#endif /** * \brief Translate an X.509 attribute type OID into the short name diff --git a/library/oid.c b/library/oid.c index a7ee528431..294bbd6617 100644 --- a/library/oid.c +++ b/library/oid.c @@ -148,7 +148,6 @@ int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid , \ return( MBEDTLS_ERR_OID_NOT_FOUND ); \ } -#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) /* * For X520 attribute types */ 
@@ -296,7 +295,6 @@ static const mbedtls_oid_descriptor_t oid_ext_key_usage[] = FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage) FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage, mbedtls_oid_descriptor_t, ext_key_usage, const char *, description) -#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */ #if defined(MBEDTLS_MD_C) /* From e6bcad3f797515bc9961593ca4100ce955ea693b Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Tue, 11 Dec 2018 14:01:44 -0600 Subject: [PATCH 021/113] Fix DEADCODE in mbedtls_mpi_exp_mod() In mbedtls_mpi_exp_mod(), the limit check on wsize is never true when MBEDTLS_MPI_WINDOW_SIZE is at least 6. Wrap in a preprocessor guard to remove the dead code and resolve a Coverity finding from the DEADCODE checker. Change-Id: Ice7739031a9e8249283a04de11150565b613ae89 --- library/bignum.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/bignum.c b/library/bignum.c index 87015af0c8..47e4529bef 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1869,8 +1869,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 : ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1; +#if( MBEDTLS_MPI_WINDOW_SIZE < 6 ) if( wsize > MBEDTLS_MPI_WINDOW_SIZE ) wsize = MBEDTLS_MPI_WINDOW_SIZE; +#endif j = N->n + 1; MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) ); From 60c6da23521732a152e3024c774bb526821d0134 Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Thu, 27 Dec 2018 06:59:04 -0600 Subject: [PATCH 022/113] all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1 There were no tests for a non-default MPI window size. Add one. Change-Id: Ic08fbc9161d0b3ee67eb3c91f9baf602646c9dfe --- tests/scripts/all.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 182f7fff40..48b1773d42 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
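Review bot: `#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )` repeats the largest value of the `wsize` table on the preceding line as a bare literal, so the guard and the table can drift apart silently if the thresholds are ever retuned, and the new lines carry no comment saying why the clamp is conditional. At minimum tie the two together: `/* The table above never yields wsize > 6, so the clamp is only reachable when the configured window is smaller; guarded to avoid a dead-code warning. */`. Stylistically the surrounding file writes preprocessor conditions as `#if MBEDTLS_MPI_WINDOW_SIZE < 6` rather than `#if( ... )`. The enclosing `mbedtls_mpi_exp_mod` starts and ends outside the hunk.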
@@ -976,6 +976,16 @@ support_test_mx32 () { esac } +component_test_min_mpi_window_size () { + msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s + scripts/config.pl set MBEDTLS_MPI_WINDOW_SIZE 1 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s + make test +} + component_test_have_int32 () { msg "build: gcc, force 32-bit bignum limbs" scripts/config.pl unset MBEDTLS_HAVE_ASM From 5da93f8903bcc91da934b89b0a02fbfeea12deb2 Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Sat, 9 Feb 2019 10:21:57 -0600 Subject: [PATCH 023/113] Update ChangeLog --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 5c2fbbbd4f..32fc393174 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,10 @@ Changes produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. + * Remove dead code from bignum.c in the default configuration. + Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. + * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. + Contributed by Peter Kolbus (Garmin). = mbed TLS 2.16.0 branch released 2018-12-21 From 3467dcf452a9ee9f2fcde740f46f8696706d4601 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 12 Feb 2019 15:30:26 +0200 Subject: [PATCH 024/113] Use certificates from data_files and refer them Use the server certificate from `data_files` folder, for formality, and refer to the source, for easier reproduction. --- library/certs.c | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/library/certs.c b/library/certs.c index abe19a47b0..b54ff611f7 100644 --- a/library/certs.c +++ b/library/certs.c 
@@ -179,26 +179,27 @@ const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa ); #endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */ #if defined(MBEDTLS_SHA256_C) -#define TEST_SRV_CRT_RSA_SHA256 \ -"-----BEGIN CERTIFICATE-----\r\n" \ -"MIIDPzCCAiegAwIBAgIJANBEZkZxdopmMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\r\n" \ -"BAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVz\r\n" \ -"dCBDQTAeFw0xODAzMjcxNDEzMjFaFw0yNzA1MDQxNDEzMjFaMDQxCzAJBgNVBAYT\r\n" \ -"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN\r\n" \ -"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxK\r\n" \ -"zzoTFtBa5M2jAIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJ\r\n" \ -"HJa8/sEEUrM21KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91sl\r\n" \ -"c0boC4pPaQy1AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/\r\n" \ -"VqgaHkQYDw+Fi9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7Hxydr\r\n" \ -"xwU9esQCPJodPg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQAB\r\n" \ -"o00wSzAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwCQYDVR0TBAIwADAf\r\n" \ -"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \ -"AQEAcvY0HeIT7zmweE5/xk20kvFc0Qbc9dLzdxDlGLv7kDx/9brxjCRTa0/YejuT\r\n" \ -"Pm8diFs1U6OvlzdROkbZpncW9c62mkg5zRrCo3T2E0SZx9GP8JNlo7MhiESjDsFO\r\n" \ -"hcCGCKRnjOlyX4w25hA9JkwnkayeeTWnLwXS0BoFI2liWZNOLlxaSudffD4P1Hls\r\n" \ -"vYOE0cU99bIkaZa9/aNygcjB08dUrD5AFvQO7S7gPCrpDrnuHEXi8EFlbGZfTAHy\r\n" \ -"u+ozycErFLhYhZjtKUs2d1YsK4QKlI1PVjlucfrRXaEnLbi37cKqT68EceHh6ztd\r\n" \ -"lPlhwRx+VicKsW8NHZ3k/wl3Yg==\r\n" \ +/* tests/data_files/server2-sha256.crt */ +#define TEST_SRV_CRT_RSA_SHA256 \ +"-----BEGIN CERTIFICATE-----\r\n" \ +"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \ +"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \ +"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \ +"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \ 
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \ +"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \ +"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \ +"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \ +"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \ +"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \ +"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \ +"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5\r\n" \ +"kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5\r\n" \ +"DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A\r\n" \ +"3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr\r\n" \ +"ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v\r\n" \ +"eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm\r\n" \ +"e4K1cVANRPN2o9Y=\r\n" \ "-----END CERTIFICATE-----\r\n" const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256; @@ -207,7 +208,8 @@ const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa ); #endif /* MBEDTLS_SHA256_C */ #if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C) -#define TEST_SRV_CRT_RSA_SHA1 \ +/* tests/data_files/server2.crt */ +#define TEST_SRV_CRT_RSA_SHA1 \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \ "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \ From 28cb6fbd472cd58aa6b50cceb67f72e4cbe80642 Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Mon, 18 Feb 2019 12:01:03 +0100 Subject: [PATCH 025/113] Unbump version to 0.0.0 --- doxygen/input/doc_mainpage.h | 2 +- doxygen/mbedtls.doxyfile | 2 +- include/mbedtls/version.h | 10 +++++----- library/CMakeLists.txt | 6 +++--- tests/suites/test_suite_version.data | 4 ++-- 5 files changed, 12 insertions(+), 12 deletions(-) 
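Review bot: The replacement `TEST_SRV_CRT_RSA_SHA256` body carries a much shorter validity window than the certificate it removes: its third base64 line decodes to a notBefore/notAfter of 110212144406Z/210212144406Z (2011-02-12 to 2021-02-12), whereas the removed body ran 2018-03-27 to 2027-05-04. Anything that performs time-based validation against `mbedtls_test_srv_crt_rsa` will start failing in February 2021 unless the file is regenerated first, which deserves a line next to `/* tests/data_files/server2-sha256.crt */`, e.g. `/* NOTE: expires 2021-02-12; regenerate together with tests/data_files/server2-sha256.crt */`. Nothing checks that the embedded copy still matches the file it cites; a small script under tests/scripts that diffs the two would keep that comment honest.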
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index ffc3cecbeb..d9177fb2d9 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -24,7 +24,7 @@ */ /** - * @mainpage mbed TLS v2.16.0 source code documentation + * @mainpage mbed TLS v0.0.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 574db8d463..b0190e4488 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.16.0" +PROJECT_NAME = "mbed TLS v0.0.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 56e7398a2a..3f2e12ca52 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -38,8 +38,8 @@ * The version number x.y.z is split into three parts. * Major, Minor, Patchlevel */ -#define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 16 +#define MBEDTLS_VERSION_MAJOR 0 +#define MBEDTLS_VERSION_MINOR 0 #define MBEDTLS_VERSION_PATCH 0 /** @@ -47,9 +47,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02100000 -#define MBEDTLS_VERSION_STRING "2.16.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.0" +#define MBEDTLS_VERSION_NUMBER 0x00000000 +#define MBEDTLS_VERSION_STRING "0.0.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 0.0.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 6d45fe4bd9..bd58b8a14d 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt 
@@ -182,20 +182,20 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) if(NOT USE_CRYPTO_SUBMODULE) add_library(mbedcrypto SHARED ${src_crypto}) - set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.0 SOVERSION 3) + set_target_properties(mbedcrypto PROPERTIES VERSION 0.0.0 SOVERSION 3) target_link_libraries(mbedcrypto ${libs}) target_include_directories(mbedcrypto PUBLIC ${CMAKE_SOURCE_DIR}/include/) endif() add_library(mbedx509 SHARED ${src_x509}) - set_target_properties(mbedx509 PROPERTIES VERSION 2.16.0 SOVERSION 0) + set_target_properties(mbedx509 PROPERTIES VERSION 0.0.0 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) target_include_directories(mbedx509 PUBLIC ${CMAKE_SOURCE_DIR}/include/ PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) add_library(mbedtls SHARED ${src_tls}) - set_target_properties(mbedtls PROPERTIES VERSION 2.16.0 SOVERSION 12) + set_target_properties(mbedtls PROPERTIES VERSION 0.0.0 SOVERSION 12) target_link_libraries(mbedtls ${libs} mbedx509) target_include_directories(mbedtls PUBLIC ${CMAKE_SOURCE_DIR}/include/ diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 62bb782125..7165f368a1 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.16.0" +check_compiletime_version:"0.0.0" Check runtime library version -check_runtime_version:"2.16.0" +check_runtime_version:"0.0.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0 From 17a38d3a74d4c6788a4fe0230cefc639d897c6d7 Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Mon, 18 Feb 2019 15:29:56 +0100 Subject: [PATCH 026/113] Reenable GnuTLS next based tests --- tests/ssl-opt.sh | 29 ++++++++--------------------- 1 file changed, 8 insertions(+), 21 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bc783103ac..286b128616 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -6701,13 +6701,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ -c "fragmenting handshake message" \ -C "error" -## The two tests below are disabled due to a bug in GnuTLS client that causes -## handshake failures when the NewSessionTicket message is lost, see -## https://gitlab.com/gnutls/gnutls/issues/543 -## We can re-enable them when a fixed version fo GnuTLS is available -## and installed in our CI system. -skip_next_test -requires_gnutls +requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -6719,12 +6713,11 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ - "$G_CLI -u --insecure 127.0.0.1" \ + "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" -skip_next_test -requires_gnutls +requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -6736,7 +6729,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - "$G_CLI -u --insecure 127.0.0.1" \ + "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" 
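Review bot: Replacing `skip_next_test` / `requires_gnutls` with `requires_gnutls_next` also deletes the comments that recorded why these cases needed a newer GnuTLS, so the new code no longer says what the guard is protecting against or when it can be relaxed. Keep one line per group, e.g. `# Needs a GnuTLS with gitlab.com/gnutls/gnutls/issues/543 fixed (handshake fails when NewSessionTicket is lost).` for the two fragmenting-client cases and `# Needs GnuTLS >= 3.5.2 (out-of-order fragment handling).` for the two proxy cases, so the guard can drop back to `requires_gnutls` once the CI's default GnuTLS catches up. The same applies to the hunks at @@ -6719 and @@ -6736 here and to the @@ -7306 hunk on the next line.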
@@ -7306,29 +7299,23 @@ run_test "DTLS proxy: 3d, gnutls server" \ -s "Extra-header:" \ -c "Extra-header:" -# The next two test are disabled because they tend to trigger a bug in the -# version of GnuTLS that's currently installed on our CI. The bug occurs when -# different fragments of the same handshake message are received out-of-order -# by GnuTLS and results in a timeout. It's been fixed in GnuTLS 3.5.2. -skip_next_test -requires_gnutls +requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$G_SRV -u --mtu 512" \ + "$G_NEXT_SRV -u --mtu 512" \ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" -skip_next_test -requires_gnutls +requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$G_SRV -u --mtu 512" \ + "$G_NEXT_SRV -u --mtu 512" \ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \ 0 \ -s "Extra-header:" \ From 640972405907eabc898f660f9cf83e3ab1faecb4 Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Tue, 19 Feb 2019 12:25:24 +0100 Subject: [PATCH 027/113] Update change log --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 5c2fbbbd4f..e0c3a0a640 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,8 @@ Changes produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. + * Re-enable certain ssl-opt.sh tests that depend on a more recent GnuTLS + version, as one has become available and integrated with the CI system. = mbed TLS 2.16.0 branch released 2018-12-21 From cddbd01e4fd02facd61a05a4803ef9528e523fbf Mon Sep 17 00:00:00 2001 
From: k-stachowiak Date: Tue, 19 Feb 2019 12:40:34 +0100 Subject: [PATCH 028/113] Reword changelog entry --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e0c3a0a640..33247f7378 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,8 +35,8 @@ Changes produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. - * Re-enable certain ssl-opt.sh tests that depend on a more recent GnuTLS - version, as one has become available and integrated with the CI system. + * Re-enable certain interoperability tests in ssl-opt.sh which had previously + been disabled for lack of a sufficiently recent version of GnuTLS on the CI. = mbed TLS 2.16.0 branch released 2018-12-21 From 85a6dd40ba290eb6b5bc414d79559bd013365179 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 15 Oct 2018 16:32:42 +0200 Subject: [PATCH 029/113] Add tests for RSA encrypt/decrypt with NULL for empty message --- tests/suites/test_suite_pkcs1_v15.data | 6 ++++++ tests/suites/test_suite_pkcs1_v15.function | 19 ++++++++++++------- tests/suites/test_suite_pkcs1_v21.data | 8 ++++++++ tests/suites/test_suite_pkcs1_v21.function | 19 ++++++++++++------- 4 files changed, 38 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_pkcs1_v15.data b/tests/suites/test_suite_pkcs1_v15.data index a4d6eb5457..4e76456fa1 100644 --- a/tests/suites/test_suite_pkcs1_v15.data +++ b/tests/suites/test_suite_pkcs1_v15.data 
@@ -1,3 +1,9 @@ +RSAES-V15 Encryption input=NULL with length=0 +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_NONE:"":"aafd12f659cae63489b479e5076ddec2f06cb58f67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32":"42c6fce63a3b858ba89fe83004cac3651d1497c15090bf0086b9a4b9ff3bd451502838a413095aefe231832ba10bb467ae3f95c889cd8e9a6e32b4df633b2170d07a2168c086745f0017cf1d9facff2eee55af2fcb03730209173b2a0bbfb2d4c34d7ea93b3b0cb84a8a7b6371670e14482e6dcedbdd9efe66d906e0238586fe":0 + +RSAES-V15 Decryption empty output with NULL buffer +pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_NONE:"":"aafd12f659cae63489b479e5076ddec2f06cb58f":"42c6fce63a3b858ba89fe83004cac3651d1497c15090bf0086b9a4b9ff3bd451502838a413095aefe231832ba10bb467ae3f95c889cd8e9a6e32b4df633b2170d07a2168c086745f0017cf1d9facff2eee55af2fcb03730209173b2a0bbfb2d4c34d7ea93b3b0cb84a8a7b6371670e14482e6dcedbdd9efe66d906e0238586fe":0 + RSAES-V15 Encryption Test Vector Int 
pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32":"6c5ebca6116b1e91316613fbb5e93197270a849122d549122d05815e2626f80d20f7f3f038c98295203c0f7f6bb8c3568455c67dec82bca86be86eff43b56b7ba2d15375f9a42454c2a2c709953a6e4a977462e35fd21a9c2fb3c0ad2a370f7655267bf6f04814784982988e663b869fc8588475af860d499e5a6ffdfc2c6bfd":0 diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 0723623a5f..3ef4e2ce3f 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -32,11 +32,11 @@ void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N, TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); - + if( message_str->len == 0 ) + message_str->x = NULL; TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, message_str->len, message_str->x, output ) == result ); if( result == 0 ) { - TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 ); } 
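Review bot: `message_str->x = NULL;` overwrites the pointer the test harness handed in rather than a local copy, so if the harness frees `message_str->x` after the function returns the original allocation is leaked, and any bookkeeping the harness keeps on that pointer is defeated. A local keeps ownership untouched: `const unsigned char *input = ( message_str->len == 0 ) ? NULL : message_str->x;` and then pass `input` to `mbedtls_rsa_pkcs1_encrypt` in place of `message_str->x`. Whether the harness frees through that pointer is not visible in the hunk; `pkcs1_rsaes_v15_encrypt` starts and ends outside it.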
@@ -78,12 +78,17 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P, TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); - - TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result ); - if( result == 0 ) + if( result_hex_str->len == 0 ) { - - TEST_ASSERT( hexcmp( output, result_hex_str->x, output_len, result_hex_str->len) == 0 ); + TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, NULL, 0 ) == result ); + } + else + { + TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result ); + if( result == 0 ) + { + TEST_ASSERT( hexcmp( output, result_hex_str->x, output_len, result_hex_str->len) == 0 ); + } } exit: diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data index 291c305a95..012867c0f9 100644 --- a/tests/suites/test_suite_pkcs1_v21.data +++ b/tests/suites/test_suite_pkcs1_v21.data 
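Review bot: The new `result_hex_str->len == 0` branch passes `NULL, 0` as the output buffer and checks only the return code, so a decryption that reports success while leaving `output_len` at some other value would still pass; add `if( result == 0 ) TEST_ASSERT( output_len == 0 );` after the call. Because the branch is selected by the expected output being empty rather than by the input, the `hexcmp` path is never taken for an empty expected message, which is fine only once `output_len` is pinned this way. The matching hunk in `test_suite_pkcs1_v21.function` listed in the diffstat is not in view and presumably needs the same assertion.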
@@ -187,6 +187,10 @@ pkcs1_rsaes_oaep_encrypt:2048:16:"ae45ed5601cec6b8cc05f803935c674ddbe0d75c4c09fd RSAES-OAEP Encryption Example 10_6 pkcs1_rsaes_oaep_encrypt:2048:16:"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":16:"010001":MBEDTLS_MD_SHA1:"eaf1a73a1b0c4609537de69cd9228bbcfb9a8ca8c6c3efaf056fe4a7f4634ed00b7c39ec6922d7b8ea2c04ebac":"9f47ddf42e97eea856a9bdbc714eb3ac22f6eb32":"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":0 +RSAES-OAEP Encryption input=NULL with length=0 +depends_on:MBEDTLS_SHA1_C +pkcs1_rsaes_oaep_encrypt:2048:16:"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":16:"010001":MBEDTLS_MD_SHA1:"":"9f47ddf42e97eea856a9bdbc714eb3ac22f6eb32":"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":0 + RSAES-OAEP Decryption Test Vector Int pkcs1_rsaes_oaep_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":0 
@@ -370,6 +374,10 @@ pkcs1_rsaes_oaep_decrypt:2048:16:"ecf5aecd1e5515fffacbd75a2816c6ebf49018cdfb4638 RSAES-OAEP Decryption Example 10_6 pkcs1_rsaes_oaep_decrypt:2048:16:"ecf5aecd1e5515fffacbd75a2816c6ebf49018cdfb4638e185d66a7396b6f8090f8018c7fd95cc34b857dc17f0cc6516bb1346ab4d582cadad7b4103352387b70338d084047c9d9539b6496204b3dd6ea442499207bec01f964287ff6336c3984658336846f56e46861881c10233d2176bf15a5e96ddc780bc868aa77d3ce769":16:"bc46c464fc6ac4ca783b0eb08a3c841b772f7e9b2f28babd588ae885e1a0c61e4858a0fb25ac299990f35be85164c259ba1175cdd7192707135184992b6c29b746dd0d2cabe142835f7d148cc161524b4a09946d48b828473f1ce76b6cb6886c345c03e05f41d51b5c3a90a3f24073c7d74a4fe25d9cf21c75960f3fc3863183":16:"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":16:"010001":MBEDTLS_MD_SHA1:"eaf1a73a1b0c4609537de69cd9228bbcfb9a8ca8c6c3efaf056fe4a7f4634ed00b7c39ec6922d7b8ea2c04ebac":"9f47ddf42e97eea856a9bdbc714eb3ac22f6eb32":"2d207a73432a8fb4c03051b3f73b28a61764098dfa34c47a20995f8115aa6816679b557e82dbee584908c6e69782d7deb34dbd65af063d57fca76a5fd069492fd6068d9984d209350565a62e5c77f23038c12cb10c6634709b547c46f6b4a709bd85ca122d74465ef97762c29763e06dbc7a9e738c78bfca0102dc5e79d65b973f28240caab2e161a78b57d262457ed8195d53e3c7ae9da021883c6db7c24afdd2322eac972ad3c354c5fcef1e146c3a0290fb67adf007066e00428d2cec18ce58f9328698defef4b2eb5ec76918fde1c198cbb38b7afc67626a9aefec4322bfd90d2563481c9a221f78c8272c82d1b62ab914e1c69f6af6ef30ca5260db4a46":0 +RSAES-OAEP Decryption empty output with NULL buffer +depends_on:MBEDTLS_SHA1_C 
+pkcs1_rsaes_oaep_decrypt:2048:16:"ecf5aecd1e5515fffacbd75a2816c6ebf49018cdfb4638e185d66a7396b6f8090f8018c7fd95cc34b857dc17f0cc6516bb1346ab4d582cadad7b4103352387b70338d084047c9d9539b6496204b3dd6ea442499207bec01f964287ff6336c3984658336846f56e46861881c10233d2176bf15a5e96ddc780bc868aa77d3ce769":16:"bc46c464fc6ac4ca783b0eb08a3c841b772f7e9b2f28babd588ae885e1a0c61e4858a0fb25ac299990f35be85164c259ba1175cdd7192707135184992b6c29b746dd0d2cabe142835f7d148cc161524b4a09946d48b828473f1ce76b6cb6886c345c03e05f41d51b5c3a90a3f24073c7d74a4fe25d9cf21c75960f3fc3863183":16:"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":16:"010001":MBEDTLS_MD_SHA1:"":"9f47ddf42e97eea856a9bdbc714eb3ac22f6eb32":"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":0 + RSASSA-PSS Signing Test Vector Int pkcs1_rsassa_pss_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0dced472394a0df743fe7f929e378efdb368eddff453cf007af6d948e0ade757371f8a711e278f6b":16:"c6d92b6fee7414d1358ce1546fb62987530b90bd15e0f14963a5e2635adb69347ec0c01b2ab1763fd8ac1a592fb22757463a982425bb97a3a437c5bf86d03f2f":16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":0 
diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index 99be08ac0c..180bc4ae36 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -32,11 +32,11 @@ void pkcs1_rsaes_oaep_encrypt( int mod, int radix_N, char * input_N, TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) ); TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); - + if( message_str->len == 0 ) + message_str->x = NULL; TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, message_str->len, message_str->x, output ) == result ); if( result == 0 ) { - TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 ); } @@ -79,12 +79,17 @@ void pkcs1_rsaes_oaep_decrypt( int mod, int radix_P, char * input_P, TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 ); TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 ); - - TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result ); - if( result == 0 ) + if( result_hex_str->len == 0 ) { - - TEST_ASSERT( hexcmp( output, result_hex_str->x, output_len, result_hex_str->len ) == 0 ); + TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, NULL, 0 ) == result ); + } + else + { + TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result ); + if( result == 0 ) + { + TEST_ASSERT( hexcmp( output, result_hex_str->x, output_len, result_hex_str->len ) == 0 ); + } } exit: From adc558e2895ee72ea0121e8b3b63b8546fda7fed Mon Sep 17 00:00:00 2001 
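Review bot: `message_str->x = NULL` overwrites the test parameter without saying why, and whether the framework still frees the original buffer through another reference is not visible here; if `data_t` owns `x`, this leaks it in the zero-length case. A comment stating the purpose, `/* len == 0: pass NULL to exercise the documented NULL-input contract. */`, plus a check that the dispatcher releases the buffer independently of `x`, would settle both. pkcs1_rsaes_oaep_encrypt starts before the hunk.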
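Review bot: The NULL-buffer branch of pkcs1_rsaes_oaep_decrypt has the same gap as its v1.5 counterpart: on `result == 0` nothing asserts that the library reported an empty plaintext. Add `TEST_ASSERT( output_len == 0 );` inside an `if( result == 0 )` in that branch so the two suites stay consistent and the `output_len` contract for `output_max_len == 0` is actually tested. The enclosing function starts before the hunk.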
From: Gilles Peskine Date: Tue, 6 Nov 2018 15:52:43 +0000 Subject: [PATCH 030/113] Fix test data missing some fake-random input The test function pkcs1_rsaes_v15_encrypt gets its fake-random input for padding from a test parameter. In one test case, the parameter was too short, causing a fallback to rand(). The reference output depends on this random input, so the test data was correct only for a platform with one particular rand() implementation. Supply sufficient fake-random input so that rand() isn't called. --- tests/suites/test_suite_pkcs1_v15.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs1_v15.data b/tests/suites/test_suite_pkcs1_v15.data index 4e76456fa1..b4cf09a57e 100644 --- a/tests/suites/test_suite_pkcs1_v15.data +++ b/tests/suites/test_suite_pkcs1_v15.data 
@@ -1,5 +1,5 @@ RSAES-V15 Encryption input=NULL with length=0 -pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_NONE:"":"aafd12f659cae63489b479e5076ddec2f06cb58f67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32":"42c6fce63a3b858ba89fe83004cac3651d1497c15090bf0086b9a4b9ff3bd451502838a413095aefe231832ba10bb467ae3f95c889cd8e9a6e32b4df633b2170d07a2168c086745f0017cf1d9facff2eee55af2fcb03730209173b2a0bbfb2d4c34d7ea93b3b0cb84a8a7b6371670e14482e6dcedbdd9efe66d906e0238586fe":0 +pkcs1_rsaes_v15_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_NONE:"":"aafd12f659cae63489b479e5076ddec2f06cb58f67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb3267c6697351ff4aec29cdbaabf2fbe34676cac0":"42c6fce63a3b858ba89fe83004cac3651d1497c15090bf0086b9a4b9ff3bd451502838a413095aefe231832ba10bb467ae3f95c889cd8e9a6e32b4df633b2170d07a2168c086745f0017cf1d9facff2eee55af2fcb03730209173b2a0bbfb2d4c34d7ea93b3b0cb84a8a7b6371670e14482e6dcedbdd9efe66d906e0238586fe":0 RSAES-V15 Decryption empty output with NULL buffer 
pkcs1_rsaes_v15_decrypt:1024:16:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":16:"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":MBEDTLS_MD_NONE:"":"aafd12f659cae63489b479e5076ddec2f06cb58f":"42c6fce63a3b858ba89fe83004cac3651d1497c15090bf0086b9a4b9ff3bd451502838a413095aefe231832ba10bb467ae3f95c889cd8e9a6e32b4df633b2170d07a2168c086745f0017cf1d9facff2eee55af2fcb03730209173b2a0bbfb2d4c34d7ea93b3b0cb84a8a7b6371670e14482e6dcedbdd9efe66d906e0238586fe":0 From 60848e65741051452f56945b7ca380cb9c7ad60c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 15:06:15 +0000 Subject: [PATCH 031/113] Don't reuse CRT from initial handshake during renegotiation After mitigating the 'triple handshake attack' by checking that the peer's end-CRT didn't change during renegotation, the current code avoids re-parsing the CRT by moving the CRT-pointer from the old session to the new one. While efficient, this will no longer work once only the hash of the peer's CRT is stored beyond the handshake. This commit removes the code-path moving the old CRT, and instead frees the entire peer CRT chain from the initial handshake as soon as the 'triple handshake attack' protection has completed. --- library/ssl_tls.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4c23f0e075..e8d4a7634a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
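Review bot: The fake-random string grows from 109 to 128 bytes, which covers the 125 padding bytes (k − 3 for a 128-byte modulus and an empty message) that PKCS#1 v1.5 encryption draws if every byte is non-zero, but nothing records that margin, so the next edit to this vector can silently re-enable the `rand()` fallback the commit message describes. The durable fix belongs in the test function rather than the data: make the fake-RNG exhaustion a test failure (for example by asserting that the buffer was not fully consumed after `mbedtls_rsa_pkcs1_encrypt`) instead of relying on vector length. I could not see the fallback code itself here, so the exact assertion depends on how `rnd_buffer_rand` tracks remaining bytes.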
@@ -5901,18 +5901,12 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); } - /* Move CRT chain structure to new session instance. */ - ssl->session_negotiate->peer_cert = ssl->session->peer_cert; - ssl->session->peer_cert = NULL; + /* Now we can safely free the original chain. */ + mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); + mbedtls_free( ssl->session_negotiate->peer_cert ); + ssl->session_negotiate->peer_cert = NULL; - /* Delete all remaining CRTs from the original CRT chain. */ - mbedtls_x509_crt_free( - ssl->session_negotiate->peer_cert->next ); - mbedtls_free( ssl->session_negotiate->peer_cert->next ); - ssl->session_negotiate->peer_cert->next = NULL; - - i += n; - continue; + /* Intentional fallthrough. */ } #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ From f852b1c03534a0fd9d45310c183191f8671c3d9b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 11:42:30 +0000 Subject: [PATCH 032/113] Break overly long line in definition of mbedtls_ssl_get_session() --- library/ssl_tls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e8d4a7634a..e3470f136a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8532,7 +8532,8 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ss #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_CLI_C) -int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst ) +int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, + mbedtls_ssl_session *dst ) { if( ssl == NULL || dst == NULL || From 1294a0b260997b6d0ae3927d00dab59156324511 Mon Sep 17 00:00:00 2001 
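Review bot: The comment says the original chain is freed, but the three new lines free `ssl->session_negotiate->peer_cert`, whereas the chain from the initial handshake that the removed move used to transfer lives in `ssl->session->peer_cert`. This block is reached only when `ssl->session_negotiate->peer_cert == NULL` (that is the "first CRT" condition shown in the PATCH 034 context), so as written the free is a no-op and the initial-handshake chain stays alive until `ssl->session` itself is freed, which is not what the commit describes. The lines should read `mbedtls_x509_crt_free( ssl->session->peer_cert ); mbedtls_free( ssl->session->peer_cert ); ssl->session->peer_cert = NULL;`. ssl_parse_certificate_chain starts before the hunk.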
From: Hanno Becker Date: Tue, 5 Feb 2019 12:38:15 +0000 Subject: [PATCH 033/113] Introduce helper function to clear peer CRT from session structure This commit introduces a helper function `ssl_clear_peer_cert()` which frees all data related to the peer's certificate from an `mbedtls_ssl_session` structure. Currently, this is the peer's certificate itself, while eventually, it'll be its digest only. --- library/ssl_tls.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e3470f136a..1ccb278918 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5741,6 +5741,16 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ +static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) +{ + if( session->peer_cert != NULL ) + { + mbedtls_x509_crt_free( session->peer_cert ); + mbedtls_free( session->peer_cert ); + session->peer_cert = NULL; + } +} + /* * Once the certificate message is read, parse it into a cert chain and * perform basic checks, but leave actual verification to the caller @@ -5834,13 +5844,8 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ i += 3; - /* In case we tried to reuse a session but it failed */ - if( ssl->session_negotiate->peer_cert != NULL ) - { - mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); - mbedtls_free( ssl->session_negotiate->peer_cert ); - ssl->session_negotiate->peer_cert = NULL; - } + /* In case we tried to reuse a session but it failed. */ + ssl_clear_peer_cert( ssl->session_negotiate ); /* Iterate through and parse the CRTs in the provided chain. */ while( i < ssl->in_hslen ) 
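Review bot: `ssl_clear_peer_cert()` is defined next to `ssl_parse_certificate_chain()`, inside the region that the dummy/real certificate handlers split on certificate-based key exchanges being enabled (`#else` near line 5599 to `#endif` near 6189 in the later hunks), while its new caller in `mbedtls_ssl_session_free` is guarded only by `MBEDTLS_X509_CRT_PARSE_C`. If a configuration with `MBEDTLS_X509_CRT_PARSE_C` but no certificate-based key exchange is legal — I cannot confirm that from here — that build references an undeclared static function. Defining the helper under `#if defined(MBEDTLS_X509_CRT_PARSE_C)` outside the key-exchange section avoids it; a one-line header comment, `/* Free and reset the peer certificate data held in a session. */`, is also missing.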
@@ -5902,9 +5907,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) } /* Now we can safely free the original chain. */ - mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); - mbedtls_free( ssl->session_negotiate->peer_cert ); - ssl->session_negotiate->peer_cert = NULL; + ssl_clear_peer_cert( ssl->session ); /* Intentional fallthrough. */ } @@ -9420,11 +9423,7 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) return; #if defined(MBEDTLS_X509_CRT_PARSE_C) - if( session->peer_cert != NULL ) - { - mbedtls_x509_crt_free( session->peer_cert ); - mbedtls_free( session->peer_cert ); - } + ssl_clear_peer_cert( session ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) From a028c5bbd82d1d46a4fae5b374dfe7077cc5527a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 12:38:45 +0000 Subject: [PATCH 034/113] Introduce CRT counter to CRT chain parsing function So far, we've used the `peer_cert` pointer to detect whether we're parsing the first CRT, but that will soon be removed if `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is unset. --- library/ssl_tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1ccb278918..d2cb8937df 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5757,7 +5757,7 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) */ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) { - int ret; + int ret, crt_cnt=0; size_t i, n; uint8_t alert; @@ -5884,7 +5884,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) } /* Check if we're handling the first CRT in the chain. */ - if( ssl->session_negotiate->peer_cert == NULL ) + if( crt_cnt++ == 0 ) { /* During client-side renegotiation, check that the server's * end-CRTs hasn't changed compared to the initial handshake, From 4a55f638e259d101229f903737618b697139432a Mon Sep 17 00:00:00 2001 
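Review bot: Clearing `ssl->session->peer_cert` as soon as the triple-handshake check passes is an application-visible change during client-side renegotiation: if `mbedtls_ssl_get_peer_cert()` (declared in the context of an earlier hunk) returns `ssl->session->peer_cert`, it now yields NULL from this point until the renegotiated session is installed, where it previously kept returning the initial chain. That is probably acceptable, but it deserves a ChangeLog line and a comment at the call, e.g. `/* The initial-handshake chain is no longer needed; get_peer_cert() returns NULL until the new session is installed. */`. ssl_parse_certificate_chain starts before the hunk.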
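Review bot: The PATCH 034 hunk writes `int ret, crt_cnt=0;`, which departs from the spacing used everywhere else in this file; `int ret, crt_cnt = 0;` (or `int ret;` and `int crt_cnt = 0;` on separate lines) matches it. A short comment at the declaration, `/* Number of CRTs parsed so far; 0 marks the end-entity CRT. */`, would also explain why `crt_cnt++ == 0` replaces the `peer_cert == NULL` test.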
From: Hanno Becker Date: Tue, 5 Feb 2019 12:49:06 +0000 Subject: [PATCH 035/113] Introduce helper to check for no-CRT notification from client This commit introduces a server-side static helper function `ssl_srv_check_client_no_crt_notification()`, which checks if the message we received during the incoming certificate state notifies the server of the lack of certificate on the client. For SSLv3, such a notification comes as a specific alert, while for all other TLS versions, it comes as a `Certificate` handshake message with an empty CRT list. --- library/ssl_tls.c | 109 +++++++++++++++++++++++----------------------- 1 file changed, 55 insertions(+), 54 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d2cb8937df..f89029b359 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -5761,52 +5761,6 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) size_t i, n; uint8_t alert; -#if defined(MBEDTLS_SSL_SRV_C) -#if defined(MBEDTLS_SSL_PROTO_SSL3) - /* - * Check if the client sent an empty certificate - */ - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) - { - if( ssl->in_msglen == 2 && - ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && - ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && - ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); - - /* The client was asked for a certificate but didn't send - one. The client should know what's going on, so we - don't send an alert. */ - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); - } - } -#endif /* MBEDTLS_SSL_PROTO_SSL3 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) - { - if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && - ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && - ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && - memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); - - /* The client was asked for a certificate but didn't send - one. The client should know what's going on, so we - don't send an alert. */ - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); - } - } -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_SSL_SRV_C */ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) { 
@@ -5967,6 +5921,48 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) return( 0 ); } +#if defined(MBEDTLS_SSL_SRV_C) +static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) +{ + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + return( -1 ); + +#if defined(MBEDTLS_SSL_PROTO_SSL3) + /* + * Check if the client sent an empty certificate + */ + if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) + { + if( ssl->in_msglen == 2 && + ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && + ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && + ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); + return( 0 ); + } + + return( -1 ); + } +#endif /* MBEDTLS_SSL_PROTO_SSL3 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && + ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && + ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && + memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); + return( 0 ); + } + + return( -1 ); +#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ + MBEDTLS_SSL_PROTO_TLS1_2 */ +} +#endif /* MBEDTLS_SSL_SRV_C */ + int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) { int ret; 
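Review bot: In a build with `MBEDTLS_SSL_PROTO_SSL3` enabled but none of `MBEDTLS_SSL_PROTO_TLS1`/`TLS1_1`/`TLS1_2`, `ssl_srv_check_client_no_crt_notification()` has no statement after the SSLv3 block for `minor_ver != 0`, so control can fall off the end of a non-void function (undefined behaviour, and a `-Wreturn-type` warning at least). Add an unconditional `return( -1 );` after the final `#endif` and drop the one inside the TLS block so every configuration returns. The function also lacks a header comment; `/* Return 0 if the record just read is the client's "no certificate" notification (SSLv3 no_cert alert, or an empty Certificate list on TLS), -1 otherwise. */` states the contract callers rely on.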
@@ -6029,16 +6025,21 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) return( ret ); } +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 ) + { + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; + ssl->state++; + + if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + return( 0 ); + + return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + } +#endif /* MBEDTLS_SSL_SRV_C */ + if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 ) { -#if defined(MBEDTLS_SSL_SRV_C) - if( ret == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE && - authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) - { - ret = 0; - } -#endif - ssl->state++; return( ret ); } From 7a955a043edbc48ec6b8dbf2dd660b1fc11deff5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 13:08:01 +0000 Subject: [PATCH 036/113] Clear peer's CRT chain outside before parsing new one If an attempt for session resumption fails, the `session_negotiate` structure might be partially filled, and in particular already contain a peer certificate structure. This certificate structure needs to be freed before parsing the certificate sent in the `Certificate` message. This commit moves the code-path taking care of this from the helper function `ssl_parse_certificate_chain()`, whose purpose should be parsing only, to the top-level handler `mbedtls_ssl_parse_certificate()`. The fact that we don't know the state of `ssl->session_negotiate` after a failed attempt for session resumption is undesirable, and a separate issue #2414 has been opened to improve on this. --- library/ssl_tls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f89029b359..6239d67c00 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
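Review bot: The explanation for why no alert is sent when the client presents no certificate, present in the deleted code (`/* The client was asked for a certificate but didn't send one. The client should know what's going on, so we don't send an alert. */`), did not survive the move; the new block in `mbedtls_ssl_parse_certificate` returns `MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE` with no rationale. Restore that comment above the `if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )` check, since the no-alert choice is deliberate and a later reader will otherwise be tempted to add one. The enclosing function starts before the hunk.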
@@ -5798,9 +5798,6 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ i += 3; - /* In case we tried to reuse a session but it failed. */ - ssl_clear_peer_cert( ssl->session_negotiate ); - /* Iterate through and parse the CRTs in the provided chain. */ while( i < ssl->in_hslen ) { @@ -6038,6 +6035,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_SRV_C */ + /* In case we tried to reuse a session but it failed. */ + ssl_clear_peer_cert( ssl->session_negotiate ); + if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 ) { ssl->state++; From 6bdfab2cccaf91d8546b471a8e4e4d2979635caa Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 13:11:17 +0000 Subject: [PATCH 037/113] Unify state machine update in mbedtls_ssl_parse_certificate() The handler `mbedtls_ssl_parse_certificate()` for incoming `Certificate` messages contains many branches updating the handshake state. For easier reasoning about state evolution, this commit introduces a single code-path updating the state machine at the end of `mbedtls_ssl_parse_certificate()`. --- library/ssl_tls.c | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6239d67c00..8653afc83f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5962,7 +5962,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) { - int ret; + int ret = 0; const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 
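Review bot: `ssl_clear_peer_cert( ssl->session_negotiate )` now sits after the server's no-certificate early exit, so (as before the move) when a client sends an empty Certificate list a `session_negotiate` that a failed resumption attempt left populated keeps its old `peer_cert` next to `verify_result = MBEDTLS_X509_BADCERT_MISSING`. Whether a failed resumption can actually leave `peer_cert` set is not visible here — the commit message defers that to #2414 — but if it can, then under `MBEDTLS_SSL_VERIFY_OPTIONAL` the handshake completes with a stale certificate attached to a session whose peer sent none. Placing the clear above the `ssl_srv_check_client_no_crt_notification()` call closes that at no cost. mbedtls_ssl_parse_certificate starts before the hunk.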
@@ -5982,8 +5982,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); - ssl->state++; - return( 0 ); + goto exit; } #if defined(MBEDTLS_SSL_SRV_C) @@ -5991,8 +5990,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); - ssl->state++; - return( 0 ); + goto exit; } if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && @@ -6000,9 +5998,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) { ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); - - ssl->state++; - return( 0 ); + goto exit; } #endif @@ -6026,12 +6022,13 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 ) { ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - ssl->state++; if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) - return( 0 ); + ret = 0; + else + ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; - return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + goto exit; } #endif /* MBEDTLS_SSL_SRV_C */ @@ -6039,10 +6036,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) ssl_clear_peer_cert( ssl->session_negotiate ); if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 ) - { - ssl->state++; - return( ret ); - } + goto exit; #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) if( ssl->handshake->ecrs_enabled) @@ -6188,10 +6182,11 @@ crt_verify: #endif /* MBEDTLS_DEBUG_C */ } - ssl->state++; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); +exit: + + ssl->state++; return( ret ); } #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED From 214899390089dceb8c481787eacc43cdda750d62 Mon Sep 17 00:00:00 2001 
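Review bot: With a single `exit:` label that always runs `ssl->state++`, any `return( ret )` that remains between the `ssl_parse_certificate_chain()` call and the label — the restartable-ECC in-progress path under `MBEDTLS_SSL__ECP_RESTARTABLE` is the likely one, though its body is outside the hunk — must keep returning directly, because advancing the state on an in-progress result would skip certificate verification when the handshake resumes. A comment at the label, `/* Reached on every completed path (success, skip or error); in-progress returns bypass it on purpose. */`, records that invariant for the next refactor. mbedtls_ssl_parse_certificate starts before the hunk.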
From: Hanno Becker Date: Tue, 5 Feb 2019 13:20:55 +0000 Subject: [PATCH 038/113] Use helper macro to detect whether some ciphersuite uses CRTs --- library/ssl_tls.c | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8653afc83f..fdd3e7c379 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5557,13 +5557,7 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, /* * Handshake functions */ -#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) +#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* No certificate support -> dummy functions */ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) { @@ -5605,7 +5599,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#else +#else /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ /* Some certificate support -> implement write and parse */ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) @@ -6189,13 +6183,7 @@ exit: ssl->state++; return( ret ); } -#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) { From 7177a88a36727edab6c6a031b9842f898e735fe2 Mon Sep 17 00:00:00 2001 
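Review bot: The replacement relies on `MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED` being exactly the disjunction of the seven `MBEDTLS_KEY_EXCHANGE_*_ENABLED` macros removed here; its definition is not part of this patch, so the equivalence is asserted rather than shown. A short comment at the `#if`, `/* Any of RSA, RSA_PSK, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, ECDH_RSA, ECDH_ECDSA; see ssl_ciphersuites.h */`, keeps the original list discoverable if the umbrella macro is ever widened.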
From: Hanno Becker Date: Tue, 5 Feb 2019 13:36:46 +0000 Subject: [PATCH 039/113] Introduce helper function to determine whether suite uses server CRT This commit introduces a static helper function `mbedtls_ssl_ciphersuite_uses_srv_cert()` which determines whether a ciphersuite may make use of server-side CRTs. This function is in turn uses in `mbedtls_ssl_parse_certificate()` to skip certificate parsing for ciphersuites which don't involve CRTs. Note: Ciphersuites not using server-side CRTs don't allow client-side CRTs either, so it is safe to guard `mbedtls_ssl_{parse/write}_certificate()` this way. Note: Previously, the code uses a positive check over the suites - MBEDTLS_KEY_EXCHANGE_PSK - MBEDTLS_KEY_EXCHANGE_DHE_PSK - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK - MBEDTLS_KEY_EXCHANGE_ECJPAKE, while now, it uses a negative check over `mbedtls_ssl_ciphersuite_uses_srv_cert()`, which checks for the suites - MBEDTLS_KEY_EXCHANGE_RSA - MBEDTLS_KEY_EXCHANGE_RSA_PSK - MBEDTLS_KEY_EXCHANGE_DHE_RSA - MBEDTLS_KEY_EXCHANGE_ECDH_RSA - MBEDTLS_KEY_EXCHANGE_ECDHE_RSA - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA This is equivalent since, together, those are all ciphersuites. Quoting ssl_ciphersuites.h: ``` typedef enum { MBEDTLS_KEY_EXCHANGE_NONE = 0, MBEDTLS_KEY_EXCHANGE_RSA, MBEDTLS_KEY_EXCHANGE_DHE_RSA, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, MBEDTLS_KEY_EXCHANGE_PSK, MBEDTLS_KEY_EXCHANGE_DHE_PSK, MBEDTLS_KEY_EXCHANGE_RSA_PSK, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, MBEDTLS_KEY_EXCHANGE_ECJPAKE, } mbedtls_key_exchange_type_t; ``` --- include/mbedtls/ssl_ciphersuites.h | 18 ++++++++++++++++++ library/ssl_tls.c | 21 ++++----------------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 71053e5ba7..712678330f 100644 --- a/include/mbedtls/ssl_ciphersuites.h 
+++ b/include/mbedtls/ssl_ciphersuites.h @@ -486,6 +486,24 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ci } } +static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphersuite_t *info ) +{ + switch( info->key_exchange ) + { + case MBEDTLS_KEY_EXCHANGE_RSA: + case MBEDTLS_KEY_EXCHANGE_RSA_PSK: + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + return( 1 ); + + default: + return( 0 ); + } +} + #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fdd3e7c379..16f836df93 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5565,10 +5565,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); ssl->state++; @@ -5585,10 +5582,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); ssl->state++; 
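Review bot: `mbedtls_ssl_ciphersuite_uses_srv_cert()` is added to a public header with no documentation comment, and the non-obvious inclusion of `MBEDTLS_KEY_EXCHANGE_RSA_PSK` (server authenticates with a certificate, client cannot) is exactly the case a reader will question. Add a Doxygen-style comment above it stating that it returns 1 when the key exchange requires the server to present a certificate (RSA, RSA-PSK, DHE-RSA, ECDH(E)-RSA, ECDH(E)-ECDSA) and 0 for PSK-only, ECJPAKE and NONE, and that every suite for which it returns 0 also cannot carry a client certificate, which is what lets both `_certificate()` handlers be skipped on it. That last property comes from the commit message rather than the code, so verify it against `mbedtls_ssl_ciphersuite_cert_req_allowed()` before writing it down.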
@@ -5611,10 +5605,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); ssl->state++; @@ -5755,7 +5746,6 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) size_t i, n; uint8_t alert; - if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); @@ -5970,10 +5960,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); goto exit; From 28f2fcd08dd1b6172af0b6b6fcc14382e067508a Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Thu, 7 Feb 2019 10:11:07 +0000 Subject: [PATCH 040/113] Add helper function to check whether a CRT msg is expected This commit adds a helper function `ssl_parse_certificate_coordinate()` which checks whether a `Certificate` message is expected from the peer. The logic is the following: - For ciphersuites which don't use server-side CRTs, no Certificate message is expected (neither for the server, nor the client). - On the server, no client certificate is expected in the following cases: * The server server didn't request a Certificate, which is controlled by the `authmode` setting. * A RSA-PSK suite is used; this is the only suite using server CRTs but not allowing client-side authentication. --- library/ssl_tls.c | 62 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 20 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 16f836df93..ef3ec23330 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -5944,11 +5944,49 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_SRV_C */ +/* Check if a certificate message is expected. + * Return either + * - SSL_CERTIFICATE_EXPECTED, or + * - SSL_CERTIFICATE_SKIP + * indicating whether a Certificate message is expected or not. + */ +#define SSL_CERTIFICATE_EXPECTED 0 +#define SSL_CERTIFICATE_SKIP 1 +static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, + int authmode ) +{ + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->transform_negotiate->ciphersuite_info; + + if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) + return( SSL_CERTIFICATE_SKIP ); + +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + return( SSL_CERTIFICATE_SKIP ); + + if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + /* NOTE: Is it intentional that we set verify_result + * to SKIP_VERIFY on server-side only? */ + ssl->session_negotiate->verify_result = + MBEDTLS_X509_BADCERT_SKIP_VERIFY; + return( SSL_CERTIFICATE_SKIP ); + } + } +#endif /* MBEDTLS_SSL_SRV_C */ + + return( SSL_CERTIFICATE_EXPECTED ); +} + int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) { int ret = 0; - const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = - ssl->transform_negotiate->ciphersuite_info; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->transform_negotiate->ciphersuite_info; + int crt_expected; #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ? ssl->handshake->sni_authmode 
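Review bot: The header comment on `ssl_parse_certificate_coordinate()` describes a pure decision helper returning `SSL_CERTIFICATE_EXPECTED` or `SSL_CERTIFICATE_SKIP`, but on the server side with `authmode == MBEDTLS_SSL_VERIFY_NONE` it also writes `ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY`; that side effect should be stated in the comment, and the in-code `NOTE: Is it intentional ...?` question should be resolved or rephrased as a statement of the current contract rather than shipped as an open question. `authmode` is only referenced inside the `MBEDTLS_SSL_SRV_C` block, so a client-only build will see an unused parameter; `((void) authmode);` under `#if !defined(MBEDTLS_SSL_SRV_C)` would avoid the warning. `SSL_CERTIFICATE_EXPECTED`/`SSL_CERTIFICATE_SKIP` are `#define`d between functions; a small `enum` would keep them typed and debugger-visible. The enclosing `mbedtls_ssl_parse_certificate()` continues past the end of the hunk.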
@@ -5960,29 +5998,13 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); - if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) + crt_expected = ssl_parse_certificate_coordinate( ssl, authmode ); + if( crt_expected == SSL_CERTIFICATE_SKIP ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); goto exit; } -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); - goto exit; - } - - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - authmode == MBEDTLS_SSL_VERIFY_NONE ) - { - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); - goto exit; - } -#endif - #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) if( ssl->handshake->ecrs_enabled && ssl->handshake->ecrs_state == ssl_ecrs_crt_verify ) From 77adddc9e91b0405464724de45dec277515bac81 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Thu, 7 Feb 2019 12:32:43 +0000 Subject: [PATCH 041/113] Make use of macro and helper detecting whether CertRequest allowed This commit simplifies the client-side code for outgoing CertificateVerify messages, and server-side code for outgoing CertificateRequest messages and incoming CertificateVerify messages, through the use of the macro `MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED` indicating whether a ciphersuite allowing CertificateRequest messages is enabled in the configuration, as well as the helper function `mbedtls_ssl_ciphersuite_cert_req_allowed()` indicating whether a particular ciphersuite allows CertificateRequest messages. These were already used in the client-side code to simplify the parsing functions for CertificateRequest messages. --- library/ssl_cli.c | 28 +++++------------------- library/ssl_srv.c | 56 +++++++++-------------------------------------- 2 files changed, 15 insertions(+), 69 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 87fa1e0d91..b564bf6314 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3456,12 +3456,7 @@ ecdh_calc_secret: return( 0 ); } -#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 
@@ -3476,11 +3471,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) return( ret ); } - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); ssl->state++; @@ -3490,7 +3481,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#else +#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; @@ -3519,11 +3510,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) return( ret ); } - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); ssl->state++; 
@@ -3666,12 +3653,7 @@ sign: return( ret ); } -#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 46e24e4431..5313b11a57 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2680,12 +2680,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } -#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info = @@ -2693,11 +2688,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); ssl->state++; 
@@ -2707,7 +2698,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#else +#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; @@ -2731,11 +2722,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) #endif authmode = ssl->conf->authmode; - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || authmode == MBEDTLS_SSL_VERIFY_NONE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); @@ -2874,12 +2861,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) return( ret ); } -#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 
@@ -4048,12 +4030,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) return( 0 ); } -#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ - !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info = @@ -4061,11 +4038,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); ssl->state++; @@ -4075,7 +4048,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#else +#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 
@@ -4092,11 +4065,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || ssl->session_negotiate->peer_cert == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); @@ -4241,12 +4210,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) return( ret ); } -#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && - !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) From fcd9e71cdf8284b8f514623cc930febb3e39ef16 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 14:35:46 +0000 Subject: [PATCH 042/113] Don't progress TLS state machine on peer CRT chain parsing error --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ef3ec23330..7d88582b68 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6039,7 +6039,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) ssl_clear_peer_cert( ssl->session_negotiate ); if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 ) - goto exit; + return( ret ); #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) if( ssl->handshake->ecrs_enabled) 
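Review bot: The new `return( ret );` in `mbedtls_ssl_parse_certificate()` deliberately bypasses the `exit:` label, and the reason is recorded only in the commit subject; a comment at the return site would keep a later cleanup from folding it back into `goto exit`, e.g. `/* Don't advance the state machine on a parsing failure. */`. I am inferring from the subject line that `exit:` increments `ssl->state`, since the label and the rest of the function body lie outside the hunk.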
From 6863619a2f94c23948a4abbf7269bc31437f99ab Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 14:36:34 +0000 Subject: [PATCH 043/113] Introduce helper function for peer CRT chain verification --- library/ssl_tls.c | 285 ++++++++++++++++++++++++---------------------- 1 file changed, 150 insertions(+), 135 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7d88582b68..01428f03aa 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -5981,11 +5981,155 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, return( SSL_CERTIFICATE_EXPECTED ); } -int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) +static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, + int authmode, + mbedtls_x509_crt *chain, + void *rs_ctx ) { int ret = 0; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; + mbedtls_x509_crt *ca_chain; + mbedtls_x509_crl *ca_crl; + + if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + return( 0 ); + +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ssl->handshake->sni_ca_chain != NULL ) + { + ca_chain = ssl->handshake->sni_ca_chain; + ca_crl = ssl->handshake->sni_ca_crl; + } + else +#endif + { + ca_chain = ssl->conf->ca_chain; + ca_crl = ssl->conf->ca_crl; + } + + /* + * Main check: verify certificate + */ + ret = mbedtls_x509_crt_verify_restartable( + chain, + ca_chain, ca_crl, + ssl->conf->cert_profile, + ssl->hostname, + &ssl->session_negotiate->verify_result, + ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); + } + +#if defined(MBEDTLS_SSL__ECP_RESTARTABLE) + if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) + return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS ); +#endif + + /* + * Secondary checks: always done, but change 'ret' only if it was 0 + */ + +#if defined(MBEDTLS_ECP_C) + { + const mbedtls_pk_context *pk = &chain->pk; + + /* If certificate uses an EC key, make sure the curve is OK */ + if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && + mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) + { + ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); + if( ret == 0 ) + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; + } + } +#endif /* MBEDTLS_ECP_C */ + + if( mbedtls_ssl_check_cert_usage( chain, + ciphersuite_info, + ! 
ssl->conf->endpoint, + &ssl->session_negotiate->verify_result ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); + if( ret == 0 ) + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; + } + + /* mbedtls_x509_crt_verify_with_profile is supposed to report a + * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, + * with details encoded in the verification flags. All other kinds + * of error codes, including those from the user provided f_vrfy + * functions, are treated as fatal and lead to a failure of + * ssl_parse_certificate even if verification was optional. */ + if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && + ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) ) + { + ret = 0; + } + + if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); + ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; + } + + if( ret != 0 ) + { + uint8_t alert; + + /* The certificate may have been rejected for several reasons. + Pick one and send the corresponding alert. Which alert to send + may be a subject of debate in some cases. 
*/ + if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER ) + alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) + alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE ) + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE ) + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE ) + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK ) + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY ) + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) + alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED ) + alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) + alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; + else + alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + alert ); + } + +#if defined(MBEDTLS_DEBUG_C) + if( ssl->session_negotiate->verify_result != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "! 
Certificate verification flags %x", + ssl->session_negotiate->verify_result ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); + } +#endif /* MBEDTLS_DEBUG_C */ + + return( ret ); +} + +int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) +{ + int ret = 0; int crt_expected; #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET 
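Review bot: The new static helper is named `ssl_parse_certificate_verify()`, which is already the name of the static function in library/ssl_srv.c that parses the CertificateVerify handshake message (see the 041 hunks above); the two have different signatures and purposes, and sharing the name across translation units will confuse grep, backtraces and readers, so I would rename this one to something like `ssl_verify_peer_crt_chain()`. The helper also has no header comment; it should record what the body shows: it returns 0 without doing anything under `MBEDTLS_SSL_VERIFY_NONE`, prefers the SNI CA chain/CRL when set, returns `MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS` when restartable verification is unfinished, downgrades `MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`/`MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE` to 0 under `MBEDTLS_SSL_VERIFY_OPTIONAL`, and sends a fatal alert on any remaining failure. Note that `ciphersuite_info` is still taken from `ssl->transform_negotiate` inside the helper even though `chain` is now a parameter, so the helper is only valid for the negotiated transform; either pass the suite in next to `chain` or say so in the comment.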
@@ -6050,140 +6194,11 @@ crt_verify: rs_ctx = &ssl->handshake->ecrs_ctx; #endif - if( authmode != MBEDTLS_SSL_VERIFY_NONE ) - { - mbedtls_x509_crt *ca_chain; - mbedtls_x509_crl *ca_crl; - -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ssl->handshake->sni_ca_chain != NULL ) - { - ca_chain = ssl->handshake->sni_ca_chain; - ca_crl = ssl->handshake->sni_ca_crl; - } - else -#endif - { - ca_chain = ssl->conf->ca_chain; - ca_crl = ssl->conf->ca_crl; - } - - /* - * Main check: verify certificate - */ - ret = mbedtls_x509_crt_verify_restartable( - ssl->session_negotiate->peer_cert, - ca_chain, ca_crl, - ssl->conf->cert_profile, - ssl->hostname, - &ssl->session_negotiate->verify_result, - ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); - - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); - } - -#if defined(MBEDTLS_SSL__ECP_RESTARTABLE) - if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) - return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS ); -#endif - - /* - * Secondary checks: always done, but change 'ret' only if it was 0 - */ - -#if defined(MBEDTLS_ECP_C) - { - const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; - - /* If certificate uses an EC key, make sure the curve is OK */ - if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && - mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) - { - ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; - - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); - if( ret == 0 ) - ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; - } - } -#endif /* MBEDTLS_ECP_C */ - - if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, - ciphersuite_info, - ! 
ssl->conf->endpoint, - &ssl->session_negotiate->verify_result ) != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); - if( ret == 0 ) - ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; - } - - /* mbedtls_x509_crt_verify_with_profile is supposed to report a - * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, - * with details encoded in the verification flags. All other kinds - * of error codes, including those from the user provided f_vrfy - * functions, are treated as fatal and lead to a failure of - * ssl_parse_certificate even if verification was optional. */ - if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && - ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || - ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) ) - { - ret = 0; - } - - if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); - ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; - } - - if( ret != 0 ) - { - uint8_t alert; - - /* The certificate may have been rejected for several reasons. - Pick one and send the corresponding alert. Which alert to send - may be a subject of debate in some cases. 
*/ - if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER ) - alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) - alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE ) - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE ) - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE ) - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK ) - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY ) - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) - alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED ) - alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) - alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; - else - alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - alert ); - } - -#if defined(MBEDTLS_DEBUG_C) - if( ssl->session_negotiate->verify_result != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x", - ssl->session_negotiate->verify_result ) ); - } - else - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); - } -#endif /* MBEDTLS_DEBUG_C */ - } + ret = ssl_parse_certificate_verify( ssl, authmode, + ssl->session_negotiate->peer_cert, + rs_ctx ); + if( ret != 0 ) + return( ret ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 
From c7bd780e02eafea41ad2577b6cccc9bee06b761a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 15:37:23 +0000 Subject: [PATCH 044/113] Allow passing any X.509 CRT chain to ssl_parse_certificate_chain() This commit modifies the helper `ssl_parse_certificate_chain()` to accep any target X.509 CRT chain instead of hardcoding it to `session_negotiate->peer_cert`. This increases modularity and paves the way towards removing `mbedtls_ssl_session::peer_cert`. --- library/ssl_tls.c | 88 ++++++++++++++++++++++------------------------- 1 file changed, 41 insertions(+), 47 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 01428f03aa..fd697630f7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5740,9 +5740,13 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) * Once the certificate message is read, parse it into a cert chain and * perform basic checks, but leave actual verification to the caller */ -static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) +static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *chain ) { - int ret, crt_cnt=0; + int ret; +#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) + int crt_cnt=0; +#endif size_t i, n; uint8_t alert; 
@@ -5819,58 +5823,34 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) } /* Check if we're handling the first CRT in the chain. */ - if( crt_cnt++ == 0 ) +#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) + if( crt_cnt++ == 0 && + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && + ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) { /* During client-side renegotiation, check that the server's * end-CRTs hasn't changed compared to the initial handshake, * mitigating the triple handshake attack. On success, reuse * the original end-CRT instead of parsing it again. */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && - ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) ); + if( ssl_check_peer_crt_unchanged( ssl, + &ssl->in_msg[i], + n ) != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) ); - if( ssl_check_peer_crt_unchanged( ssl, - &ssl->in_msg[i], - n ) != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); - mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); - return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); - } - - /* Now we can safely free the original chain. */ - ssl_clear_peer_cert( ssl->session ); - - /* Intentional fallthrough. */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); + mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); } + + /* Now we can safely free the original chain. 
*/ + ssl_clear_peer_cert( ssl->session ); + } #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ - /* Outside of client-side renegotiation, create a fresh X.509 CRT - * instance to parse the end-CRT into. */ - - ssl->session_negotiate->peer_cert = - mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); - if( ssl->session_negotiate->peer_cert == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", - sizeof( mbedtls_x509_crt ) ) ); - mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - } - - mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); - - /* Intentional fall through */ - } - /* Parse the next certificate in the chain. */ - ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, - ssl->in_msg + i, n ); + ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n ); switch( ret ) { case 0: /*ok*/ @@ -5898,7 +5878,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl ) i += n; } - MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); + MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain ); return( 0 ); } 
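Review bot: The retained comment in `ssl_parse_certificate_chain()` says "On success, reuse the original end-CRT instead of parsing it again", but the code directly below it frees the original chain with `ssl_clear_peer_cert( ssl->session )` and then falls through to `mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n )`, so the received DER is parsed again into the caller-supplied `chain`; with the allocation now moved to the caller the comment is clearly stale. I would rewrite it as `/* During client-side renegotiation, check that the server's end-CRT hasn't changed compared to the initial handshake (mitigating the triple handshake attack). On success the original chain is released and the received CRT is parsed into 'chain' like any other. */`. The function's header and the loop that sets `i` and `n` are outside this hunk.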
@@ -6179,10 +6159,24 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_SRV_C */ - /* In case we tried to reuse a session but it failed. */ + /* Clear existing peer CRT structure in case we tried to + * reuse a session but it failed, and allocate a new one. */ ssl_clear_peer_cert( ssl->session_negotiate ); + ssl->session_negotiate->peer_cert = + mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); + if( ssl->session_negotiate->peer_cert == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", + sizeof( mbedtls_x509_crt ) ) ); + mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); - if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 ) + ret = ssl_parse_certificate_chain( ssl, ssl->session_negotiate->peer_cert ); + if( ret != 0 ) return( ret ); #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) From 52055ae91f0bfb93502f495cf80474ebca8cceae Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 14:30:46 +0000 Subject: [PATCH 045/113] Give ssl_session_copy() external linkage A subsequent commit will need this function in the session ticket and session cache implementations. As the latter are server-side, this commit also removes the MBEDTLS_SSL_CLI_C guard. For now, the function is declared in ssl_internal.h and hence not part of the public API. --- include/mbedtls/ssl_internal.h | 3 +++ library/ssl_tls.c | 10 +++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index be7f41b1d7..e76f4f8648 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
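Review bot: The allocation-failure trace moved into `mbedtls_ssl_parse_certificate()` passes `sizeof( mbedtls_x509_crt )` (a `size_t`) to a `%d` conversion, which is a format/argument type mismatch; now that the line lives here it could be corrected to `MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%u bytes) failed", (unsigned) sizeof( mbedtls_x509_crt ) ) );`. A one-line comment above the `mbedtls_calloc` noting that `ssl_parse_certificate_chain()` parses into this freshly allocated `peer_cert`, and that on error the partially parsed chain stays attached to `session_negotiate` for the session's normal teardown to free, would also help; the teardown path is not visible in the hunk, so that second claim should be confirmed before writing it. The enclosing function continues past the hunk.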
@@ -766,6 +766,9 @@ int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ); void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ); #endif +int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, + const mbedtls_ssl_session *src ); + /* constant-time buffer comparison */ static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fd697630f7..ac652d2d78 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -279,8 +279,8 @@ static unsigned int ssl_mfl_code_to_length( int mfl ) } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ -#if defined(MBEDTLS_SSL_CLI_C) -static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ) +int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, + const mbedtls_ssl_session *src ) { mbedtls_ssl_session_free( dst ); memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); @@ -319,7 +319,6 @@ static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session return( 0 ); } -#endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, @@ -7613,7 +7612,8 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) + if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate, + session ) ) != 0 ) return( ret ); ssl->handshake->resume = 1; @@ -8548,7 +8548,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - return( ssl_session_copy( dst, ssl->session ) ); + return( mbedtls_ssl_session_copy( dst, ssl->session ) ); } #endif /* MBEDTLS_SSL_CLI_C */ From aee8717877f38731f15fb056c8046ea884ee24f1 Mon Sep 17 00:00:00 2001 
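Review bot: The new `mbedtls_ssl_session_copy()` prototype in ssl_internal.h carries no contract comment, yet the function is about to gain callers in the ticket and cache modules that cannot see its body. The ssl_tls.c hunk shows it begins with `mbedtls_ssl_session_free( dst )` followed by a shallow `memcpy`, so callers need to know that `dst` must be an initialized session (it is freed first), that `dst` and `src` must not overlap, and what state `dst` is in if a later deep-copy step fails — the shallow copy means pointer fields may still alias `src` at that point. Suggested Doxygen above the declaration: `/** Deep-copy \p src into \p dst. \p dst must be initialized; it is freed first. \p dst and \p src must not overlap. */`, extended once the failure semantics are settled. Most of mbedtls_ssl_session_copy's body lies outside the hunk.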
From: Hanno Becker Date: Wed, 6 Feb 2019 14:53:19 +0000 Subject: [PATCH 046/113] Simplify session cache implementation via mbedtls_ssl_session_copy() --- library/ssl_cache.c | 46 +++++++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/library/ssl_cache.c b/library/ssl_cache.c index 47867f132d..f5425944ed 100644 --- a/library/ssl_cache.c +++ b/library/ssl_cache.c @@ -40,6 +40,7 @@ #endif #include "mbedtls/ssl_cache.h" +#include "mbedtls/ssl_internal.h" #include @@ -92,9 +93,12 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session ) entry->session.id_len ) != 0 ) continue; - memcpy( session->master, entry->session.master, 48 ); - - session->verify_result = entry->session.verify_result; + ret = mbedtls_ssl_session_copy( session, &entry->session ); + if( ret != 0 ) + { + ret = 1; + goto exit; + } #if defined(MBEDTLS_X509_CRT_PARSE_C) /* @@ -102,6 +106,10 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session ) */ if( entry->peer_cert.p != NULL ) { + /* `session->peer_cert` is NULL after the call to + * mbedtls_ssl_session_copy(), because cache entries + * have the `peer_cert` field set to NULL. */ + if( ( session->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ) ) == NULL ) { @@ -239,8 +247,6 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session ) #endif } - memcpy( &cur->session, session, sizeof( mbedtls_ssl_session ) ); - #if defined(MBEDTLS_X509_CRT_PARSE_C) /* * If we're reusing an entry, free its certificate first 
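Review bot: Replacing the two field copies with `mbedtls_ssl_session_copy( session, &entry->session )` introduces a failure path that did not exist before: the callee frees `*session` first and then copies, so when it fails the caller's session (on the server side, the session being negotiated) has been modified and may be partially copied, while `mbedtls_ssl_cache_get` reports a plain cache miss with `ret = 1` and discards the specific error. Whether that partial state is safe for the caller to continue with cannot be judged from this hunk. At minimum the cache API documentation should say that a failing `mbedtls_ssl_cache_get()` may leave `*session` modified, e.g. `/* On failure *session may have been freed and partially overwritten; callers must not assume it is unchanged. */`. mbedtls_ssl_cache_get's body continues outside the hunk.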
@@ -250,23 +256,39 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session ) mbedtls_free( cur->peer_cert.p ); memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) ); } +#endif /* MBEDTLS_X509_CRT_PARSE_C */ - /* - * Store peer certificate - */ - if( session->peer_cert != NULL ) + /* Copy the entire session; this temporarily makes a copy of the + * X.509 CRT structure even though we only want to store the raw CRT. + * This inefficiency will go away as soon as we implement on-demand + * parsing of CRTs, in which case there's no need for the `peer_cert` + * field anymore in the first place, and we're done after this call. */ + ret = mbedtls_ssl_session_copy( &cur->session, session ); + if( ret != 0 ) { - cur->peer_cert.p = mbedtls_calloc( 1, session->peer_cert->raw.len ); + ret = 1; + goto exit; + } + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + /* If present, free the X.509 structure and only store the raw CRT data. */ + if( cur->session.peer_cert != NULL ) + { + cur->peer_cert.p = + mbedtls_calloc( 1, cur->session.peer_cert->raw.len ); if( cur->peer_cert.p == NULL ) { ret = 1; goto exit; } - memcpy( cur->peer_cert.p, session->peer_cert->raw.p, - session->peer_cert->raw.len ); + memcpy( cur->peer_cert.p, + cur->session.peer_cert->raw.p, + cur->session.peer_cert->raw.len ); cur->peer_cert.len = session->peer_cert->raw.len; + mbedtls_x509_crt_free( cur->session.peer_cert ); + mbedtls_free( cur->session.peer_cert ); cur->session.peer_cert = NULL; } #endif /* MBEDTLS_X509_CRT_PARSE_C */ From 0329f75a9315644212b4aac7ba6351f80a188acb Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 15:04:32 +0000 Subject: [PATCH 047/113] Increase robustness and documentation of ticket implementation --- library/ssl_ticket.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 7de4e66b12..2ad5436982 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c 
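Review bot: On the `mbedtls_calloc` failure path inside the new `if( cur->session.peer_cert != NULL )` block the code jumps to `exit` while `cur->session.peer_cert` still holds the deep-copied chain, so the cache entry keeps a parsed X.509 structure and the invariant the get side relies on in this same commit (entries have `peer_cert == NULL`) is broken until the entry is reused. Release it on that path as well: `mbedtls_x509_crt_free( cur->session.peer_cert ); mbedtls_free( cur->session.peer_cert ); cur->session.peer_cert = NULL;` before `goto exit`. Separately, `cur->peer_cert.len = session->peer_cert->raw.len;` is the one line still reading `session->peer_cert` after its neighbours were switched to `cur->session.peer_cert`; the value is the same, but `cur->session.peer_cert->raw.len` keeps the block consistent. mbedtls_ssl_cache_set's body continues outside the hunk.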
@@ -204,6 +204,9 @@ static int ssl_save_session( const mbedtls_ssl_session *session, if( left < sizeof( mbedtls_ssl_session ) ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + /* This also copies the values of pointer fields in the + * session to be serialized, but they'll be ignored when + * loading the session through ssl_load_session(). */ memcpy( p, session, sizeof( mbedtls_ssl_session ) ); p += sizeof( mbedtls_ssl_session ); left -= sizeof( mbedtls_ssl_session ); @@ -250,18 +253,24 @@ static int ssl_load_session( mbedtls_ssl_session *session, memcpy( session, p, sizeof( mbedtls_ssl_session ) ); p += sizeof( mbedtls_ssl_session ); + /* Non-NULL pointer fields of `session` are meaningless + * and potentially harmful. Zeroize them for safety. */ #if defined(MBEDTLS_X509_CRT_PARSE_C) + session->peer_cert = NULL; +#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) + session->ticket = NULL; +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + /* Deserialize CRT from the end of the ticket. */ if( 3 > (size_t)( end - p ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2]; p += 3; - if( cert_len == 0 ) - { - session->peer_cert = NULL; - } - else + if( cert_len != 0 ) { int ret; From 8273df8383dca8ff23d11ba57d78c13ccd24c3af Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 17:37:32 +0000 Subject: [PATCH 048/113] Re-classify errors on missing peer CRT mbedtls_ssl_parse_certificate() will fail if a ciphersuite requires a certificate, but none is provided. While it is sensible to double- check this, failure should be reported as an internal error and not as an unexpected message. --- library/ssl_cli.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index b564bf6314..b0c8b302e9 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
@@ -2292,8 +2292,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, if( ssl->session_negotiate->peer_cert == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + /* Should never happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } /* @@ -2404,8 +2404,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) if( ssl->session_negotiate->peer_cert == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + /* Should never happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, @@ -2744,10 +2744,8 @@ start_processing: if( ssl->session_negotiate->peer_cert == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + /* Should never happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } /* From 4a82c1ccb416288579b32269ed60c13e53ba94dc Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 11:33:12 +0000 Subject: [PATCH 049/113] Improve documentation of mbedtls_ssl_get_peer_cert() --- include/mbedtls/ssl.h | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 46007a72bd..c4d6605b5b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
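Review bot: All three hunks in ssl_cli.c drop the level-2 debug message together with the error reclassification, so a path that is explicitly "should never happen" now fails silently, which is the opposite of what an internal-error path needs for diagnosis. Keep a trace at level 1 before each return, e.g. `MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer certificate missing although ciphersuite requires it" ) );`, and the `/* Should never happen */` comment can then say why (the caller's certificate parsing stage is expected to have rejected the handshake). Each enclosing function starts and ends outside its hunk.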
@@ -2972,18 +2972,34 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); #if defined(MBEDTLS_X509_CRT_PARSE_C) /** - * \brief Return the peer certificate from the current connection + * \brief Return the peer certificate from the current connection. * - * Note: Can be NULL in case no certificate was sent during - * the handshake. Different calls for the same connection can - * return the same or different pointers for the same - * certificate and even a different certificate altogether. - * The peer cert CAN change in a single connection if - * renegotiation is performed. + * For ciphersuites not using certificate-based peer + * authentication (such as PSK-based ciphersuites), no + * peer certificate is available, and this function returns + * \c NULL. * - * \param ssl SSL context + * \param ssl The SSL context to use. This must be initialized and setup. * - * \return the current peer certificate + * \return The current peer certificate, or \c NULL if + * none is available. It is owned by the SSL context + * and valid only until the next call to the SSL API. + * + * \note For one-time inspection of the peer's certificate during + * the handshake, consider registering an X.509 CRT verification + * callback through mbedtls_ssl_conf_verify() instead of calling + * this function. Using mbedtls_ssl_conf_verify() also comes at + * the benefit of allowing you to influence the verification + * process, for example by masking expected and tolerated + * verification failures. + * + * \warning You must not use the pointer returned by this function + * after any further call to the SSL API, including + * mbedtls_ssl_read() and mbedtls_ssl_write(); this is + * because the pointer might change during renegotiation, + * which happens transparently to the user. + * If you want to use the certificate across API calls, + * you must make a copy. 
*/ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ From bb278f52ca2b32fd80966f4c81257c63010e8eee Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 17:04:00 +0000 Subject: [PATCH 050/113] Add configuration option to remove peer CRT after handshake --- include/mbedtls/config.h | 22 ++++++++++++++++++++++ include/mbedtls/ssl.h | 8 ++++++-- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index e6abf24d52..091ce018f1 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1354,6 +1354,28 @@ */ #define MBEDTLS_SSL_FALLBACK_SCSV +/** + * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + * + * This option controls the presence of the API mbedtls_ssl_get_peer_cert() + * giving access to the peer's certificate after completion of the handshake. + * + * Unless you need mbedtls_ssl_peer_cert() in your application, it is + * recommended to disable this option for reduced RAM usage. + * + * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still + * defined, but always returns \c NULL. + * + * \note This option has no influence on the protection against the + * triple handshake attack. Even if it is disabled, Mbed TLS will + * still ensure that certificates do not change during renegotiation, + * for exaple by keeping a hash of the peer's certificate. + * + * Comment this macro to disable storing the peer's certificate + * after the handshake. + */ +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + /** * \def MBEDTLS_SSL_HW_RECORD_ACCEL * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c4d6605b5b..d736c21014 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
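Review bot: The new option description in config.h has two wording defects in user-facing text: `Unless you need mbedtls_ssl_peer_cert() in your application` names a function that does not exist and should read `mbedtls_ssl_get_peer_cert()` as in the first paragraph, and `for exaple` should be `for example`. Both sit in the doc comment of MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, which is the text users read when deciding whether to disable the option.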
@@ -2982,8 +2982,12 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); * \param ssl The SSL context to use. This must be initialized and setup. * * \return The current peer certificate, or \c NULL if - * none is available. It is owned by the SSL context - * and valid only until the next call to the SSL API. + * none is available, which might be because the chosen + * ciphersuite does not use peer certificates, or because + * #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled. + * If this functions does not return \c NULL, the returned + * certificate is owned by the SSL context and valid only + * until the next call to the SSL API. * * \note For one-time inspection of the peer's certificate during * the handshake, consider registering an X.509 CRT verification From 8d84fd83ff5dd409a77e216c09b576d3b36481aa Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 15:13:38 +0000 Subject: [PATCH 051/113] Update version_features.c --- library/version_features.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/version_features.c b/library/version_features.c index 61094d4ed7..4674dea905 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -456,6 +456,9 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_FALLBACK_SCSV) "MBEDTLS_SSL_FALLBACK_SCSV", #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + "MBEDTLS_SSL_KEEP_PEER_CERTIFICATE", +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) "MBEDTLS_SSL_HW_RECORD_ACCEL", #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ From 9198ad110153626981e4ef70fe0504b27c30472f Mon Sep 17 00:00:00 2001 
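Review bot: The reworded `\return` paragraph reads `If this functions does not return \c NULL`; it should be `If this function does not return \c NULL`. This is public API documentation in ssl.h and otherwise reads well.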
From: Hanno Becker Date: Tue, 5 Feb 2019 17:00:50 +0000 Subject: [PATCH 052/113] Extend mbedtls_ssl_session by buffer holding peer CRT digest --- include/mbedtls/ssl.h | 25 ++++++++++++++++++++++++- library/ssl_tls.c | 27 +++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d736c21014..6dcc43b933 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -787,6 +787,22 @@ typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl, typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN 48 +#if defined(MBEDTLS_SHA256_C) +#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256 +#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 32 +#elif defined(MBEDTLS_SHA512_C) +#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384 +#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 48 +#elif defined(MBEDTLS_SHA1_C) +#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1 +#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 20 +#else +#error "Bad configuration - need SHA-1, SHA-256 or SHA-512 enabled to compute digest of peer CRT." +#endif +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + /* * This structure is used for storing current session data. */ 
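Review bot: The digest-type selection and its `#error` are guarded only by `MBEDTLS_X509_CRT_PARSE_C`, so a build with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enabled — where this series never computes the digest — still fails to compile if none of SHA-1, SHA-256 or SHA-512 is enabled; the later hunks reference these macros only under `!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)`. Consider narrowing the guard to `#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)` unless another configuration depends on the definitions. A one-line comment stating which property of the digest the renegotiation check relies on (detecting a changed end-entity certificate) would also let a reader judge the SHA-1 last-resort fallback against it.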
@@ -802,7 +818,14 @@ struct mbedtls_ssl_session unsigned char master[48]; /*!< the master secret */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */ + mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */ +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /*! The digest of the peer's end-CRT. This must be kept to detect CRT + * changes during renegotiation, mitigating the triple handshake attack. */ + unsigned char *peer_cert_digest; + size_t peer_cert_digest_len; + mbedtls_md_type_t peer_cert_digest_type; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ uint32_t verify_result; /*!< verification result */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ac652d2d78..26832bc96c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -304,6 +304,22 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, return( ret ); } } + +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + if( src->peer_cert_digest != NULL ) + { + dst->peer_cert_digest_len = src->peer_cert_digest_len; + dst->peer_cert_digest = + mbedtls_calloc( 1, dst->peer_cert_digest_len ); + if( dst->peer_cert_digest == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + memcpy( dst->peer_cert_digest, src->peer_cert_digest, + src->peer_cert_digest_len ); + dst->peer_cert_digest_type = src->peer_cert_digest_type; + } +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 
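Review bot: If the `mbedtls_calloc` for `dst->peer_cert_digest` fails, `mbedtls_ssl_session_copy()` returns with `dst` only partially deep-copied: the shallow `memcpy( dst, src, sizeof( mbedtls_ssl_session ) )` at the top of the function has left every not-yet-copied pointer field — the ticket, handled in the section that follows this hunk — aliasing `src`, so freeing `dst` afterwards would free memory owned by `src`. The peer_cert branch that precedes this hunk appears to have the same shape, so the problem is not new, but the function now has external linkage and more callers. A robust fix is to reset the pointer fields right after the memcpy (`dst->peer_cert = NULL; dst->peer_cert_digest = NULL; dst->ticket = NULL;` under their respective guards) before any allocation; that edit lies outside this hunk. Within the hunk, `dst->peer_cert_digest_len` is assigned before the allocation succeeds, so on failure it is non-zero while the pointer is NULL — move the assignment after the `memcpy`.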
@@ -5733,6 +5749,17 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) mbedtls_free( session->peer_cert ); session->peer_cert = NULL; } + +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + if( session->peer_cert_digest != NULL ) + { + /* Zeroization is not necessary. */ + mbedtls_free( session->peer_cert_digest ); + session->peer_cert_digest = NULL; + session->peer_cert_digest_type = MBEDTLS_MD_NONE; + session->peer_cert_digest_len = 0; + } +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ } /* From 6bbd94c4eb4646ae8d0bba2f27532b7496f2ff72 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 17:02:28 +0000 Subject: [PATCH 053/113] Compute digest of peer's end-CRT in mbedtls_ssl_parse_certificate() --- library/ssl_tls.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 26832bc96c..6a35486135 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -6220,6 +6220,33 @@ crt_verify: if( ret != 0 ) return( ret ); +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* Remember digest of the peer's end-CRT. */ + ssl->session_negotiate->peer_cert_digest = + mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ); + if( ssl->session_negotiate->peer_cert_digest == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", + sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) ) ); + mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + ret = mbedtls_md( mbedtls_md_info_from_type( + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ), + ssl->session_negotiate->peer_cert->raw.p, + ssl->session_negotiate->peer_cert->raw.len, + ssl->session_negotiate->peer_cert_digest ); + if( ret != 0 ) + return( ret ); + + ssl->session_negotiate->peer_cert_digest_type = + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; + ssl->session_negotiate->peer_cert_digest_len = + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); exit: From 177475a3aa5636bd846a9587761b3536c1f4c848 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 5 Feb 2019 17:02:46 +0000 Subject: [PATCH 054/113] Mitigate triple handshake attack by comparing digests only This paves the way for the removal of the peer CRT chain from `mbedtls_ssl_session`. --- library/ssl_tls.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6a35486135..d4df533cf1 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5725,6 +5725,8 @@ write_msg: } #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) + +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, unsigned char *crt_buf, size_t crt_buf_len ) 
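Review bot: The allocation-failure trace in the new block reports `sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN )`, i.e. the size of an integer constant, not the number of bytes requested; it should be `(int) MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN` for the `%d` conversion. Note also that `mbedtls_md_info_from_type()` returns NULL when the selected hash is not compiled into the MD module; `mbedtls_md()` then fails and the error is propagated, but the freshly allocated buffer stays in `session_negotiate` with `peer_cert_digest_len` still 0, which is only safe if `ssl_clear_peer_cert()` later runs on that session (outside this hunk). Computing into a local `unsigned char tmp[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]` and storing it only after `mbedtls_md()` succeeds would avoid the half-initialized state. mbedtls_ssl_parse_certificate's body continues outside the hunk.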
@@ -5739,6 +5741,35 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, return( memcmp( peer_crt->raw.p, crt_buf, crt_buf_len ) ); } +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, + unsigned char *crt_buf, + size_t crt_buf_len ) +{ + int ret; + unsigned char const * const peer_cert_digest = + ssl->session->peer_cert_digest; + mbedtls_md_type_t const peer_cert_digest_type = + ssl->session->peer_cert_digest_type; + mbedtls_md_info_t const * const digest_info = + mbedtls_md_info_from_type( peer_cert_digest_type ); + unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]; + size_t digest_len; + + if( peer_cert_digest == NULL || digest_info == NULL ) + return( -1 ); + + digest_len = mbedtls_md_get_size( digest_info ); + if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN ) + return( -1 ); + + ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest ); + if( ret != 0 ) + return( -1 ); + + return( memcmp( tmp_digest, peer_cert_digest, digest_len ) ); +} +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) From 3dad311ef02bd98e1a9b388082ec8c1f11bc53fe Mon Sep 17 00:00:00 2001 
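Review bot: `digest_len` is taken from `mbedtls_md_get_size( digest_info )` and never cross-checked against `ssl->session->peer_cert_digest_len`, the length that was actually stored (and, for resumed sessions, deserialized from a ticket); if the two disagree the `memcmp` reads `digest_len` bytes from a buffer of `peer_cert_digest_len` bytes. Add `if( digest_len != ssl->session->peer_cert_digest_len ) return( -1 );` next to the MAX_LEN check. Also `crt_buf` is only read here and in the KEEP variant above, so both signatures could take `const unsigned char *crt_buf`, matching the `const` discipline on the local digest pointers.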
From: Hanno Becker Date: Tue, 5 Feb 2019 17:19:52 +0000 Subject: [PATCH 055/113] Parse and verify peer CRT chain in local variable `mbedtls_ssl_parse_certificate()` parses the peer's certificate chain directly into the `peer_cert` field of the `mbedtls_ssl_session` structure being established. To allow to optionally remove this field from the session structure, this commit changes this to parse the peer's chain into a local variable instead first, which can then either be freed after CRT verification - in case the chain should not be stored - or mapped to the `peer_cert` if it should be kept. For now, only the latter is implemented. --- include/mbedtls/ssl_internal.h | 3 ++ library/ssl_tls.c | 66 ++++++++++++++++++++++++---------- 2 files changed, 51 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index e76f4f8648..7cd0d1c4ac 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -331,6 +331,9 @@ struct mbedtls_ssl_handshake_params ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ } ecrs_state; /*!< current (or last) operation */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) + mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ +#endif /* MBEDTLS_X509_CRT_PARSE_C */ size_t ecrs_n; /*!< place for saving a length */ #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d4df533cf1..4ca8f326f4 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6176,6 +6176,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) const int authmode = ssl->conf->authmode; #endif void *rs_ctx = NULL; + mbedtls_x509_crt *chain = NULL; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 
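Review bot: The comment on the new `ecrs_peer_cert` field, `/*!< The peer's CRT chain. */`, does not say when the handshake owns it: from this commit's ssl_tls.c hunks it is non-NULL only between a MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS return from mbedtls_ssl_parse_certificate() and the resumed call that moves it back into a local, and mbedtls_ssl_handshake_free() releases it. Suggest `/*!< Peer CRT chain parked here while certificate verification is in progress (restartable ECC); owned by the handshake until reclaimed or freed. */`. It would also help to state that the field must be NULL-initialized with the rest of the handshake params; that initialization is not in this hunk.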
@@ -6190,6 +6191,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) if( ssl->handshake->ecrs_enabled && ssl->handshake->ecrs_state == ssl_ecrs_crt_verify ) { + chain = ssl->handshake->ecrs_peer_cert; + ssl->handshake->ecrs_peer_cert = NULL; goto crt_verify; } #endif @@ -6199,7 +6202,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) /* mbedtls_ssl_read_record may have sent an alert already. We let it decide whether to alert. */ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); - return( ret ); + goto exit; } #if defined(MBEDTLS_SSL_SRV_C) @@ -6219,22 +6222,24 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) /* Clear existing peer CRT structure in case we tried to * reuse a session but it failed, and allocate a new one. */ ssl_clear_peer_cert( ssl->session_negotiate ); - ssl->session_negotiate->peer_cert = - mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); - if( ssl->session_negotiate->peer_cert == NULL ) + + chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); + if( chain == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", sizeof( mbedtls_x509_crt ) ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - } - mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); - ret = ssl_parse_certificate_chain( ssl, ssl->session_negotiate->peer_cert ); + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto exit; + } + mbedtls_x509_crt_init( chain ); + + ret = ssl_parse_certificate_chain( ssl, chain ); if( ret != 0 ) - return( ret ); + goto exit; #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) if( ssl->handshake->ecrs_enabled) 
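Review bot: In the restart path, `chain = ssl->handshake->ecrs_peer_cert; ssl->handshake->ecrs_peer_cert = NULL; goto crt_verify;` trusts that a chain was parked on the previous call; if the state machine reaches `ssl_ecrs_crt_verify` without one, `ssl_parse_certificate_verify()` receives a NULL chain. A defensive check `if( chain == NULL ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` after the move keeps the failure local and explicit. mbedtls_ssl_parse_certificate's body continues outside the hunk.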
@@ -6246,12 +6251,12 @@ crt_verify: #endif ret = ssl_parse_certificate_verify( ssl, authmode, - ssl->session_negotiate->peer_cert, - rs_ctx ); + chain, rs_ctx ); if( ret != 0 ) - return( ret ); + goto exit; #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* Remember digest of the peer's end-CRT. */ ssl->session_negotiate->peer_cert_digest = mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ); @@ -6262,15 +6267,16 @@ crt_verify: mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto exit; } ret = mbedtls_md( mbedtls_md_info_from_type( - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ), - ssl->session_negotiate->peer_cert->raw.p, - ssl->session_negotiate->peer_cert->raw.len, + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ), + chain->raw.p, chain->raw.len, ssl->session_negotiate->peer_cert_digest ); if( ret != 0 ) - return( ret ); + goto exit; ssl->session_negotiate->peer_cert_digest_type = MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; @@ -6278,11 +6284,30 @@ crt_verify: MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + ssl->session_negotiate->peer_cert = chain; + chain = NULL; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); exit: - ssl->state++; + if( ret == 0 ) + ssl->state++; + +#if defined(MBEDTLS_SSL__ECP_RESTARTABLE) + if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS ) + { + ssl->handshake->ecrs_peer_cert = chain; + chain = NULL; + } +#endif + + if( chain != NULL ) + { + mbedtls_x509_crt_free( chain ); + mbedtls_free( chain ); + } + return( ret ); } #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 
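Review bot: The new `exit:` block changes `ssl->state++` into `if( ret == 0 ) ssl->state++`, so any earlier `goto exit` that previously meant success now depends on `ret` being exactly 0 at that point; the function's declaration of `ret` is outside this hunk, so please confirm it is initialized to 0 at entry and that every success-path jump sets it. The ownership hand-off itself (`peer_cert = chain; chain = NULL;` on success, parking in `ecrs_peer_cert` on CRYPTO_IN_PROGRESS, freeing otherwise) is consistent, and a two-line comment above `exit:` stating those three outcomes, e.g. `/* chain is owned by session_negotiate on success, by the handshake while verification is in progress, and freed on any other error. */`, would make the invariant explicit. mbedtls_ssl_parse_certificate's body starts outside the hunk.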
@@ -9487,6 +9512,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx ); + if( handshake->ecrs_peer_cert != NULL ) + { + mbedtls_x509_crt_free( handshake->ecrs_peer_cert ); + mbedtls_free( handshake->ecrs_peer_cert ); + } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) From c5fcbb33c0a6ca1de75a5942a4b3d1d9296f67e7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 15:23:38 +0000 Subject: [PATCH 056/113] Add peer CRT digest to session tickets This commit changes the format of session tickets to include the digest of the peer's CRT if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled. This commit does not yet remove the peer CRT itself. --- library/ssl_ticket.c | 62 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 59 insertions(+), 3 deletions(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 2ad5436982..ef9f7e13d7 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -187,9 +187,11 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, /* * Serialize a session in the following format: - * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) - * n . n+2 peer_cert length = m (0 if no certificate) - * n+3 . n+2+m peer cert ASN.1 + * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) + * n . n+2 peer_cert length = m (0 if no certificate) + * n+3 . n+2+m peer cert ASN.1 + * n+3+m . n+3+m length of peer certificate digest = k (0 if n digest) + * n+4+m . n+4+k peer certificate digest (digest type encoded in session) */ static int ssl_save_session( const mbedtls_ssl_session *session, unsigned char *buf, size_t buf_len, 
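Review bot: The updated ticket format comment in ssl_ticket.c has two slips: `(0 if n digest)` should read `(0 if no digest)`, and the digest range `n+4+m . n+4+k` does not account for the certificate length — with the digest starting at offset n+4+m it spans `n+4+m . n+3+m+k`. Since this comment is the only description of the wire layout that ssl_load_session() must agree with, it is worth getting the offsets exact.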
@@ -199,6 +201,9 @@ static int ssl_save_session( const mbedtls_ssl_session *session, size_t left = buf_len; #if defined(MBEDTLS_X509_CRT_PARSE_C) size_t cert_len; +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + size_t cert_digest_len; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ if( left < sizeof( mbedtls_ssl_session ) ) @@ -223,11 +228,32 @@ static int ssl_save_session( const mbedtls_ssl_session *session, *p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF ); *p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( cert_len ) & 0xFF ); + left -= 3; if( session->peer_cert != NULL ) memcpy( p, session->peer_cert->raw.p, cert_len ); p += cert_len; + left -= cert_len; + +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + if( session->peer_cert_digest != NULL ) + cert_digest_len = 0; + else + cert_digest_len = session->peer_cert_digest_len; + + if( left < 1 + cert_digest_len ) + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + + *p++ = (unsigned char) cert_digest_len; + left--; + + if( session->peer_cert_digest != NULL ) + memcpy( p, session->peer_cert_digest, cert_digest_len ); + + p += cert_digest_len; + left -= cert_digest_len; +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ *olen = p - buf; @@ -245,6 +271,9 @@ static int ssl_load_session( mbedtls_ssl_session *session, const unsigned char * const end = buf + len; #if defined(MBEDTLS_X509_CRT_PARSE_C) size_t cert_len; +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + size_t cert_digest_len; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) ) 
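Review bot: The condition choosing the digest length is inverted: `if( session->peer_cert_digest != NULL ) cert_digest_len = 0; else cert_digest_len = session->peer_cert_digest_len;` writes a zero length exactly when a digest exists, so the digest is never serialized; in the NULL case it uses whatever `peer_cert_digest_len` holds and, because the `memcpy` below is skipped, advances `p` over bytes that were never written. It should be `if( session->peer_cert_digest == NULL )`. The same lines survive as context in the later hunk of this series that turns the `#if !defined` into `#else`, so the fix applies there too. ssl_save_session's body continues outside the hunk.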
@@ -257,6 +286,9 @@ static int ssl_load_session( mbedtls_ssl_session *session, * and potentially harmful. Zeroize them for safety. */ #if defined(MBEDTLS_X509_CRT_PARSE_C) session->peer_cert = NULL; +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + session->peer_cert_digest = NULL; +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) session->ticket = NULL; @@ -295,6 +327,30 @@ static int ssl_load_session( mbedtls_ssl_session *session, p += cert_len; } +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* Deserialize CRT digest from the end of the ticket. */ + if( 1 > (size_t)( end - p ) ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + cert_digest_len = (size_t) p[0]; + p++; + + if( cert_digest_len != 0 ) + { + if( cert_digest_len > (size_t)( end - p ) || + cert_digest_len != session->peer_cert_digest_len ) + { + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + + session->peer_cert_digest = mbedtls_calloc( 1, cert_digest_len ); + if( session->peer_cert_digest == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + memcpy( session->peer_cert_digest, p, cert_digest_len ); + p += cert_digest_len; + } +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ if( p != end ) From c966bd16beb036a2c73b685aed16e82c197ebab6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 15:40:27 +0000 Subject: [PATCH 057/113] Remove peer CRT from tickets if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE --- library/ssl_ticket.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index ef9f7e13d7..e4054b4e5b 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c 
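Review bot: The digest deserialization validates `cert_digest_len` only against `session->peer_cert_digest_len`, which was itself just copied out of the ticket by the leading `memcpy`, so the check is circular; nothing bounds the length or ties it to `peer_cert_digest_type`, and the renegotiation check introduced earlier in this series reads `mbedtls_md_get_size()` bytes of a buffer that is only `cert_digest_len` bytes long. The ticket is protected by the ticket key, so this is defence in depth rather than an exposed gap, but it is cheap: reject `cert_digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN` and require `cert_digest_len == mbedtls_md_get_size( mbedtls_md_info_from_type( session->peer_cert_digest_type ) )` after a NULL check on the info pointer. In the zero-length case also reset `session->peer_cert_digest_len = 0` and `session->peer_cert_digest_type = MBEDTLS_MD_NONE` alongside the NULL assignment in the first hunk so a digest-less session is self-consistent. ssl_load_session's body continues outside the hunk.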
@@ -187,11 +187,16 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, /* * Serialize a session in the following format: - * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) - * n . n+2 peer_cert length = m (0 if no certificate) - * n+3 . n+2+m peer cert ASN.1 - * n+3+m . n+3+m length of peer certificate digest = k (0 if n digest) - * n+4+m . n+4+k peer certificate digest (digest type encoded in session) + * + * - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled: + * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) + * n . n+2 peer_cert length = m (0 if no certificate) + * n+3 . n+2+m peer cert ASN.1 + * + * - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled: + * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) + * n . n length of peer certificate digest = k (0 if n digest) + * n+1 . n+k peer certificate digest (digest type encoded in session) */ static int ssl_save_session( const mbedtls_ssl_session *session, unsigned char *buf, size_t buf_len, @@ -200,8 +205,9 @@ static int ssl_save_session( const mbedtls_ssl_session *session, unsigned char *p = buf; size_t left = buf_len; #if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) size_t cert_len; -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else size_t cert_digest_len; #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -217,6 +223,7 @@ static int ssl_save_session( const mbedtls_ssl_session *session, left -= sizeof( mbedtls_ssl_session ); #if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) if( session->peer_cert == NULL ) cert_len = 0; else @@ -235,8 +242,7 @@ static int ssl_save_session( const mbedtls_ssl_session *session, p += cert_len; left -= cert_len; - -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( session->peer_cert_digest != NULL ) cert_digest_len = 0; else 
@@ -270,8 +276,9 @@ static int ssl_load_session( mbedtls_ssl_session *session, const unsigned char *p = buf; const unsigned char * const end = buf + len; #if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) size_t cert_len; -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else size_t cert_digest_len; #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -295,6 +302,7 @@ static int ssl_load_session( mbedtls_ssl_session *session, #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) /* Deserialize CRT from the end of the ticket. */ if( 3 > (size_t)( end - p ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -327,7 +335,7 @@ static int ssl_load_session( mbedtls_ssl_session *session, p += cert_len; } -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /* Deserialize CRT digest from the end of the ticket. */ if( 1 > (size_t)( end - p ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); From a887d1a5b6e71e1a080b1944474692cb622dd20e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 15:57:49 +0000 Subject: [PATCH 058/113] Remove peer CRT from cache if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE --- include/mbedtls/ssl_cache.h | 3 ++- library/ssl_cache.c | 20 ++++++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h index 52ba0948c5..84254d3d15 100644 --- a/include/mbedtls/ssl_cache.h +++ b/include/mbedtls/ssl_cache.h 
@@ -70,7 +70,8 @@ struct mbedtls_ssl_cache_entry mbedtls_time_t timestamp; /*!< entry timestamp */ #endif mbedtls_ssl_session session; /*!< entry session */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) mbedtls_x509_buf peer_cert; /*!< entry peer_cert */ #endif mbedtls_ssl_cache_entry *next; /*!< chain pointer */ diff --git a/library/ssl_cache.c b/library/ssl_cache.c index f5425944ed..62a0a29879 100644 --- a/library/ssl_cache.c +++ b/library/ssl_cache.c @@ -100,7 +100,8 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) /* * Restore peer certificate (without rest of the original chain) */ @@ -127,7 +128,7 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session ) goto exit; } } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ ret = 0; goto exit; @@ -247,7 +248,8 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session ) #endif } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) /* * If we're reusing an entry, free its certificate first */ @@ -256,7 +258,7 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session ) mbedtls_free( cur->peer_cert.p ); memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) ); } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /* Copy the entire session; this temporarily makes a copy of the * X.509 CRT structure even though we only want to store the raw CRT. 
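Review bot: In the reused-entry path of mbedtls_ssl_cache_set(), the only cleanup that runs before the new session is copied over `cur->session` is the `cur->peer_cert.p` release, and that is now compiled out when `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is disabled; if the copy that follows the `Copy the entire session` comment (the call itself is outside the hunk) allocates a fresh `peer_cert_digest` without first releasing the one the old entry holds, every overwrite of a cache slot leaks one digest in that configuration. Releasing the old session unconditionally before the copy, `mbedtls_ssl_session_free( &cur->session );`, would cover both configurations with one line, given that mbedtls_ssl_cache_free() already relies on that function to release an entry's session. mbedtls_ssl_cache_set() starts and ends outside this hunk.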
@@ -270,7 +272,8 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) /* If present, free the X.509 structure and only store the raw CRT data. */ if( cur->session.peer_cert != NULL ) { @@ -291,7 +294,7 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session ) mbedtls_free( cur->session.peer_cert ); cur->session.peer_cert = NULL; } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ ret = 0; @@ -333,9 +336,10 @@ void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache ) mbedtls_ssl_session_free( &prv->session ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) mbedtls_free( prv->peer_cert.p ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ mbedtls_free( prv ); } From 494dd7a6b4eed3c4fd35ad07895346e45ee90da6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 16:13:41 +0000 Subject: [PATCH 059/113] Add raw public key buffer bounds to mbedtls_x509_crt struct This commit adds an ASN.1 buffer field `pk_raw` to `mbedtls_x509_crt` which stores the bounds of the raw public key data within an X.509 CRT. This will be useful in subsequent commits to extract the peer's public key from its certificate chain. --- include/mbedtls/x509_crt.h | 1 + library/x509_crt.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 72c39019b1..b3f27be930 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h 
@@ -70,6 +70,7 @@ typedef struct mbedtls_x509_crt mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ mbedtls_x509_time valid_to; /**< End time of certificate validity. */ + mbedtls_x509_buf pk_raw; mbedtls_pk_context pk; /**< Container for the public key context. */ mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ diff --git a/library/x509_crt.c b/library/x509_crt.c index e3f169f2cf..5d82816f2b 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -996,11 +996,13 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, /* * SubjectPublicKeyInfo */ + crt->pk_raw.p = p; if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 ) { mbedtls_x509_crt_free( crt ); return( ret ); } + crt->pk_raw.len = p - crt->pk_raw.p; /* * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, From 75173121fe12a96a2b8d879aebda7377677892d0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 16:18:31 +0000 Subject: [PATCH 060/113] Add field for peer's raw public key to TLS handshake param structure When removing the (session-local) copy of the peer's CRT chain, we must keep a handshake-local copy of the peer's public key, as (naturally) every key exchange will make use of that public key at some point to verify that the peer actually owns the corresponding private key (e.g., verify signatures from ServerKeyExchange or CertificateVerify, or encrypt a PMS in a RSA-based exchange, or extract static (EC)DH parameters). This commit adds a PK context field `peer_pubkey` to the handshake parameter structure `mbedtls_handshake_params_init()` and adapts the init and free functions accordingly. It does not yet make actual use of the new field. --- include/mbedtls/ssl_internal.h | 4 ++++ library/ssl_tls.c | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 7cd0d1c4ac..5499115728 100644 --- a/include/mbedtls/ssl_internal.h 
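Review bot: `pk_raw` is added to `mbedtls_x509_crt` without a Doxygen comment while every neighbouring field has one, and since the structure is public the new member needs its contract stated. From the x509_crt.c hunk it holds the bounds of the SubjectPublicKeyInfo element within the DER buffer being parsed, not a copy, so something like `mbedtls_x509_buf pk_raw; /**< Raw DER SubjectPublicKeyInfo of the public key. Points into the DER data the CRT was parsed from; not a separate copy. */` tells users what it aliases and that it is only meaningful while that data is. Whether `pk_raw.tag` is expected to be set is not visible here; if other `mbedtls_x509_buf` members of the struct set it, this one should too.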
+++ b/include/mbedtls/ssl_internal.h @@ -336,6 +336,10 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_X509_CRT_PARSE_C */ size_t ecrs_n; /*!< place for saving a length */ #endif +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4ca8f326f4..290dbe08d1 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7173,6 +7173,11 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; #endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + mbedtls_pk_init( &handshake->peer_pubkey ); +#endif } static void ssl_transform_init( mbedtls_ssl_transform *transform ) @@ -9519,6 +9524,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) } #endif +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + mbedtls_pk_free( &handshake->peer_pubkey ); +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + #if defined(MBEDTLS_SSL_PROTO_DTLS) mbedtls_free( handshake->verify_cookie ); ssl_flight_free( handshake->flight ); From a27475335aba72c2743448f02a93b68c0c78d807 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Wed, 6 Feb 2019 16:19:04 +0000 Subject: [PATCH 061/113] Make a copy of peer's raw public key after verifying its CRT chain This commit modifies `mbedtls_ssl_parse_certificate()` to store a copy of the peer's public key after parsing and verifying the peer's CRT chain. So far, this leads to heavy memory duplication: We have the CRT chain in the I/O buffer, then parse (and, thereby, copy) it to a `mbedtls_x509_crt` structure, and then make another copy of the peer's public key, plus the overhead from the MPI and ECP structures. This inefficiency will soon go away to a significant extend, because: - Another PR adds functionality to parse CRTs without taking ownership of the input buffers. Applying this here will allow parsing and verifying the peer's chain without making an additional raw copy. The overhead reduces to the size of `mbedtls_x509_crt`, the public key, and the DN structures referenced in the CRT. - Once copyless parsing is in place and the removal of the peer CRT is fully implemented, we can extract the public key bounds from the parsed certificate and then free the entire chain before parsing the public key again. This means that we never store the parsed public key twice at the same time. --- library/ssl_tls.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 290dbe08d1..0afdd61c42 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -6284,6 +6284,24 @@ crt_verify: MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* Make a copy of the peer's raw public key. */ + mbedtls_pk_init( &ssl->handshake->peer_pubkey ); + { + unsigned char *p, *end; + p = chain->pk_raw.p; + end = p + chain->pk_raw.len; + ret = mbedtls_pk_parse_subpubkey( &p, end, + &ssl->handshake->peer_pubkey ); + if( ret != 0 ) + { + /* We should have parsed the public key before. */ + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto exit; + } + } +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + ssl->session_negotiate->peer_cert = chain; chain = NULL; From c7d7e29b462866638132e68e160202d2ba4379c3 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 16:49:54 +0000 Subject: [PATCH 062/113] Adapt ssl_write_encrypted_pms() to use raw public key We must dispatch between the peer's public key stored as part of the peer's CRT in the current session structure (situation until now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled), and the sole public key stored in the handshake structure (new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled). --- library/ssl_cli.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index b0c8b302e9..0056896c57 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2265,6 +2265,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, int ret; size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; unsigned char *p = ssl->handshake->premaster + pms_offset; + mbedtls_pk_context * peer_pk; if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN ) { 
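Review bot: `mbedtls_pk_init( &ssl->handshake->peer_pubkey )` in the new `#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)` block re-initialises a context that ssl_handshake_params_init() already initialises in this series, and pk_init merely overwrites the struct, so any key the context held at that point would be leaked rather than released. If this function can execute the block more than once per handshake (the `crt_verify:` label above suggests a restart path, but whether it re-enters this code is not visible here), the safe form is `mbedtls_pk_free( &ssl->handshake->peer_pubkey );` before the parse, which is harmless on a fresh context; otherwise the line can simply be dropped. A one-line comment that `chain->pk_raw` is taken from the first element of the chain, presumably the peer's end-entity certificate, would also help readers. The enclosing function continues outside the hunk.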
@@ -2290,23 +2291,27 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, ssl->handshake->pmslen = 48; +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + peer_pk = &ssl->handshake->peer_pubkey; +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( ssl->session_negotiate->peer_cert == NULL ) { /* Should never happen */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + peer_pk = &ssl->session_negotiate->peer_cert->pk; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /* * Now write it out, encrypted */ - if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, - MBEDTLS_PK_RSA ) ) + if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); } - if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, + if( ( ret = mbedtls_pk_encrypt( peer_pk, p, ssl->handshake->pmslen, ssl->out_msg + offset + len_bytes, olen, MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, From be7f50866d3aa8a0cc174a477af1f953de1e0a81 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 17:44:07 +0000 Subject: [PATCH 063/113] Adapt ssl_get_ecdh_params_from_cert() to use raw public key We must dispatch between the peer's public key stored as part of the peer's CRT in the current session structure (situation until now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled), and the sole public key stored in the handshake structure (new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled). --- library/ssl_cli.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0056896c57..a758524398 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
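Review bot: In the `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`-disabled branch `peer_pk` is taken from the handshake without any counterpart to the `peer_cert == NULL` internal-error guard kept in the other branch; if the certificate step never populated `peer_pubkey`, the context is still the empty one from init, `mbedtls_pk_can_do()` presumably returns 0 on it, and the failure surfaces as `certificate key type mismatch` instead of the internal inconsistency it is. Keeping the two branches equivalent costs two lines after the `#endif`: `if( mbedtls_pk_get_type( peer_pk ) == MBEDTLS_PK_NONE ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`. ssl_write_encrypted_pms() starts and ends outside this hunk.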
@@ -2406,21 +2406,26 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) { int ret; const mbedtls_ecp_keypair *peer_key; + mbedtls_pk_context * peer_pk; +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + peer_pk = &ssl->handshake->peer_pubkey; +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( ssl->session_negotiate->peer_cert == NULL ) { /* Should never happen */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + peer_pk = &ssl->session_negotiate->peer_cert->pk; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, - MBEDTLS_PK_ECKEY ) ) + if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); } - peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); + peer_key = mbedtls_pk_ec( *peer_pk ); if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, MBEDTLS_ECDH_THEIRS ) ) != 0 ) From a6899bb89d8e0f5d264c37d972e0fb0c1069a920 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 18:26:03 +0000 Subject: [PATCH 064/113] Adapt client-side signature verification to use raw public key We must dispatch between the peer's public key stored as part of the peer's CRT in the current session structure (situation until now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled), and the sole public key stored in the handshake structure (new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled). --- library/ssl_cli.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index a758524398..d4022496d3 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2650,6 +2650,8 @@ start_processing: size_t params_len = p - params; void *rs_ctx = NULL; + mbedtls_pk_context * peer_pk; + /* * Handle the digitally-signed structure */ 
@@ -2752,16 +2754,21 @@ start_processing: MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + peer_pk = &ssl->handshake->peer_pubkey; +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( ssl->session_negotiate->peer_cert == NULL ) { /* Should never happen */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + peer_pk = &ssl->session_negotiate->peer_cert->pk; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /* * Verify signature */ - if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) + if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, @@ -2774,8 +2781,7 @@ start_processing: rs_ctx = &ssl->handshake->ecrs_ctx.pk; #endif - if( ( ret = mbedtls_pk_verify_restartable( - &ssl->session_negotiate->peer_cert->pk, + if( ( ret = mbedtls_pk_verify_restartable( peer_pk, md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 ) { #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) From a1ab9be36721ba1922d6bc9c83ae3d590e5bdbbf Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 18:31:04 +0000 Subject: [PATCH 065/113] Adapt server-side signature verification to use raw public key We must dispatch between the peer's public key stored as part of the peer's CRT in the current session structure (situation until now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled), and the sole public key stored in the handshake structure (new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled). --- library/ssl_srv.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 5313b11a57..3fe0d6c079 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
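Review bot: The rewritten check `if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )` drops the space after `!` that the removed line and the neighbouring calls use (`if( ! mbedtls_pk_can_do( ... ) )` in the two ssl_cli.c hunks earlier in this series), so the file now mixes both spellings. Since the line is being touched anyway, keep the file's spacing: `if( ! mbedtls_pk_can_do( peer_pk, pk_alg ) )`. The same applies to the identical line in the ssl_srv.c hunk that follows in the series.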
@@ -4062,6 +4062,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) mbedtls_md_type_t md_alg; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; + mbedtls_pk_context * peer_pk; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); @@ -4093,6 +4094,17 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) i = mbedtls_ssl_hs_hdr_len( ssl ); +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + peer_pk = &ssl->handshake->peer_pubkey; +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + if( ssl->session_negotiate->peer_cert == NULL ) + { + /* Should never happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + peer_pk = &ssl->session_negotiate->peer_cert->pk; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + /* * struct { * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only @@ -4107,8 +4119,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) hashlen = 36; /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ - if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, - MBEDTLS_PK_ECDSA ) ) + if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) ) { hash_start += 16; hashlen -= 16; @@ -4163,7 +4174,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) /* * Check the certificate's key type matches the signature alg */ - if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) + if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); @@ -4196,7 +4207,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) /* Calculate hash and verify signature */ ssl->handshake->calc_verify( ssl, hash ); - if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, + if( ( ret = mbedtls_pk_verify( peer_pk, md_alg, hash_start, hashlen, ssl->in_msg + i, sig_len ) ) != 0 ) { 
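Review bot: The ten-line `peer_pk` selection block inserted after `i = mbedtls_ssl_hs_hdr_len( ssl );` is the fourth verbatim copy of the same `#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)` dispatch in this series (ssl_write_encrypted_pms(), ssl_get_ecdh_params_from_cert() and the client-side ServerKeyExchange verification carry the other three), each with its own `Should never happen` guard. A small helper in the shared TLS code, used by all four call sites, would keep the split in one place and make the NULL case a single documented contract; the sketch below returns NULL where the current copies return MBEDTLS_ERR_SSL_INTERNAL_ERROR, so every caller keeps its existing error path. Where it lives (static inline in ssl_internal.h, or exported from ssl_tls.c) is a matter of taste. ssl_parse_certificate_verify() starts and ends outside the hunk.
```c
/* Public key from the peer's certificate for the current handshake, or NULL
 * if none is available. With MBEDTLS_SSL_KEEP_PEER_CERTIFICATE it lives in
 * the session's CRT chain, otherwise in the handshake-local copy. */
static mbedtls_pk_context *ssl_peer_pk( mbedtls_ssl_context *ssl )
{
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    return( &ssl->handshake->peer_pubkey );
#else
    if( ssl->session_negotiate->peer_cert == NULL )
        return( NULL );
    return( &ssl->session_negotiate->peer_cert->pk );
#endif
}

/* … unchanged: ssl_parse_certificate_verify() up to the dispatch … */
    if( ( peer_pk = ssl_peer_pk( ssl ) ) == NULL )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); /* Should never happen */
```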
From 57b33c9e4eecdd2d9bcc696349391c37bca2f946 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:28:57 +0000 Subject: [PATCH 066/113] Use mbedtls_ssl_get_peer_cert() to query peer cert in cert_app --- programs/x509/cert_app.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 626c4d101e..38fbd51bf4 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -467,9 +467,12 @@ int main( int argc, char *argv[] ) /* * 5. Print the certificate */ +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + mbedtls_printf( " . Peer certificate information ... skipped\n" ); +#else mbedtls_printf( " . Peer certificate information ...\n" ); ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", - ssl.session->peer_cert ); + mbedtls_ssl_get_peer_cert( &ssl ) ); if( ret == -1 ) { mbedtls_printf( " failed\n ! mbedtls_x509_crt_info returned %d\n\n", ret ); @@ -477,6 +480,7 @@ int main( int argc, char *argv[] ) } mbedtls_printf( "%s\n", buf ); +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ mbedtls_ssl_close_notify( &ssl ); From 2a831a4ba7c1344ecd219e735adca1987e090154 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:17:25 +0000 Subject: [PATCH 067/113] Adapt client auth detection in ssl_parse_certificate_verify() The server expects a CertificateVerify message only if it has previously received a Certificate from the client. So far, this was detected by looking at the `peer_cert` field in the current session. Preparing to remove the latter, this commit changes this to instead determine the presence of a peer certificate by checking the new `peer_cert_digest` pointer. --- library/ssl_srv.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 3fe0d6c079..c969089566 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -4066,14 +4066,29 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); - if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || - ssl->session_negotiate->peer_cert == NULL ) + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); ssl->state++; return( 0 ); } +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + if( ssl->session_negotiate->peer_cert == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); + ssl->state++; + return( 0 ); + } +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + if( ssl->session_negotiate->peer_cert_digest == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); + ssl->state++; + return( 0 ); + } +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + /* Read the message without adding it to the checksum */ ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ ); if( 0 != ret ) From abe6f66c00452dd314cfc3ca80c1136a420510cd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:29:55 +0000 Subject: [PATCH 068/113] Remove peer CRT from mbedtls_ssl_session if new option is disabled --- include/mbedtls/ssl.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6dcc43b933..dad8ebd060 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
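Review bot: The client-authentication detection is now spread over three identical skip blocks (ciphersuite check, `peer_cert == NULL`, `peer_cert_digest == NULL`), each repeating the debug message, `ssl->state++` and `return( 0 )`, which makes it easy for a later edit to update one exit and not the others. Computing a single `peer_cert_present` flag under the `#if` and keeping the original combined condition, as below, preserves the behaviour with one skip path; the local declaration would go in the declaration block at the top of the function, outside the hunk. Whether `peer_cert_digest` is set for a received-but-unverified client certificate under MBEDTLS_SSL_VERIFY_OPTIONAL is not visible here and is worth confirming, since that decides whether a CertificateVerify is expected in that case.
```c
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    peer_cert_present = ( ssl->session_negotiate->peer_cert != NULL );
#else
    /* Without the CRT itself, the stored digest is what records that a
     * client certificate was received. */
    peer_cert_present = ( ssl->session_negotiate->peer_cert_digest != NULL );
#endif

    if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
        !peer_cert_present )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
        ssl->state++;
        return( 0 );
    }
```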
@@ -818,14 +818,15 @@ struct mbedtls_ssl_session unsigned char master[48]; /*!< the master secret */ #if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */ -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /*! The digest of the peer's end-CRT. This must be kept to detect CRT * changes during renegotiation, mitigating the triple handshake attack. */ unsigned char *peer_cert_digest; size_t peer_cert_digest_len; mbedtls_md_type_t peer_cert_digest_type; -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ uint32_t verify_result; /*!< verification result */ From 94cc26dfa6ba5d400c7b5731ca7dbcacb33b65e4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 12:26:46 +0000 Subject: [PATCH 069/113] Adapt session ticket implementation to removal of `peer_cert` field --- library/ssl_ticket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index e4054b4e5b..a93a6ba144 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -292,8 +292,9 @@ static int ssl_load_session( mbedtls_ssl_session *session, /* Non-NULL pointer fields of `session` are meaningless * and potentially harmful. Zeroize them for safety. */ #if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) session->peer_cert = NULL; -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else session->peer_cert_digest = NULL; #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ From 6d1986e6f5184bfb5669528cb7a0abb3493fa80a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 12:27:42 +0000 Subject: [PATCH 070/113] Adapt mbedtls_ssl_session_copy() to removal of `peer_cert` field --- library/ssl_tls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
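Review bot: The field change makes the layout of the public `mbedtls_ssl_session` depend on `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`, and the ticket code in this series serialises that structure verbatim (`0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)`), so tickets and cached sessions are not interchangeable between builds that differ in this option, on top of the existing build-dependence; neither this hunk nor the ChangeLog entry mentions it. A sentence on the field group would do, e.g. `/*! Note: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE changes the layout of this structure, so serialised sessions (tickets, caches) are only compatible between builds with the same setting. */`. Whether an existing format version or key-rotation mechanism already rules such mix-ups out is not visible here.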
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0afdd61c42..b3e50a64e3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -286,6 +286,8 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); #if defined(MBEDTLS_X509_CRT_PARSE_C) + +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) if( src->peer_cert != NULL ) { int ret; @@ -304,8 +306,7 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, return( ret ); } } - -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( src->peer_cert_digest != NULL ) { dst->peer_cert_digest_len = src->peer_cert_digest_len; From 13c327d5003dc6f4e15c175379d4f1d718f7dbf2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:17:53 +0000 Subject: [PATCH 071/113] Adapt ssl_clear_peer_cert() to removal of `peer_cert` field --- library/ssl_tls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b3e50a64e3..f012fb6a8b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5775,14 +5775,14 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) { +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) if( session->peer_cert != NULL ) { mbedtls_x509_crt_free( session->peer_cert ); mbedtls_free( session->peer_cert ); session->peer_cert = NULL; } - -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#else if( session->peer_cert_digest != NULL ) { /* Zeroization is not necessary. */ @@ -5791,7 +5791,7 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) session->peer_cert_digest_type = MBEDTLS_MD_NONE; session->peer_cert_digest_len = 0; } -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ } /* From b6c5eca2d51467beec0ae18e66a7b32d593aef00 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Thu, 7 Feb 2019 13:18:21 +0000 Subject: [PATCH 072/113] Adapt mbedtls_ssl_parse_certificate() to removal of peer_cert field --- library/ssl_tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f012fb6a8b..141c2550d0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6301,10 +6301,10 @@ crt_verify: goto exit; } } -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - +#else ssl->session_negotiate->peer_cert = chain; chain = NULL; +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); From d0aac143035a153d3c308675bf0dccf8a0fbce55 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:44:35 +0000 Subject: [PATCH 073/113] Add dependency to ssl-opt.sh tests which need peer CRT debug info --- tests/ssl-opt.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ff05f64932..f81bddbd63 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2956,6 +2956,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig # Tests for certificate selection based on SHA verson +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -2966,6 +2967,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ 
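Review bot: With `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` disabled, the parsed `chain` is no longer handed to `session_negotiate`, so whatever follows the `exit:` label (outside the hunk) is now responsible for freeing it on the success path as well, and a reader of the new `#else` arm cannot tell from here whether that happens. If the cleanup at `exit:` frees a non-NULL `chain`, a comment on the `#if !defined` branch would make the ownership explicit, e.g. `/* Only the digest and the public key are kept; the chain is freed at exit. */`; if it does not, the success path leaks the whole parsed chain in this configuration.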
@@ -2976,6 +2978,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -2986,6 +2989,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -2997,6 +3001,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ "$P_SRV crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ @@ -3010,6 +3015,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ # tests for SNI +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -3019,6 +3025,7 @@ run_test "SNI: no SNI callback" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ 
@@ -3029,6 +3036,7 @@ run_test "SNI: matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3146,6 +3154,7 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -3155,6 +3164,7 @@ run_test "SNI: DTLS, no SNI callback" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3165,6 +3175,7 @@ run_test "SNI: DTLS, matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" +requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ From e68245750ab48a6a834885d2b6e78ea9db5c2a31 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:18:46 +0000 Subject: [PATCH 074/113] Guard mbedtls_ssl_get_peer_cert() by new compile-time option --- library/ssl_tls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 141c2550d0..df5e036490 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8666,7 +8666,11 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ss if( ssl == NULL || ssl->session == NULL ) return( NULL ); +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) return( ssl->session->peer_cert ); +#else + return( NULL ); +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ } #endif /* MBEDTLS_X509_CRT_PARSE_C */ From e31505d64ed8b9384a85b1d094e22b0d96098a90 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:42:45 +0000 Subject: [PATCH 075/113] Adapt ChangeLog --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2500919d8f..bf58d41bdd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,13 @@ Features API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. See the Features section for more information. + * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert() + for the benefit of saving RAM, by disabling the new compile-time + option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for + API stability). Disabling this option makes mbedtls_ssl_get_peer_cert() + always return NULL, and removes the peer_cert field from the + mbedtls_ssl_session structure which otherwise stores the peer's + certificate. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined From b9d447908089bce8434766c4ff41144aee7e0865 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 8 Feb 2019 07:19:04 +0000 Subject: [PATCH 076/113] Correct compile-time guards for ssl_clear_peer_cert() It is used in `mbedtls_ssl_session_free()` under `MBEDTLS_X509_CRT_PARSE_C`, but defined only if `MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED`. Issue #2422 tracks the use of `MBEDTLS_KEY_EXCHANGE__WITH_CERT_ENABLED` instead of `MBEDTLS_X509_CRT_PARSE_C` for code and fields related to CRT-based ciphersuites. --- library/ssl_tls.c | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index df5e036490..b75101b255 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5570,6 +5570,29 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, return( 0 ); } +#if defined(MBEDTLS_X509_CRT_PARSE_C) +static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) +{ +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + if( session->peer_cert != NULL ) + { + mbedtls_x509_crt_free( session->peer_cert ); + mbedtls_free( session->peer_cert ); + session->peer_cert = NULL; + } +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + if( session->peer_cert_digest != NULL ) + { + /* Zeroization is not necessary. */ + mbedtls_free( session->peer_cert_digest ); + session->peer_cert_digest = NULL; + session->peer_cert_digest_type = MBEDTLS_MD_NONE; + session->peer_cert_digest_len = 0; + } +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +} +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + /* * Handshake functions */ @@ -5773,27 +5796,6 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ -static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) -{ -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - if( session->peer_cert != NULL ) - { - mbedtls_x509_crt_free( session->peer_cert ); - mbedtls_free( session->peer_cert ); - session->peer_cert = NULL; - } -#else - if( session->peer_cert_digest != NULL ) - { - /* Zeroization is not necessary. */ - mbedtls_free( session->peer_cert_digest ); - session->peer_cert_digest = NULL; - session->peer_cert_digest_type = MBEDTLS_MD_NONE; - session->peer_cert_digest_len = 0; - } -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -} - /* * Once the certificate message is read, parse it into a cert chain and * perform basic checks, but leave actual verification to the caller From ae553dde3a6aa563722d7667032a43449997d648 Mon Sep 17 00:00:00 2001 
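Review bot: The relocated `ssl_clear_peer_cert()` still has no header comment, and its two configurations release different fields, so a one-line purpose comment above it would help: `/* Release whatever the session holds about the peer's certificate: the parsed chain, or only its digest when MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled. */`. The `/* Zeroization is not necessary. */` remark in the digest branch would also benefit from stating its reason, presumably that the digest is derived from a public certificate rather than from key material. The caller `mbedtls_ssl_session_free()` named in the commit message is outside this hunk, so whether every path reaching the helper tolerates a NULL `session` cannot be checked here.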
From: Hanno Becker Date: Fri, 8 Feb 2019 14:06:00 +0000 Subject: [PATCH 077/113] Free peer's public key as soon as it's no longer needed On constrained devices, this saves a significant amount of RAM that might be needed for subsequent expensive operations like ECDHE. --- library/ssl_cli.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index d4022496d3..1312e011b9 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2331,6 +2331,10 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, } #endif +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* We don't need the peer's public key anymore. Free it. */ + mbedtls_pk_free( peer_pk ); +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ return( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || @@ -2440,6 +2444,13 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); } +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* We don't need the peer's public key anymore. Free it, + * so that more RAM is available for upcoming expensive + * operations like ECDHE. */ + mbedtls_pk_free( peer_pk ); +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + return( ret ); } #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || @@ -2796,6 +2807,13 @@ start_processing: #endif return( ret ); } + +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* We don't need the peer's public key anymore. Free it, + * so that more RAM is available for upcoming expensive + * operations like ECDHE. */ + mbedtls_pk_free( peer_pk ); +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ } #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ From 0056eab3cd6d3a84015a81d655418e59f036de60 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 8 Feb 2019 14:39:16 +0000 Subject: [PATCH 078/113] Parse peer's CRT chain in-place from the input buffer --- library/ssl_tls.c | 6 ++++++ 1 file changed, 6 insertions(+) 
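Review bot: `mbedtls_pk_free( peer_pk )` is reached only on the success path of `ssl_write_encrypted_pms()` and of the two later sites, so on an error return the key stays allocated until handshake teardown; that is fine only if `handshake->peer_pubkey` is also released there, which is outside this hunk and should be confirmed. Where `peer_pk` is assigned is also outside the hunk; the early free is safe only when it points at the handshake's own copy and never at a certificate structure that is still referenced afterwards. The comment at the first site drops the RAM rationale the other two carry; using the same three-line comment at all three sites keeps the intent uniform.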
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b75101b255..03944b43d9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5910,7 +5910,13 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ /* Parse the next certificate in the chain. */ +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n ); +#else + /* If we don't need to store the CRT chani permanently, parse + * it in-place from the input buffer instead of making a copy. */ + ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n ); +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ switch( ret ) { case 0: /*ok*/ From 6b8fbab290bd8df8b51c747c86f2f8e68a00517c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 8 Feb 2019 14:59:05 +0000 Subject: [PATCH 079/113] Free peer CRT chain immediately after verifying it If we don't need to store the peer's CRT chain permanently, we may free it immediately after verifying it. Moreover, since we parse the CRT chain in-place from the input buffer in this case, pointers from the CRT structure remain valid after freeing the structure, and we use that to extract the digest and pubkey from the CRT after freeing the structure. --- library/ssl_tls.c | 116 ++++++++++++++++++++++++++++++---------------- 1 file changed, 77 insertions(+), 39 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 03944b43d9..219fe475ea 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
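Review bot: The comment on the `mbedtls_x509_crt_parse_der_nocopy()` branch should spell out the lifetime consequence: the parsed chain then references `ssl->in_msg` directly, so it presumably must not outlive the current record in the input buffer. Suggested wording: `/* Without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE the chain is only needed during this handshake step, so parse it in place; raw/pk_raw then point into ssl->in_msg and the chain must be released before the input buffer is reused. */`. The enclosing `ssl_parse_certificate_chain()` starts and ends outside the hunk.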
@@ -6173,6 +6173,58 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, return( ret ); } +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl, + unsigned char *start, size_t len ) +{ + int ret; + /* Remember digest of the peer's end-CRT. */ + ssl->session_negotiate->peer_cert_digest = + mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ); + if( ssl->session_negotiate->peer_cert_digest == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", + sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) ) ); + mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + + ret = mbedtls_md( mbedtls_md_info_from_type( + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ), + start, len, + ssl->session_negotiate->peer_cert_digest ); + + ssl->session_negotiate->peer_cert_digest_type = + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; + ssl->session_negotiate->peer_cert_digest_len = + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; + + return( ret ); +} + +static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl, + unsigned char *start, size_t len ) +{ + unsigned char *end = start + len; + int ret; + + /* Make a copy of the peer's raw public key. */ + mbedtls_pk_init( &ssl->handshake->peer_pubkey ); + ret = mbedtls_pk_parse_subpubkey( &start, end, + &ssl->handshake->peer_pubkey ); + if( ret != 0 ) + { + /* We should have parsed the public key before. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + return( 0 ); +} +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) { int ret = 0; 
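Review bot: `sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN )` in the alloc-failure message of `ssl_remember_peer_crt_digest()` is the size of an integer constant, not the digest length, so the log reports the wrong number; it should read `MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );`. In the same helper `peer_cert_digest_type` and `peer_cert_digest_len` are assigned even when `mbedtls_md()` failed, leaving a session that claims a valid digest over undefined bytes; returning `ret` before those assignments when it is non-zero avoids that. `ssl_remember_peer_pubkey()` returns `MBEDTLS_ERR_SSL_INTERNAL_ERROR` without sending an alert while its sibling does; if that asymmetry is intended it deserves a comment.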
@@ -6265,54 +6317,40 @@ crt_verify: goto exit; #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - - /* Remember digest of the peer's end-CRT. */ - ssl->session_negotiate->peer_cert_digest = - mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ); - if( ssl->session_negotiate->peer_cert_digest == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", - sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) ) ); - mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + unsigned char *crt_start, *pk_start; + size_t crt_len, pk_len; - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto exit; - } - ret = mbedtls_md( mbedtls_md_info_from_type( - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ), - chain->raw.p, chain->raw.len, - ssl->session_negotiate->peer_cert_digest ); - if( ret != 0 ) - goto exit; + /* We parse the CRT chain without copying, so + * these pointers point into the input buffer, + * and are hence still valid after freeing the + * CRT chain. */ - ssl->session_negotiate->peer_cert_digest_type = - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; - ssl->session_negotiate->peer_cert_digest_len = - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + crt_start = chain->raw.p; + crt_len = chain->raw.len; -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - /* Make a copy of the peer's raw public key. */ - mbedtls_pk_init( &ssl->handshake->peer_pubkey ); - { - unsigned char *p, *end; - p = chain->pk_raw.p; - end = p + chain->pk_raw.len; - ret = mbedtls_pk_parse_subpubkey( &p, end, - &ssl->handshake->peer_pubkey ); + pk_start = chain->pk_raw.p; + pk_len = chain->pk_raw.len; + + /* Free the CRT structures before computing + * digest and copying the peer's public key. 
*/ + mbedtls_x509_crt_free( chain ); + mbedtls_free( chain ); + chain = NULL; + + ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len ); + if( ret != 0 ) + goto exit; + + ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len ); if( ret != 0 ) - { - /* We should have parsed the public key before. */ - ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; goto exit; - } } -#else +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + /* Pass ownership to session structure. */ ssl->session_negotiate->peer_cert = chain; chain = NULL; -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); From 545ced45f7cb8bbdc991911e16f4adf025f405a4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 19 Feb 2019 11:10:48 +0000 Subject: [PATCH 080/113] Add test for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to all.sh --- tests/scripts/all.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 26881595a5..3953f638a3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -968,6 +968,22 @@ component_test_no_max_fragment_length () { if_build_succeeded tests/ssl-opt.sh -f "Max fragment length" } +component_test_asan_remove_peer_certificate () { + msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" + scripts/config.pl unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + make test + + msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + if_build_succeeded tests/ssl-opt.sh + + msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + if_build_succeeded tests/compat.sh +} + component_test_no_max_fragment_length_small_ssl_out_content_len () { msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 
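Review bot: The digest and public-key extraction after `mbedtls_x509_crt_free( chain )` is correct only because `crt_start`/`pk_start` point into `ssl->in_msg` rather than into the freed object, which holds when `chain` came from `mbedtls_x509_crt_parse_der_nocopy()` in `ssl_parse_certificate_chain()`; that producer is outside this hunk, and any other source of `chain` under `!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` (the restartable-ECC `ecrs_peer_cert` path, if it can supply one) would turn these into dangling pointers. The comment should name that dependency explicitly, e.g. `/* Only valid because ssl_parse_certificate_chain() parses without copying under !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE. */`. `mbedtls_ssl_parse_certificate()` begins before this hunk, so the `exit:` handling of a NULL `chain` on the error paths cannot be checked here.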
From 1aed7779ec344b7d37ee2fec7a1b33e38790d270 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Feb 2019 16:27:15 +0000 Subject: [PATCH 081/113] Remove misleading and redundant guard around restartable ECC field `MBEDTLS_SSL__ECP_RESTARTABLE` is only defined if `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED` is set, which requires `MBEDTLS_X509_PARSE_C` to be set (this is checked in `check_config.`). The additional `MBEDTLS_X509_PARSE_C` guard around the `ecrs_peer_cert` field is therefore not necessary; moreover, it's misleading, because it hasn't been used consistently throughout the code. --- include/mbedtls/ssl_internal.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 5499115728..0d543c19bb 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -331,9 +331,7 @@ struct mbedtls_ssl_handshake_params ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ } ecrs_state; /*!< current (or last) operation */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ size_t ecrs_n; /*!< place for saving a length */ #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ From 3acc9b90421b796b2aafac79bdd0113646686bde Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 25 Feb 2019 10:03:26 +0000 Subject: [PATCH 082/113] Remove question in comment about verify flags on cli vs. server --- library/ssl_tls.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 219fe475ea..9eaee9d07b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -6015,8 +6015,6 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, if( authmode == MBEDTLS_SSL_VERIFY_NONE ) { - /* NOTE: Is it intentional that we set verify_result - * to SKIP_VERIFY on server-side only? */ ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; return( SSL_CERTIFICATE_SKIP ); From accc5998ae38eab3458af9d446359e4c95f0bf8a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 25 Feb 2019 10:06:59 +0000 Subject: [PATCH 083/113] Set peer CRT length only after successful allocation --- library/ssl_tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9eaee9d07b..82ba623e05 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -309,15 +309,15 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( src->peer_cert_digest != NULL ) { - dst->peer_cert_digest_len = src->peer_cert_digest_len; dst->peer_cert_digest = - mbedtls_calloc( 1, dst->peer_cert_digest_len ); + mbedtls_calloc( 1, src->peer_cert_digest_len ); if( dst->peer_cert_digest == NULL ) return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); memcpy( dst->peer_cert_digest, src->peer_cert_digest, src->peer_cert_digest_len ); dst->peer_cert_digest_type = src->peer_cert_digest_type; + dst->peer_cert_digest_len = src->peer_cert_digest_len; } #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ From 3fd3f5ebe4678f22a9da966198f231492a1db7d5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 25 Feb 2019 10:08:06 +0000 Subject: [PATCH 084/113] Fix indentation of Doxygen comment in ssl_internal.h --- include/mbedtls/ssl_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 0d543c19bb..5dde239dff 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
@@ -331,7 +331,7 @@ struct mbedtls_ssl_handshake_params ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ } ecrs_state; /*!< current (or last) operation */ - mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ + mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ size_t ecrs_n; /*!< place for saving a length */ #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ From fd7f298c6a460fa391e769b7d91ee312af592a6b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 25 Feb 2019 10:13:33 +0000 Subject: [PATCH 085/113] Improve documentation of MBEDTLS_SSL_KEEP_PEER_CERTIFICATE --- include/mbedtls/config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 091ce018f1..484ff725d0 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1357,7 +1357,7 @@ /** * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * - * This option controls the presence of the API mbedtls_ssl_get_peer_cert() + * This option controls the availability of the API mbedtls_ssl_get_peer_cert() * giving access to the peer's certificate after completion of the handshake. * * Unless you need mbedtls_ssl_peer_cert() in your application, it is From 958efeb48161e42942a1cdd6b144488663f894e4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 25 Feb 2019 10:13:43 +0000 Subject: [PATCH 086/113] Improve documentation of mbedtls_ssl_get_peer_cert() --- include/mbedtls/ssl.h | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index dad8ebd060..6e2337930f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
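Review bot: The context line two lines below the reworded one refers to `mbedtls_ssl_peer_cert()`, which does not match the API `mbedtls_ssl_get_peer_cert()` the new line names; since this commit edits that paragraph anyway, correcting it to `* Unless you need mbedtls_ssl_get_peer_cert() in your application, it is` keeps the option's documentation consistent. The rest of the `\def` block, including the default and the effect on `mbedtls_ssl_session`, lies outside the hunk.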
@@ -2998,20 +2998,16 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); /** * \brief Return the peer certificate from the current connection. * - * For ciphersuites not using certificate-based peer - * authentication (such as PSK-based ciphersuites), no - * peer certificate is available, and this function returns - * \c NULL. - * * \param ssl The SSL context to use. This must be initialized and setup. * - * \return The current peer certificate, or \c NULL if - * none is available, which might be because the chosen - * ciphersuite does not use peer certificates, or because - * #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled. - * If this functions does not return \c NULL, the returned - * certificate is owned by the SSL context and valid only - * until the next call to the SSL API. + * \return The current peer certificate, if available. + * The returned certificate is owned by the SSL context and + * is valid only until the next call to the SSL API. + * \return \c NULL if no peer certificate is available. This might + * be because the chosen ciphersuite doesn't use CRTs + * (PSK-based ciphersuites, for example), or because + * #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled, + * allowing the stack to free the peer's CRT to save memory. * * \note For one-time inspection of the peer's certificate during * the handshake, consider registering an X.509 CRT verification From a9766c2c23074fffa70e0783fd9ecfbd4d0c8ca7 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Mon, 25 Feb 2019 17:43:18 +0000 Subject: [PATCH 087/113] ssl_client2: Extract peer CRT info from verification callback So far, `ssl_client2` printed the CRT info for the peer's CRT by requesting the latter through `mbedtls_ssl_get_peer_cert()` at the end of the handshake, and printing it via `mbedtls_x509_crt_info()`. When `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is disabled, this does no longer work because the peer's CRT isn't stored beyond the handshake. This makes some tests in `ssl-opt.sh` fail which rely on the CRT info output for the peer certificate. This commit modifies `ssl_client2` to extract the peer CRT info from the verification callback, which is always called at a time when the peer's CRT is available. This way, the peer's CRT info is still printed if `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is disabled. --- programs/ssl/ssl_client2.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index c2a8d42d20..3089d8657c 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -478,6 +478,8 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) } #if defined(MBEDTLS_X509_CRT_PARSE_C) +static unsigned char peer_crt_info[1024] = { 0 }; + /* * Enabled if debug_level > 1 in code below */ @@ -487,8 +489,14 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, char buf[1024]; ((void) data); - mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth ); mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); + if( depth == 0 ) + memcpy( peer_crt_info, buf, sizeof( buf ) ); + + if( opt.debug_level == 0 ) + return( 0 ); + + mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth ); mbedtls_printf( "%s", buf ); if ( ( *flags ) == 0 ) 
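Review bot: `memcpy( peer_crt_info, buf, sizeof( buf ) )` in `my_verify()` copies all 1024 bytes of `buf`, but `mbedtls_x509_crt_info()` only wrote the formatted text and its terminator into an otherwise uninitialised local, so the copy reads indeterminate stack bytes into a static. Copying just the string, `memcpy( peer_crt_info, buf, strlen( buf ) + 1 );`, or rendering into `peer_crt_info` directly when `depth == 0`, avoids it; checking the negative return of `mbedtls_x509_crt_info()` before using `buf` would also be prudent. The comment `Enabled if debug_level > 1 in code below` above the callback no longer holds once the callback is registered unconditionally in the next hunk and should be removed or reworded. `my_verify()` continues past the end of the hunk.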
@@ -1503,8 +1511,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test ); } - if( opt.debug_level > 0 ) - mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); + mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ if( opt.auth_mode != DFL_AUTH_MODE ) @@ -1833,13 +1840,8 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " ok\n" ); - if( mbedtls_ssl_get_peer_cert( &ssl ) != NULL ) - { - mbedtls_printf( " . Peer certificate information ...\n" ); - mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", - mbedtls_ssl_get_peer_cert( &ssl ) ); - mbedtls_printf( "%s\n", buf ); - } + mbedtls_printf( " . Peer certificate information ...\n" ); + mbedtls_printf( "%s\n", peer_crt_info ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_RENEGOTIATION) From fe9aec4cb1b594c0a61b40ffe2649f89627a7df1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 25 Feb 2019 18:01:57 +0000 Subject: [PATCH 088/113] Reintroduce numerous ssl-opt.sh tests if !MBEDTLS_SSL_KEEP_PEER_CERT --- tests/ssl-opt.sh | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f81bddbd63..ff05f64932 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2956,7 +2956,6 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig # Tests for certificate selection based on SHA verson -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -2967,7 +2966,6 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ 
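Review bot: The unconditional `mbedtls_printf( "%s\n", peer_crt_info )` changes the output for connections without a peer certificate (PSK suites, or a server that sent none): the old code skipped the block when `mbedtls_ssl_get_peer_cert()` returned NULL, the new one prints the heading followed by an empty line. Guarding with `if( peer_crt_info[0] != '\0' )` restores the previous behaviour, unless the ssl-opt.sh expectations were deliberately changed to rely on the heading. Passing an `unsigned char` array to `%s` is also a type mismatch, harmless in practice; declaring `peer_crt_info` as `char` matches `buf` in `my_verify()`. `main()` extends well beyond this hunk.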
@@ -2978,7 +2976,6 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -2989,7 +2986,6 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -3001,7 +2997,6 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ "$P_SRV crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ @@ -3015,7 +3010,6 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ # tests for SNI -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -3025,7 +3019,6 @@ run_test "SNI: no SNI callback" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ 
@@ -3036,7 +3029,6 @@ run_test "SNI: matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3154,7 +3146,6 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -3164,7 +3155,6 @@ run_test "SNI: DTLS, no SNI callback" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3175,7 +3165,6 @@ run_test "SNI: DTLS, matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_enabled MBEDTLS_SSL_KEEP_PEER_CERTIFICATE run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ From a1051b4e9ae55827be7792272dfe59f28f07307a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 26 Feb 2019 11:38:29 +0000 Subject: [PATCH 089/113] ssl_client2: Zeroize peer CRT info buffer when reconnecting --- programs/ssl/ssl_client2.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 3089d8657c..73b707c6a7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
@@ -478,7 +478,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) } #if defined(MBEDTLS_X509_CRT_PARSE_C) -static unsigned char peer_crt_info[1024] = { 0 }; +static unsigned char peer_crt_info[1024]; /* * Enabled if debug_level > 1 in code below @@ -1512,6 +1512,7 @@ int main( int argc, char *argv[] ) } mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); + memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ if( opt.auth_mode != DFL_AUTH_MODE ) @@ -2217,6 +2218,8 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); + memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); + if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_session_reset returned -0x%x\n\n", From fe4ef0c1ae20dde1eb5a63b3083576b2e16579cc Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 26 Feb 2019 11:43:09 +0000 Subject: [PATCH 090/113] Add config sanity check for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE --- include/mbedtls/check_config.h | 8 ++++++++ include/mbedtls/ssl.h | 7 +++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ea05938eda..962d3db87e 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -280,6 +280,14 @@ #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ + ( !defined(MBEDTLS_SHA256_C) && \ + !defined(MBEDTLS_SHA512_C) && \ + !defined(MBEDTLS_SHA1_C) ) +#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C" +#endif + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \ ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) ) #error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites" 
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6e2337930f..b793ac04bc 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -787,7 +787,8 @@ typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl, typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN 48 #if defined(MBEDTLS_SHA256_C) #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256 @@ -799,9 +800,11 @@ typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl ); #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 20 #else +/* This is already checked in check_config.h, but be sure. */ #error "Bad configuration - need SHA-1, SHA-256 or SHA-512 enabled to compute digest of peer CRT." #endif -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED && + !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /* * This structure is used for storing current session data. From 68838740136c5b5a3ee2fd3fbcd81bcccefad7fd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 26 Feb 2019 11:44:20 +0000 Subject: [PATCH 091/113] Fix typo in SSL ticket documentation --- library/ssl_ticket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index a93a6ba144..ed65bcd639 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c 
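Review bot: The fallback to `MBEDTLS_MD_SHA1` for `MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE` deserves a caveat in the new comment: in a `!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` build the digest stands in for the peer certificate in later comparisons (the renegotiation check `ssl_check_peer_crt_unchanged()` seen in an earlier hunk), so a SHA-1-only configuration rests on SHA-1 collision resistance for that check. A short note such as `/* SHA-1 is accepted only as a last resort; prefer SHA-256 or SHA-512 where the peer certificate digest is compared later. */` would make the trade-off visible to integrators. The comparison itself is outside this hunk.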
@@ -195,7 +195,7 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, * * - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled: * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) - * n . n length of peer certificate digest = k (0 if n digest) + * n . n length of peer certificate digest = k (0 if no digest) * n+1 . n+k peer certificate digest (digest type encoded in session) */ static int ssl_save_session( const mbedtls_ssl_session *session, From 62d58ed97501cd5ce2db5c84c25f3b87a8516274 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 26 Feb 2019 11:51:06 +0000 Subject: [PATCH 092/113] Add debug output in case of assertion failure --- library/ssl_cli.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 1312e011b9..d309f6d96a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2297,6 +2297,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, if( ssl->session_negotiate->peer_cert == NULL ) { /* Should never happen */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } peer_pk = &ssl->session_negotiate->peer_cert->pk; From 353a6f0d50565073c71b55a1ae813a6bcfdae4dd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 26 Feb 2019 11:51:34 +0000 Subject: [PATCH 093/113] Fix typo in documentation of ssl_parse_certificate_chain() --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 82ba623e05..a956bab8f9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
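Review bot: The new `MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) )` repeats the adjacent comment and names neither the condition nor the function, so a log containing it cannot be traced back; `MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer_cert is NULL in ssl_write_encrypted_pms" ) );` is more useful. The same applies to the two identical messages added in the next commit's hunks in `ssl_get_ecdh_params_from_cert()` and the server-signature path. Each enclosing function extends beyond its hunk.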
@@ -5913,7 +5913,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
 ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
 #else
- /* If we don't need to store the CRT chani permanently, parse
+ /* If we don't need to store the CRT chain permanently, parse
 * it in-place from the input buffer instead of making a copy. */
 ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
From bd5580abb1792883883895c617d6a935f924c4ed Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 26 Feb 2019 12:36:01 +0000
Subject: [PATCH 094/113] Add further debug statements on assertion failures
---
 library/ssl_cli.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d309f6d96a..4e5b3a6024 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2419,6 +2419,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 if( ssl->session_negotiate->peer_cert == NULL )
 {
 /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 peer_pk = &ssl->session_negotiate->peer_cert->pk;
@@ -2772,6 +2773,7 @@ start_processing:
 if( ssl->session_negotiate->peer_cert == NULL )
 {
 /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 peer_pk = &ssl->session_negotiate->peer_cert->pk;
From 23699efe78fbdb45e468b2d1dfdd18299dfd3776 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 26 Feb 2019 12:36:53 +0000
Subject: [PATCH 095/113] ssl_client2: Reset peer CRT info string on reconnect
---
 programs/ssl/ssl_client2.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 73b707c6a7..f370bf0fce 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2147,6 +2147,8 @@ send_request:
 mbedtls_printf( " . Restarting connection from same port..." );
 fflush( stdout );
 
+ memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
+
 if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
 {
 mbedtls_printf( " failed\n ! mbedtls_ssl_session_reset returned -0x%x\n\n",
From 775655eead4606969179f56a65f03242fe60fe45 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 26 Feb 2019 14:38:40 +0000
Subject: [PATCH 096/113] Update programs/ssl/query_config.c
---
 programs/ssl/query_config.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 329a5dfee6..0f875115f3 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1258,6 +1258,14 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
 
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ if( strcmp( "MBEDTLS_SSL_KEEP_PEER_CERTIFICATE", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_KEEP_PEER_CERTIFICATE );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
 if( strcmp( "MBEDTLS_SSL_HW_RECORD_ACCEL", config ) == 0 )
 {
From bdf75eb2434fa6713fac4a00ed61242ab7d351fd Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Feb 2019 08:34:31 +0000
Subject: [PATCH 097/113] Add missing compile time guard in ssl_client2
---
 programs/ssl/ssl_client2.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index f370bf0fce..f7e24598d2 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2147,7 +2147,9 @@ send_request:
 mbedtls_printf( " . Restarting connection from same port..." );
 fflush( stdout );
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
 memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
 {
@@ -2220,7 +2222,9 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); +#if defined(MBEDTLS_X509_CRT_PARSE_C) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); +#endif /* MBEDTLS_X509_CRT_PARSE_C */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { From 6e95914f0e53184a48bc517d347e01b7071630cf Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:48:24 +0100 Subject: [PATCH 098/113] Add new function mbedtls_asn1_write_named_bitstring() Add a new function mbedtls_asn1_write_named_bitstring() that removes trailing 0s at the end of DER encoded bitstrings. The function is implemented according to Hanno Becker's suggestions. This commit also changes the functions x509write_crt_set_ns_cert_type and crt_set_key_usage to call the new function as the use named bitstrings instead of the regular bitstrings. --- include/mbedtls/asn1write.h | 20 +++++++++++ library/asn1write.c | 71 +++++++++++++++++++++++++++++++------ library/x509write_crt.c | 32 ++++++++++++----- library/x509write_csr.c | 10 +++--- 4 files changed, 109 insertions(+), 24 deletions(-) diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 360540a002..04a8767c8e 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h 
@@ -282,6 +282,26 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
 const unsigned char *buf, size_t bits );
 
+/**
+ * \brief Write a named bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
+ * value in ASN.1 format
+ * Note: function works backwards in data buffer
+ *
+ * As stated in RFC5280 Appending B, trailing zeroes are
+ * omitted when encoding named bitstrings in DER.
+ *
+ * \param p Reference to current position pointer.
+ * \param start Start of the buffer (for bounds-checking).
+ * \param buf The bitstring.
+ * \param bits The total number of bits in the bitstring.
+ *
+ * \return The length written or a negative error code.
+ */
+int mbedtls_asn1_write_named_bitstring( unsigned char **p,
+ unsigned char *start,
+ const unsigned char *buf,
+ size_t bits );
+
 /**
 * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
 * and value in ASN.1 format.
diff --git a/library/asn1write.c b/library/asn1write.c
index a4d23f6196..b54e26bd8a 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
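Review bot: The new Doxygen block says `As stated in RFC5280 Appending B`; that should read `Appendix B` (RFC 5280, Appendix B, "ASN.1 Notes", is where the trailing-zero rule for named bit lists is stated). The contract also leaves unstated two things the implementation in asn1write.c relies on: `buf` must hold at least `( bits + 7 ) / 8` readable bytes, and bits beyond `bits` in the final byte are ignored and written as zero, so with `bits = 0` nothing is read from `buf` and an empty BIT STRING is produced. Suggest `\param buf The bitstring, at least ( bits + 7 ) / 8 bytes; not read when bits is 0.` and `\param bits The total number of bits in the bitstring; bits beyond this in the last byte are ignored.` so callers need not read the .c file.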
@@ -290,26 +290,75 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start, return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len) ); } +int mbedtls_asn1_write_named_bitstring( unsigned char **p, + unsigned char *start, + const unsigned char *buf, + size_t bits ) +{ + size_t unused_bits, byte_len; + const unsigned char *cur_byte; + unsigned char cur_byte_shifted; + unsigned char bit; + + byte_len = ( bits + 7 ) / 8; + unused_bits = ( byte_len * 8 ) - bits; + + /* + * Named bitstrings require that trailing 0s are excluded in the encoding + * of the bitstring. Trailing 0s are considered part of the 'unused' bits + * when encoding this value in the first content octet + */ + if( bits != 0 ) + { + cur_byte = buf + byte_len - 1; + cur_byte_shifted = *cur_byte >> unused_bits; + + for( ; ; ) + { + bit = cur_byte_shifted & 0x1; + cur_byte_shifted >>= 1; + + if( bit != 0 ) + break; + + bits--; + if( bits == 0 ) + break; + + if( bits % 8 == 0 ) + cur_byte_shifted = *--cur_byte; + } + } + + return( mbedtls_asn1_write_bitstring( p, start, buf, bits ) ); +} + int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ) { int ret; - size_t len = 0, size; + size_t len = 0; + size_t unused_bits, byte_len; - size = ( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 ); + byte_len = ( bits + 7 ) / 8; + unused_bits = ( byte_len * 8 ) - bits; - // Calculate byte length - // - if( *p < start || (size_t)( *p - start ) < size + 1 ) + if( *p < start || (size_t)( *p - start ) < byte_len + 1 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - len = size + 1; - (*p) -= size; - memcpy( *p, buf, size ); + len = byte_len + 1; - // Write unused bits - // - *--(*p) = (unsigned char) (size * 8 - bits); + /* Write the bitstring. 
Ensure the unused bits are zeroed */ + if( byte_len > 0 ) + { + byte_len--; + *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 ); + ( *p ) -= byte_len; + memcpy( *p, buf, byte_len ); + } + + /* Write unused bits */ + *--( *p ) = (unsigned char)unused_bits; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) ); diff --git a/library/x509write_crt.c b/library/x509write_crt.c index b1ef216c95..b6cb745a33 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c 
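Review bot: `*--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 );` in mbedtls_asn1_write_bitstring stores an `int` expression into an `unsigned char` without the explicit cast the next line uses for `unused_bits`; `*--( *p ) = (unsigned char)( buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 ) );` keeps `-Wconversion` builds clean. The masking deserves a why-comment rather than just `Ensure the unused bits are zeroed`, because the old `memcpy` emitted whatever the caller had in those bits and this change is what makes the output canonical: `/* DER (X.690 11.2.1) requires the unused trailing bits to be zero; mask them rather than trusting the caller's buffer. */`. Both `( bits + 7 ) / 8` computations wrap for `bits > SIZE_MAX - 7`, after which `unused_bits` underflows and `0x1 << unused_bits` is undefined; an early `if( bits > SIZE_MAX - 7 ) return( MBEDTLS_ERR_ASN1_INVALID_DATA );` in mbedtls_asn1_write_bitstring closes that for a public API parameter at negligible cost. The trailing-zero loop in mbedtls_asn1_write_named_bitstring traces correctly for the cases in the new test data, but the `bits % 8 == 0` step would benefit from `/* This byte is exhausted: continue with the previous, fully used byte */`.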
@@ -221,23 +221,36 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned int key_usage ) { - unsigned char buf[4], ku; + unsigned char buf[5], ku[2]; unsigned char *c; int ret; + const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE | + MBEDTLS_X509_KU_NON_REPUDIATION | + MBEDTLS_X509_KU_KEY_ENCIPHERMENT | + MBEDTLS_X509_KU_DATA_ENCIPHERMENT | + MBEDTLS_X509_KU_KEY_AGREEMENT | + MBEDTLS_X509_KU_KEY_CERT_SIGN | + MBEDTLS_X509_KU_CRL_SIGN | + MBEDTLS_X509_KU_ENCIPHER_ONLY | + MBEDTLS_X509_KU_DECIPHER_ONLY; - /* We currently only support 7 bits, from 0x80 to 0x02 */ - if( ( key_usage & ~0xfe ) != 0 ) + /* Check that nothing other than the allowed flags is set */ + if( ( key_usage & ~allowed_bits ) != 0 ) return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); - c = buf + 4; - ku = (unsigned char) key_usage; + c = buf + 5; + ku[0] = (unsigned char)( key_usage ); + ku[1] = (unsigned char)( key_usage >> 8 ); + ret = mbedtls_asn1_write_named_bitstring( &c, buf, ku, 9 ); - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 ) + if( ret < 0 ) return( ret ); + else if( ret < 3 || ret > 5 ) + return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - 1, buf, 4 ); + 1, c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -253,12 +266,13 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - 0, buf, 4 ); + 0, c, (size_t)ret ); if( ret != 0 ) return( ret ); 
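Review bot: `if( ret < 3 || ret > 4 ) return( ret );` in mbedtls_x509write_crt_set_ns_cert_type returns a positive length as the function's error code when the encoded size is outside the expected range, while mbedtls_x509write_crt_set_key_usage just above maps the same situation to `MBEDTLS_ERR_X509_INVALID_FORMAT` and passes `ret` through only when it is negative. The same `return( ret )` shape appears in both x509write_csr.c hunks (the CSR set_key_usage and set_ns_cert_type); suggest `if( ret < 0 ) return( ret );` followed by `else if( ret < 3 || ret > 4 ) return( MBEDTLS_ERR_X509_INVALID_FORMAT );` in all three so callers always receive a negative mbedtls error code. The range bounds would also read better with a comment such as `/* 3 bytes for an empty BIT STRING (tag, length, unused-bits octet), 4 with one content byte */`. The body of mbedtls_x509write_crt_set_ns_cert_type begins above its hunk.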
diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 777a6325f7..8dc39e7a5a 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -94,12 +94,13 @@ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned ch c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 ) + ret = mbedtls_asn1_write_named_bitstring( &c, buf, &key_usage, 8 ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -115,12 +116,13 @@ int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx, c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); From 7067f812f875ab7210316dc4bd1d7e28ecd2eacc Mon Sep 17 00:00:00 2001 
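Review bot: mbedtls_x509write_csr_set_key_usage still passes `8` bits from an `unsigned char` parameter (visible in the hunk header), so the ninth KeyUsage bit, decipherOnly, which mbedtls_x509write_crt_set_key_usage now accepts as `MBEDTLS_X509_KU_DECIPHER_ONLY` through a 9-bit named bitstring, cannot be requested in a CSR. If that asymmetry is intended, the CSR setter's header documentation (not in this diff) should state that decipherOnly is not supported for requests; if not, the parameter would need to become `unsigned int` with a two-byte buffer like the certificate writer, which is an API change and should be a separate commit. The change from 7 to 8 bits here is otherwise consistent with the named-bitstring trimming.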
From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:51:16 +0100 Subject: [PATCH 099/113] Add tests for (named) bitstring to suite_asn1write --- programs/x509/cert_req.c | 32 ++++++++- tests/data_files/Makefile | 8 +++ tests/data_files/server1.cert_type.crt | 12 ++-- .../data_files/server1.cert_type_noauthid.crt | 14 ++-- tests/data_files/server1.key_usage.crt | 14 ++-- .../data_files/server1.key_usage_noauthid.crt | 14 ++-- tests/data_files/server1.req.cert_type | 14 ++-- tests/data_files/server1.req.cert_type_empty | 17 +++++ tests/data_files/server1.req.key_usage | 14 ++-- tests/data_files/server1.req.key_usage_empty | 17 +++++ tests/data_files/server1.req.ku-ct | 14 ++-- tests/data_files/server5.req.ku.sha1 | 6 +- tests/suites/test_suite_asn1write.data | 72 +++++++++++++++++++ tests/suites/test_suite_asn1write.function | 44 ++++++++++++ tests/suites/test_suite_x509write.data | 46 +++++++----- tests/suites/test_suite_x509write.function | 14 ++-- 16 files changed, 274 insertions(+), 78 deletions(-) create mode 100644 tests/data_files/server1.req.cert_type_empty create mode 100644 tests/data_files/server1.req.key_usage_empty diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index 027050c07f..d25ad4c56b 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -65,7 +65,9 @@ int main( void ) #define DFL_OUTPUT_FILENAME "cert.req" #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK" #define DFL_KEY_USAGE 0 +#define DFL_FORCE_KEY_USAGE 0 #define DFL_NS_CERT_TYPE 0 +#define DFL_FORCE_NS_CERT_TYPE 0 #define DFL_MD_ALG MBEDTLS_MD_SHA256 #define USAGE \ @@ -85,6 +87,8 @@ int main( void ) " key_agreement\n" \ " key_cert_sign\n" \ " crl_sign\n" \ + " force_key_usage=0/1 default: off\n" \ + " Add KeyUsage even if it is empty\n" \ " ns_cert_type=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " ssl_client\n" \ 
@@ -94,6 +98,8 @@ int main( void ) " ssl_ca\n" \ " email_ca\n" \ " object_signing_ca\n" \ + " force_ns_cert_type=0/1 default: off\n" \ + " Add NsCertType even if it is empty\n" \ " md=%%s default: SHA256\n" \ " possible values:\n" \ " MD4, MD5, SHA1\n" \ @@ -123,7 +129,9 @@ struct options const char *output_file; /* where to store the constructed key file */ const char *subject_name; /* subject name for certificate request */ unsigned char key_usage; /* key usage flags */ + int force_key_usage; /* Force adding the KeyUsage extension */ unsigned char ns_cert_type; /* NS cert type */ + int force_ns_cert_type; /* Force adding NsCertType extension */ mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ } opt; @@ -190,7 +198,9 @@ int main( int argc, char *argv[] ) opt.output_file = DFL_OUTPUT_FILENAME; opt.subject_name = DFL_SUBJECT_NAME; opt.key_usage = DFL_KEY_USAGE; + opt.force_key_usage = DFL_FORCE_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; + opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE; opt.md_alg = DFL_MD_ALG; for( i = 1; i < argc; i++ ) @@ -292,6 +302,15 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "force_key_usage" ) == 0 ) + { + switch( atoi( q ) ) + { + case 0: opt.force_key_usage = 0; break; + case 1: opt.force_key_usage = 1; break; + default: goto usage; + } + } else if( strcmp( p, "ns_cert_type" ) == 0 ) { while( q != NULL ) 
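Review bot: `switch( atoi( q ) )` in the new `force_key_usage` branch turns any non-numeric value (for example `force_key_usage=yes`) into 0, which the `case 0:` arm accepts silently instead of reaching `default: goto usage`; the `force_ns_cert_type` branch in the next hunk has the same shape. If the existing options in this parser already use `atoi` this way, consistency may win, but a strict match costs the same number of lines: `if( strcmp( q, "0" ) == 0 ) opt.force_key_usage = 0;` / `else if( strcmp( q, "1" ) == 0 ) opt.force_key_usage = 1;` / `else goto usage;`. The option loop these branches belong to starts in an earlier hunk and continues past this one.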
@@ -319,16 +338,25 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "force_ns_cert_type" ) == 0 ) + { + switch( atoi( q ) ) + { + case 0: opt.force_ns_cert_type = 0; break; + case 1: opt.force_ns_cert_type = 1; break; + default: goto usage; + } + } else goto usage; } mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg ); - if( opt.key_usage ) + if( opt.key_usage || opt.force_key_usage == 1 ) mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage ); - if( opt.ns_cert_type ) + if( opt.ns_cert_type || opt.force_ns_cert_type == 1 ) mbedtls_x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type ); /* diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index ff89476866..aa9fc36b4f 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -785,6 +785,14 @@ server1.req.ku-ct: server1.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 all_final += server1.req.ku-ct +server1.req.key_usage_empty: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_key_usage=1 +all_final += server1.req.key_usage_empty + +server1.req.cert_type_empty: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1 +all_final += server1.req.cert_type_empty + # server2* server2.req.sha256: server2.key diff --git a/tests/data_files/server1.cert_type.crt b/tests/data_files/server1.cert_type.crt index cf384cbaf1..fb59ab8bd6 100644 --- a/tests/data_files/server1.cert_type.crt +++ b/tests/data_files/server1.cert_type.crt 
@@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC -AEAwDQYJKoZIhvcNAQEFBQADggEBAEQOk5Ejgu/GsxvMo+RknXcta5Qr6MiNo1EM -G5Xrf++aaf4Mi38p5ZxWDxQDyBmutSnuJgzO+Dxe5w/RNojFa4ri4g5Zk8zwfIcQ -8jR6a9DJtxarxDj/UqEzaiBa5MpxsbQqbmou7X7YW9LHDzmCgzbaabyWCuGYxvmh -lDbcISST73G+vJEeExcBHyom/GV9TNcFAGa66YV/FtABg2tiy9znmUeMnZeYkC9S -05m6UstAU6pMdwiTpjZjovsTlAcmC76XmE/GpREhRvtGCKTb2pUi3agqsrapABmF -EGZT9cpwkrl3cxh+jxAMEuhJLdEScDWHVsiNS5y9yxitWC4NqR4= +BkAwDQYJKoZIhvcNAQEFBQADggEBAK1WXZYd6k7/zE2NcszT6rxNaSixPZrDYzRt +Iz5rpH33IHkCdR956/ExCcDMqGNVtKtBdr8kw3+jzyPQhwyHVPNv4C/cgt0C89Pf +qZLQGuEPVp1X4tzEY2Kno9c1tllLVzJdvz1mRhSb9z5CWQKNMT+8MMl3k+0NZ4LT +NEx4gTZxYEsAGEuO/Yij9ctxp4RdSP585FXgiMC00ieMe/aJxlOIgpIhuWdu0KPP +G5guYd4hQ9ZrGVOGdjv2cZbh4DuQOsCwU9in/e1RKFV6eMmyOdvLJ4jkTauwkGJG +lCclZZQwzGawOiMl2OYPUia5bkaEsdE/0QW/lf36lco8CNjpUfY= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt index 7545e0b467..0082b148ca 100644 --- a/tests/data_files/server1.cert_type_noauthid.crt +++ b/tests/data_files/server1.cert_type_noauthid.crt 
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR -BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBAJc3yZUS9X3/lb63 -Nlt8rtXC45wbWZUoOK8N55IzEJC7FrttAStq24kq9QV0qiox8m1WLA+6xVaeZaXu -h2z3WlUlyCNaKqHEpuSYu/XQ0td6j3jCMj3VDSZGHnKgliQ9fkkt+waPVCAZldwj -rHsZibl2Dqzb3KttKqD1VyEVOUJ+saXRDJLFdK1M9nwdWMfOg/XE0WbqfVzw9COs -08dJ6KL7SOvXtiOVQLNv7XN/2j+wF6+IoLDdLCDByj5VtK2q2vyVk5tpDJI1S696 -dP8Zi7VbBTS9OlVC+Gw3CntDKZA8e215MNG6iBuEM2mgi4i0umo7mN8FoA1zusnE -8mCO55Q= +BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBAGl6bYCGKvDCvfSU +PTyaiFPNGXV98AnIG0Hu4EJjs1owBU/Yf8UdFbWJtOymR80SbzmeQ6rEIoY1oXDA +o9Y8yRgW8t25Wmq/0DCu/5P0/L6asstLTxLG4qajClVwqDLEqZNixmq8QorAOtK1 +JngFA+A5jzc70Ikl9+Hbx/2SEMrCpo0QLSco7KDK7XpNOHbkRz2AqSm0se4jDMP1 +Cwd2UtcpctIZEbECZo6S9WrVMqIhRF1Y5FeauBA2ORvGIHohaYJ9VzYWYXIp7N8d +QXGv+M7ffpZiERcRr8lxtboPnTXKlv1mLCEX7g+KuiJQUm4OGfTCd5VHzWM7O5Id +b+IvZD0= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_usage.crt b/tests/data_files/server1.key_usage.crt index 3a678ff31e..b5a2532c2e 100644 --- a/tests/data_files/server1.key_usage.crt +++ b/tests/data_files/server1.key_usage.crt 
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf -BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCAeAw -DQYJKoZIhvcNAQEFBQADggEBAE4sz3ghfpolZ0rH6Q3CWIYQ1Q+aGBwQiCCBsApP -8qZd880Kt+BiEdSsaU16S8CIMdOcHGQGB7dXK9wdTWkIqaW9I7fRPgDNDIhJoYDD -67h1P+cEQeXT9900H173nYlM1vL9zLcnmmqEO7j8jXSpsR5mcCMPkR52RqxweLJw -LGPeSlA+DF0WbezJc28FUgXAl8Kxm3Od40exMeicHtfgCnIykH1NEW3gXpc91nFT -RoNRdEAIGHMX5Dd5QDlt2vlaKNXFtcx2xUXXIi71YNQybH3p6KXayPMFQzrBwoXJ -YHevmjUaw7UH31fULa1dtd/dWmp8cCaKB4vBr0DBJPiMJMw= +BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw +DQYJKoZIhvcNAQEFBQADggEBAE6xegEHvwuQ8I4YCLX7oXmDJiDb7m2nMin+um0v +TMqHAE3B9GvdWGUgMIEMf76ee7OMDzxfzM2vyNGemB0rn1djEv+knJBSdMQKD9X8 +tkT8cPqMHlRMYYbFFkkZEOeqeihZXQdUORao9ZSXrokYwv+Fr+PAmiUJEmkZHbA1 +Gqp6tPfGxJ2ah50Og9oAPwyND6kvE2o++Dth2evjljPCPM2Gw5kjQGw3V9CAUyUo +KtLrtZdOeRHRCWCf3UQ/tYkG70tY/+grftrHqKB2E4qkmDiCPS9sEpa7jOGT6e4k +jGVeZFNZZ10mD2Svr3xl/60++c7yLxrquujo8NOTCVcshfs= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt index 4a72ac1bca..c82a979729 100644 --- a/tests/data_files/server1.key_usage_noauthid.crt +++ b/tests/data_files/server1.key_usage_noauthid.crt 
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO -BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBALqfFzzWOViKBXoFhtcc -Ulzg1ShK20z3zeD6TL5Ss2+kMIGhvvvUMtcATIFa9LxZ//a0as1CACphxmrsqaju -LDvnXjWLB+e7pJPQ+4XixKmA3QoQI6sduH03/4eRp/Er/+zXD7+uapz+GimiExJt -mjW1Oz5n2Q7L9vQabqz0n9+8rM/chsfgipQSKmV0rXe/K1N4yuggh62r8kn9UaUR -TKm6HaMIFBrZNwMy8TAc3gSq5rqbN8/ONiCBpW/LvwTnd7fFSl7yeetAbj08gpu2 -dkfYp/DK9Hs1KQFCi0u1pr9JIqFxNy6tUTO90ydq6QXj4E5yZhmitLPk5wPCozN+ -rIc= +BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBAKuveVlnjgJIkiH6HqZk ++oGpLPxpcoMEMskzyFxTfjP4L2Mj798qydBbobyVJdH5p/sIpcHsI0xajM/dcZKS +7b28KVwxOk+87DtwCikFT+jzWPe8fzowqsNAaKtvtDQnLYh8u2tDT1vhABwgTVAy +aHCzs+nm3o36NPSN9K+wmI+r1KFnhjtyOQ++7M8wRRT5jrC+1tYicjsnVMu07yB5 +04C99Fa3MToilg66Jos95U3gBF5GbSfDXYtd3/etNMkUiG8FEZJlkhKbTO+4E03a +X6+z2VojrAroYyO/F5ZlaC3/CsMQ8Zcate64nH/Lu/U78XAo8iKz5DLLOPBqodER +z4A= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.req.cert_type b/tests/data_files/server1.req.cert_type index b9b9f067c7..39ff3fdba3 100644 --- a/tests/data_files/server1.req.cert_type +++ b/tests/data_files/server1.req.cert_type 
@@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAkMCIGCSqGSIb3DQEJDjEV -MBMwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQCMX3H6BiGP -VRvLu8UHIhsj9WgrGDRogOMVHOrQm+0fnGyxZa2UwftSZf2qLBZ+DmJStHabXibw -QuWA9BMVFDih5yGMhdzQC8iQQCjfYOS0sfhy7p76q89rVO0E9KAtvFH2ApbaDAck -m1WdQvYey2rYnT1ucHGdn017Iu1CaY8qnmh7Fhuov++69eGGG4MjRVT/7Ywufjo5 -Fn+JsMhj4IonP/jwKIUBskK15MkTQhKpyl5rQK/8v+7bWlsuqhiNPSYg6rgIrjmN -QxxzqP5NLPdlS4ksN6zcuwdq21l+li8zakjbeUvyqZb7E6vTHJaNBOp7Y7jv25gG -5/PjwquYbKFr +MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBErZcEaEEO +hLbRVuB3+N5by0mogdJsatJFSgW2/VztLvQBYu0O+VmTbZwCAWejA8U+cr6uPlyf +b4lDqj3W+XykeK9bSzoSr1yNO2VAcE74Y0ZrSz2yXMfT5R9IyKqQZspaKD8MOmYH +BqUH9o/phnGcaEG5xeSfhM1O/YNZuGnlLDQBGwT5puHOaLfjECvs8eZLopIWEBlD +QkRlhYqZBwhGZ8D/TxqG4teFtnBX5FG7UoSSVuneBrkREQM7ElhtD9jCWjfMnqm1 +59G84OycClwaKU7/Dm6zeMGDyFoMksBud7lyDHMhxvwSbzb1JR5v8iBsmVY2dhHt +Ot3Fx2be0gIr -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.cert_type_empty b/tests/data_files/server1.req.cert_type_empty new file mode 100644 index 0000000000..70fd11133c --- /dev/null +++ b/tests/data_files/server1.req.cert_type_empty 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAjMCEGCSqGSIb3DQEJDjEU +MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBACU0LLDBIMgG +B7gyNANHv42RovhQdzmUulqJPHNHx3v9G17F00bEykJb/r3awW6l5fhY/6oPydsY +hnWEM6VVCUkJ6Zqm2/wE49uaNTbFd9JU4OywRBfjHHSTOGnYFg+BYSfwaIkSCkx2 +kVhyklFm7My5wkyDPpFSU2tTfgsgaQMyTm93a2kxM7qJ/X3gFDG8o7R0vyojFVSI +mwsF9QsC6N9cygdFx23zCB0KsJ9KfmBqaTsdbKh8BsocYm5FJCw4WS/CBrCWBj+z +N7yEJj4SR5F+P7sFc5I0HANov5wQe8E3+WxxQt8jcqIje6DlaaGja44cXOzvFQyx +Hg/6H5EtBQc= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.key_usage b/tests/data_files/server1.req.key_usage index 4c20eeded8..30e4812437 100644 --- a/tests/data_files/server1.req.key_usage +++ b/tests/data_files/server1.req.key_usage 
@@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAeMBwGCSqGSIb3DQEJDjEP -MA0wCwYDVR0PBAQDAgHgMA0GCSqGSIb3DQEBBQUAA4IBAQAIDkjGHokLINOSKAij -DuBWyW72udNBwSmRAFYDyNoybWX+KJLFckyReF1S0YRHXWOljwxERF6htUEqIJDI -vIzlXyV0YqHNmWEFpyRxyIllQ7X4NWnVm3zHYORx2utdy3EyNsNb4Rb/JNh6Qpqr -27DB+frWaBYk27RPTdZz/ItZIicX8iHrAHL0aC6raQYvZfM1ybYehAh7Qx3asHKI -XDcrbV50Kzrd0SgC4P6Z6/5C5uUL9AfcKnB2oj5VP2TM0BA6q+XRQFkJ3TO1UTLB -lCKb9B1cIpVsT0YsOg/qptUh90zgd0x7FDa084ccwUJG73VXtHC6eioE4fbfrm5L -9BNK +MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBsJ3v1Ar2X28GJsRSJ +WRQwFQwIbR/D0cHrwTf0ZfZttClytuc18JZlwkH3EG/rNkWaFp6MKIZoRMOBuSPc +MNvvKIo4nPaeouDPruymx0gNenlyRL3D4OZpBO/BmQIQjbUKWFbzEnEqvwvMDUnG +8w7UjPSFcxj2HzENr62HLPKKnVpL3nDXWK1a2A77KF9aMxyoWQ6FXb2xPD9cJjdo +c1jwskQbgosQzKKwwp5yxq0zRD3EAGw4A78mgHMfgFprq9e9azaB0JeyFG2Vn0t0 +L+vfiDEVQ3eJXSCen1kEVyHRju8g53UcSgd+JicWFboFj2/mJBuyW6yM++RGA9B5 +Zd62 -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.key_usage_empty b/tests/data_files/server1.req.key_usage_empty new file mode 100644 index 0000000000..47e56bf1ef --- /dev/null +++ b/tests/data_files/server1.req.key_usage_empty 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAdMBsGCSqGSIb3DQEJDjEO +MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAAqQ/EU/3oMt7YW4vWgm +0Q7F4v7DrFEoVMWfBzNWhMNIijzoaWKY8jwseZMzu8aCNQlJnM7c9FJF+OCgS7L5 +0ctwzjfCOi5I5cKgqv8WpuMZWHXNtB7YtjUWIZVri/RazCncZEwJGCKQjmQYrGJm +Qmu2+D+DWY+nEW47ZfDH9jOJtatnREjSNsKzc44L9zUaEy3bi+m455XGH+ABmeb7 +Iqmguh10xUyY6rEOFEuqvFyFr5g1eb53Rr5CQxGfw1j+2bbSh+rVb6Ehf9LAijyu +Ygqa91hGab/CjykS6HMrD91ouWtt2Rt3zCKo4Xxe8dlAszKB4W83M9OgDVVpiCfC +t3A= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.ku-ct b/tests/data_files/server1.req.ku-ct index 98666d272c..ebd01f5cca 100644 --- a/tests/data_files/server1.req.ku-ct +++ b/tests/data_files/server1.req.ku-ct 
@@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAxMC8GCSqGSIb3DQEJDjEi -MCAwCwYDVR0PBAQDAgHgMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQUF -AAOCAQEAhDH3BQWViy67+9sdlrTvv0cIJ1IbogaM221MUasNIbfLi+KKfw50mzTa -V/BCXPT+EzmOptBl+F2iZVQyr2c0nWbBZBHnykS3f0fgifm6yWVEYwJqxUC5+uxK -bZztsHocTuqODpqYILycYkFXCcY8ZFHmz9XZorpUVTpZULW33EmLee5/BYI7whkA -bVoSNB5tAb8kGZQffDnGkHiRfu8dbbEnkPYqm/cerN+4yCh1v1CGFh2lMn4d5p0L -o9GvMsPM8pxdffZWZI9T0JnlHwtAJDA5G/MFYJdHzLzcHpvDA99MdNO4DMAiUyWb -PCDL5e7mJ0lnBp8RppLBR7GEkznIQQ== +MCAwCwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQUF +AAOCAQEAWUMyIXHi4BbIxOeCD/Vtu9LGV8ENMV7dwYVEQcwrt1AHahtYgUtkoGcP +lOPqg1lbg22bu8dLPoY4HAzxCOAGs27otWL5LlE9M5QPH1RedEycmOuYrMl6K988 +hfDBJ+OkgCShcM91+udrc0gpDEI7N01A+fmukQ6EiaQjIf7HME/EKQqhEuEQMXHC +GBvdNuEF5BfV3aAYuT+xfdXDU2ZWwXXWAHGmVh3ntnhtEG6SnXSnBATU2wa4tpBd +KLbEbcsiy2uj0OLJlvG6LqsNggtkD58GCGpLpaVxdW80yw+f/krwLpeyocE1KGcT +7eX+9yhLe9NIZojvevw+53dNE7BUfw== -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server5.req.ku.sha1 b/tests/data_files/server5.req.ku.sha1 index 39fc346b40..3281c94608 100644 --- a/tests/data_files/server5.req.ku.sha1 +++ b/tests/data_files/server5.req.ku.sha1 
@@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE REQUEST----- -MIIBFzCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGjAY +MIIBFjCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGjAY BgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d Fr2KiMJrdw1VzYoqDvoByLTt/6AeMBwGCSqGSIb3DQEJDjEPMA0wCwYDVR0PBAQD -AgHAMAsGByqGSM49BAEFAANJADBGAiEA5MGFTJkpOtCV7bAx+N+t4gP3JDM9RH3W -mIXzSpcBwvACIQDf7f9ytclwouV1DQTFSUKxExIm48H60hk3lh19i3bGOw== +AgbAMAsGByqGSM49BAEFAANIADBFAiEAnIKF+xKk0iEuN4MHd4FZWNvrznLQgkeg +2n8ejjreTzcCIAH34z2TycuMpWQRhpV+YT988pBWR67LAg7REyZnjSAB -----END CERTIFICATE REQUEST----- diff --git a/tests/suites/test_suite_asn1write.data b/tests/suites/test_suite_asn1write.data index c2a78b1afd..9982d03a72 100644 --- a/tests/suites/test_suite_asn1write.data +++ b/tests/suites/test_suite_asn1write.data 
@@ -90,3 +90,75 @@ mbedtls_asn1_write_len:16909060:"8401020304":5:5 ASN.1 Write / Read Length #12 (Len = 16909060, buffer too small) mbedtls_asn1_write_len:16909060:"8401020304":4:MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ASN.1 Write Named Bitstring / Unused bits #0 +test_asn1_write_bitstrings:"FF":8:"030200FF":4:1 + +ASN.1 Write Named Bitstring / Unused bits #1 +test_asn1_write_bitstrings:"FE":8:"030201FE":4:1 + +ASN.1 Write Named Bitstring / Unused bits #2 +test_asn1_write_bitstrings:"FC":7:"030202FC":4:1 + +ASN.1 Write Named Bitstring / Unused bits #3 +test_asn1_write_bitstrings:"F8":8:"030203F8":4:1 + +ASN.1 Write Named Bitstring / Unused bits #4 +test_asn1_write_bitstrings:"F0":6:"030204F0":4:1 + +ASN.1 Write Named Bitstring / Unused bits #5 +test_asn1_write_bitstrings:"E0":6:"030205E0":4:1 + +ASN.1 Write Named Bitstring / Unused bits #6 +test_asn1_write_bitstrings:"C0":8:"030206C0":4:1 + +ASN.1 Write Named Bitstring / Unused bits #7 +test_asn1_write_bitstrings:"80":8:"03020780":4:1 + +ASN.1 Write Named Bitstring / Empty bitstring +test_asn1_write_bitstrings:"00":7:"030100":3:1 + +ASN.1 Write Named Bitstring / Empty bitstring (bits = 16) +test_asn1_write_bitstrings:"0000":16:"030100":3:1 + +ASN.1 Write Named Bitstring / Empty bitstring (bits = 24) +test_asn1_write_bitstrings:"FFFFFF":0:"030100":3:1 + +ASN.1 Write Named Bitstring / 15 trailing bits all unset +test_asn1_write_bitstrings:"F88000":24:"030307F880":5:1 + +ASN.1 Write Named Bitstring / 15 trailing bits all set +test_asn1_write_bitstrings:"F8FFFF":9:"030307F880":5:1 + +ASN.1 Write Bitstring / Unused bits #0 +test_asn1_write_bitstrings:"FF":8:"030200FF":4:0 + +ASN.1 Write Bitstring / Unused bits #1 +test_asn1_write_bitstrings:"FF":7:"030201FE":4:0 + +ASN.1 Write Bitstring / Unused bits #2 +test_asn1_write_bitstrings:"FF":6:"030202FC":4:0 + +ASN.1 Write Bitstring / Unused bits #3 +test_asn1_write_bitstrings:"FF":5:"030203F8":4:0 + +ASN.1 Write Bitstring / Unused bits #4 
+test_asn1_write_bitstrings:"FF":4:"030204F0":4:0 + +ASN.1 Write Bitstring / Unused bits #5 +test_asn1_write_bitstrings:"FF":3:"030205E0":4:0 + +ASN.1 Write Bitstring / Unused bits #6 +test_asn1_write_bitstrings:"FF":2:"030206C0":4:0 + +ASN.1 Write Bitstring / Unused bits #7 +test_asn1_write_bitstrings:"FF":1:"03020780":4:0 + +ASN.1 Write Bitstring / 1 trailing bit (bits 15) +test_asn1_write_bitstrings:"0003":15:"0303010002":5:0 + +ASN.1 Write Bitstring / 0 bits +test_asn1_write_bitstrings:"":0:"030100":3:0 + +ASN.1 Write Bitstring / long string all bits unset except trailing bits +test_asn1_write_bitstrings:"000000000007":45:"030703000000000000":9:0 diff --git a/tests/suites/test_suite_asn1write.function b/tests/suites/test_suite_asn1write.function index 57a9741254..e45583cbbd 100644 --- a/tests/suites/test_suite_asn1write.function +++ b/tests/suites/test_suite_asn1write.function @@ -128,3 +128,47 @@ void mbedtls_asn1_write_len( int len, data_t * asn1, int buf_len, } } /* END_CASE */ + +/* BEGIN_CASE */ +void test_asn1_write_bitstrings( data_t *bitstring, int bits, + data_t *expected_asn1, int result, + int is_named ) +{ + int ret; + size_t i; + unsigned char buf[150]; + unsigned char *p; + + memset( buf, GUARD_VAL, sizeof( buf ) ); + + p = buf + GUARD_LEN + expected_asn1->len; + + if ( is_named == 0 ) + { + ret = mbedtls_asn1_write_bitstring( &p, + buf, + (unsigned char *)bitstring->x, + (size_t) bits ); + } + else + { + ret = mbedtls_asn1_write_named_bitstring( &p, + buf, + (unsigned char *)bitstring->x, + (size_t) bits ); + } + TEST_ASSERT( ret == result ); + + /* Check for buffer overwrite on both sides */ + for( i = 0; i < GUARD_LEN; i++ ) + { + TEST_ASSERT( buf[i] == GUARD_VAL ); + TEST_ASSERT( buf[GUARD_LEN + expected_asn1->len + i] == GUARD_VAL ); + } + + if ( result >= 0 ) + { + TEST_ASSERT( memcmp( p, expected_asn1->x, expected_asn1->len ) == 0 ); + } +} +/* END_CASE */ 
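Review bot: The case titled `ASN.1 Write Named Bitstring / Empty bitstring (bits = 24)` passes `bits = 0` (`"FFFFFF":0`), so it exercises the `bits == 0` shortcut with a non-empty, unread buffer rather than a 24-bit input; retitle it `Empty bitstring (bits = 0, buffer not read)` or use `"000000":24` if trimming 24 zero bits was the intent. No row for either writer expects `MBEDTLS_ERR_ASN1_BUF_TOO_SMALL`, although `mbedtls_asn1_write_len` #12 directly above shows the pattern; one is worth adding once the harness passes a `start` pointer that actually limits the writable space.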
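Review bot: test_asn1_write_bitstrings passes `buf` as `start` to both writers while the output is placed just below `buf + GUARD_LEN + expected_asn1->len`, so the writers' bounds check is against the whole 150-byte array and no data row can provoke `MBEDTLS_ERR_ASN1_BUF_TOO_SMALL`; the lower guard bytes only detect an overrun, they never constrain the writer. Passing `buf + GUARD_LEN` as `start` in both calls makes the bounds check testable and matches what the `expected_asn1->len` offset already assumes. The success branch also never checks where `p` ended up; `TEST_ASSERT( p == buf + GUARD_LEN );` next to the `memcmp` pins that the pointer moved back by exactly the returned length. `GUARD_LEN` and `GUARD_VAL` are defined outside the hunk, presumably in the suite's header section.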
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 40964258bb..b891ef29de 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
@@ -1,46 +1,54 @@ Certificate Request check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0 Certificate Request check Server1 SHA224 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0 Certificate Request check Server1 SHA256 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0 Certificate Request check Server1 SHA384 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0 Certificate Request check Server1 SHA512 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0 Certificate Request check Server1 MD4 depends_on:MBEDTLS_MD4_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0:0:0 Certificate Request check Server1 MD5 depends_on:MBEDTLS_MD5_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0 
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0 Certificate Request check Server1 key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0 + +Certificate Request check Server1 key_usage empty +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0 Certificate Request check Server1 ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 + +Certificate Request check Server1 ns_cert_type empty +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1 Certificate Request check Server1 key_usage + ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER +x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 Certificate Request 
check Server5 ECDSA, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED -x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0 +x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0 Certificate Request check opaque Server5 ECDSA, key_usage depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED 
@@ -48,35 +56,35 @@ x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU Certificate write check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0::0:0:1:-1:"data_files/server1.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0 Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test 
CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0 Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 Certificate write check Server1 SHA1, RSA_ALT depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, key_usage 
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test 
CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0 diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 268b4bbeb5..e15802ff11 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -70,7 +70,8 @@ static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen ) /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, - int key_usage, int cert_type ) + int key_usage, int set_key_usage, int cert_type, + int set_cert_type ) { mbedtls_pk_context key; mbedtls_x509write_csr req; @@ -92,9 +93,9 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, mbedtls_x509write_csr_set_md_alg( &req, md_type ); mbedtls_x509write_csr_set_key( &req, &key ); TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); - if( key_usage != 0 ) + if( set_key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); - if( cert_type != 0 ) + if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), 
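Review bot: In the x509_csr_check hunk the new `set_key_usage` flag lets a test pass an explicit `key_usage` value, but that `int` is handed straight to `mbedtls_x509write_csr_set_key_usage( &req, key_usage )`, which per the x509_csr.h hunk later in this series takes an `unsigned char`; a vector carrying a flag above 0xFF (the note there names decipherOnly as 0x8000) would be silently truncated and the test would still report success against whatever the reference file holds. Guarding the call with `TEST_ASSERT( ( key_usage & ~0xFF ) == 0 );` before `if( set_key_usage != 0 )` makes such a vector fail loudly instead of encoding the wrong extension. The x509_crt_check hunk in the next line has the same shape and deserves the same check if its setter also narrows the value, which this page does not show. Both functions' bodies begin and end outside their hunks.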
@@ -180,7 +181,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, char *subject_name, char *issuer_key_file, char *issuer_pwd, char *issuer_name, char *serial_str, char *not_before, char *not_after, - int md_type, int key_usage, int cert_type, int auth_ident, + int md_type, int key_usage, int set_key_usage, + int cert_type, int set_cert_type, int auth_ident, int ver, char *cert_check_file, int rsa_alt ) { mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; @@ -248,9 +250,9 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); if( auth_ident ) TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); - if( key_usage != 0 ) + if( set_key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); - if( cert_type != 0 ) + if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); } From d8233f76db89f04612e3fed5f427329f8d3e4932 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 8 Oct 2018 19:44:55 +0100 Subject: [PATCH 100/113] Improve docs for named bitstrings and their usage --- include/mbedtls/asn1write.h | 18 ++++++++++-------- include/mbedtls/x509_csr.h | 8 ++++++++ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 04a8767c8e..dc81782c4f 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h 
@@ -283,19 +283,21 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ); /** - * \brief Write a named bitstring tag (MBEDTLS_ASN1_BIT_STRING) and - * value in ASN.1 format - * Note: function works backwards in data buffer + * \brief This function writes a named bitstring tag + * (#MBEDTLS_ASN1_BIT_STRING) and value in ASN.1 format. * - * As stated in RFC5280 Appending B, trailing zeroes are + * As stated in RFC 5280 Appendix B, trailing zeroes are * omitted when encoding named bitstrings in DER. * - * \param p Reference to current position pointer. - * \param start Start of the buffer (for bounds-checking). - * \param buf The bitstring. + * \note This function works backwards within the data buffer. + * + * \param p The reference to the current position pointer. + * \param start The start of the buffer which is used for bounds-checking. + * \param buf The bitstring to write. * \param bits The total number of bits in the bitstring. * - * \return The length written or a negative error code. + * \return The number of bytes written to \p p on success. + * \return A negative error code on failure. */ int mbedtls_asn1_write_named_bitstring( unsigned char **p, unsigned char *start, diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 0c6ccad78d..a3c28048e0 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h 
@@ -205,6 +205,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty * \param key_usage key usage flags to set * * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * + * \note The decipherOnly flag from the Key Usage + * extension is represented by bit 8 (i.e. + * 0x8000), which cannot typically be represented + * in an unsigned char. Therefore, the flag + * decipherOnly (i.e. + * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this + * function. */ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage ); From d588ff7156f0030e0e6ded4454d6afbfe918c167 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:59:20 +0100 Subject: [PATCH 101/113] Add ChangeLog entry for unused bits in bitstrings --- ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2500919d8f..3fab199958 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,12 @@ Bugfix Fixes #2190. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. + * Ensure that unused bits are zero when writing ASN.1 bitstrings when using + mbedtls_asn1_write_bitstring(). + * Fix issue when writing the named bitstrings in KeyUsage and NsCertType + extensions in CSRs and CRTs that caused these bitstrings to not be encoded + correctly as trailing zeroes were not accounted for as unused bits in the + leading content octet. Fixes #1610. Changes * Reduce RAM consumption during session renegotiation by not storing 
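Review bot: The new note in x509_csr.h says decipherOnly is "bit 8 (i.e. 0x8000)", which mixes RFC 5280's KeyUsage bit index (decipherOnly is bit 8 of the BIT STRING, counted from the most significant bit of the first content octet) with the library's mask value, so a reader may expect 0x100. I would reword the note as "The decipherOnly flag is KeyUsage bit 8 in RFC 5280's bit-string numbering, which this library represents as #MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000); that value does not fit in the unsigned char accepted here, so it cannot be set with this function." Keeping the Doxygen `\note` before the `\return` block would also match the ordering used elsewhere in this header.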
@@ -65,6 +71,8 @@ Features function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. + * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 + named bitstring in DER as required by RFC 5280 Appendix B. API Changes * The following functions in the random generator modules have been From 412ddf3812580bab47e12fd8e5bd44c0f3df94c0 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 11 Feb 2019 21:33:10 +0000 Subject: [PATCH 102/113] Fix typo in x509write test data --- tests/suites/test_suite_x509write.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index b891ef29de..54d72701e7 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -56,7 +56,7 @@ x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU Certificate write check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0::0:0:1:-1:"data_files/server1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C From ce04951a6cb4b8e1c5bf105c42f28100bd5e3284 Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Wed, 20 Feb 2019 10:00:03 +0000 Subject: [PATCH 103/113] Fix ChangeLog entry to correct release version --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fab199958..1d25ed6115 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ Features which allows copy-less parsing of DER encoded X.509 CRTs, at the cost of additional lifetime constraints on the input buffer, but at the benefit of reduced RAM consumption. + * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 + named bitstring in DER as required by RFC 5280 Appendix B. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. @@ -71,8 +73,6 @@ Features function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. - * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 - named bitstring in DER as required by RFC 5280 Appendix B. API Changes * The following functions in the random generator modules have been From 1e198f5a98db868a96b0c5469009c94dbd57d94f Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 28 Feb 2019 09:54:01 +0000 Subject: [PATCH 104/113] Update the crypto submodule to a78c958 Update the crypto submodule to commit a78c958b17d75ddf63d8dd17255b6379dcbf259f to include the equivalent changes in this PR within the submodule. --- crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto b/crypto index bf61ca7a04..a78c958b17 160000 --- a/crypto +++ b/crypto @@ -1 +1 @@ -Subproject commit bf61ca7a0429ae81adfa82d1bbee4e58e3f6ecef +Subproject commit a78c958b17d75ddf63d8dd17255b6379dcbf259f From 84d9d2734f2e40205943e21b44e3b20023ccebeb Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Fri, 1 Mar 2019 08:10:46 +0000 Subject: [PATCH 105/113] Fix unused variable warning in ssl_parse_certificate_coordinate() This was triggered in client-only builds. --- library/ssl_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a956bab8f9..660d548e45 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6020,6 +6020,8 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, return( SSL_CERTIFICATE_SKIP ); } } +#else + ((void) authmode); #endif /* MBEDTLS_SSL_SRV_C */ return( SSL_CERTIFICATE_EXPECTED ); From 4a512281eccdac959f1a62a3047111120768c198 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 30 Oct 2018 18:21:41 +0000 Subject: [PATCH 106/113] Reduce priority of 3DES ciphersuites --- ChangeLog | 11 +++++--- include/mbedtls/config.h | 13 +++++++++ library/ssl_ciphersuites.c | 57 +++++++++++++++++++++++--------------- library/version_features.c | 3 ++ scripts/config.pl | 2 ++ 5 files changed, 60 insertions(+), 26 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2500919d8f..abd12d5b57 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,10 +7,8 @@ Features which allows copy-less parsing of DER encoded X.509 CRTs, at the cost of additional lifetime constraints on the input buffer, but at the benefit of reduced RAM consumption. - -API Changes - * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. - See the Features section for more information. + * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites + from the default list (inactive by default). Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined 
@@ -53,6 +51,11 @@ Changes underlying OS actually guarantees. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 + * Ciphersuites based on 3DES now have the lowest priority by default. + +API Changes + * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. + See the Features section for more information. = mbed TLS 2.16.0 branch released 2018-12-21 diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index e6abf24d52..131ef232ba 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -687,6 +687,19 @@ */ #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES +/** + * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES + * + * Remove 3DES ciphersuites by default in SSL / TLS. + * This flag removes the ciphersuites based on 3DES from the default list as + * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible + * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including + * them explicitly. + * + * Comment this macro to keep 3DES in the default ciphersuite list. + */ +#define MBEDTLS_REMOVE_3DES_CIPHERSUITES + /** * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED * diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 745474effe..518f7dde00 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c 
@@ -43,11 +43,11 @@ /* * Ordered from most preferred to least preferred in terms of security. * - * Current rule (except rc4, weak and null which come last): + * Current rule (except RC4 and 3DES, weak and null which come last): * 1. By key exchange: * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK * 2. By key length and cipher: - * ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES + * ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8 * 4. By hash function used when relevant * 5. By key exchange/auth again: EC > non-EC @@ -126,11 +126,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, - /* All remaining >= 128-bit ephemeral suites */ - MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - /* The PSK ephemeral suites */ MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, @@ -162,9 +157,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, - MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, - /* The ECJPAKE suite */ MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, @@ -228,11 +220,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256, - /* All remaining >= 128-bit suites */ - MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, - /* The RSA PSK suites */ MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, 
@@ -251,8 +238,6 @@ static const int ciphersuite_preference[] =
 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
-
 /* The PSK suites */
 MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
 MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
@@ -275,6 +260,16 @@ static const int ciphersuite_preference[] =
 MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
 MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+ /* 3DES suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
 MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
 /* RC4 suites */
@@ -2187,6 +2182,26 @@ const int *mbedtls_ssl_list_ciphersuites( void )
 static int supported_ciphersuites[MAX_CIPHERSUITES];
 static int supported_init = 0;
+static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
+{
+ (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+ if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+ return( 1 );
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+ if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+ cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
+ {
+ return( 1 );
+ }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+ return( 0 );
+}
+
 const int *mbedtls_ssl_list_ciphersuites( void )
 {
 /*
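Review bot: ciphersuite_is_removed has no comment stating its contract, and the `(void)cs_info;` on its first line is the only hint that the body can compile down to a bare `return( 0 );` when neither MBEDTLS_REMOVE_*_CIPHERSUITES option is defined. I would put `/* Return 1 if cs_info is excluded from the default list by a MBEDTLS_REMOVE_*_CIPHERSUITES option, 0 otherwise. cs_info must not be NULL. */` above the definition and `/* Unused when neither removal option is defined. */` next to the cast, since the caller relies on the short-circuit `!= NULL &&` to keep the dereferences safe. It is also worth a sentence in that comment that this filter only shapes the default list: `ciphersuite_preference` still contains the 3DES entries, so an application naming them explicitly via mbedtls_ssl_conf_ciphersuites() still gets them, which is the behaviour the config.h text in this series documents.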
@@ -2202,14 +2217,12 @@ const int *mbedtls_ssl_list_ciphersuites( void ) *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1; p++ ) { -#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES) const mbedtls_ssl_ciphersuite_t *cs_info; if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL && - cs_info->cipher != MBEDTLS_CIPHER_ARC4_128 ) -#else - if( mbedtls_ssl_ciphersuite_from_id( *p ) != NULL ) -#endif + !ciphersuite_is_removed( cs_info ) ) + { *(q++) = *p; + } } *q = 0; diff --git a/library/version_features.c b/library/version_features.c index 61094d4ed7..57be0f345d 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -303,6 +303,9 @@ static const char *features[] = { #if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES) "MBEDTLS_REMOVE_ARC4_CIPHERSUITES", #endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */ +#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES) + "MBEDTLS_REMOVE_3DES_CIPHERSUITES", +#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */ #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) "MBEDTLS_ECP_DP_SECP192R1_ENABLED", #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ diff --git a/scripts/config.pl b/scripts/config.pl index 18e1dc8be8..84069d2316 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -30,6 +30,7 @@ # MBEDTLS_NO_PLATFORM_ENTROPY # MBEDTLS_PSA_CRYPTO_C # MBEDTLS_REMOVE_ARC4_CIPHERSUITES +# MBEDTLS_REMOVE_3DES_CIPHERSUITES # MBEDTLS_SSL_HW_RECORD_ACCEL # MBEDTLS_RSA_NO_CRT # MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 @@ -98,6 +99,7 @@ MBEDTLS_NO_PLATFORM_ENTROPY MBEDTLS_PSA_CRYPTO_C MBEDTLS_RSA_NO_CRT MBEDTLS_REMOVE_ARC4_CIPHERSUITES +MBEDTLS_REMOVE_3DES_CIPHERSUITES MBEDTLS_SSL_HW_RECORD_ACCEL MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION From 22a8905686836b79db01363fc29c462c9dcd8cd2 Mon Sep 17 00:00:00 2001 
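Review bot: The rewritten condition in mbedtls_ssl_list_ciphersuites still assigns `cs_info` inside the `if`, which the old `#if` dance made necessary but the new unconditional declaration no longer does; splitting it reads more plainly and keeps the NULL guard visibly in front of the dereference in ciphersuite_is_removed: `cs_info = mbedtls_ssl_ciphersuite_from_id( *p );` then `if( cs_info != NULL && !ciphersuite_is_removed( cs_info ) )`. The loop and the enclosing function start outside this hunk, so the `cs_info` declaration now sits inside the loop body on every iteration, which is fine but could be hoisted to the function's declarations with the other locals for consistency with the rest of the file.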
From: Andres Amaya Garcia Date: Mon, 26 Nov 2018 20:57:49 +0000 Subject: [PATCH 107/113] Fix wording of ChangeLog and 3DES_REMOVE docs --- ChangeLog | 11 ++++++----- include/mbedtls/config.h | 7 +++++++ 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index abd12d5b57..ee500131c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,7 +8,12 @@ Features at the cost of additional lifetime constraints on the input buffer, but at the benefit of reduced RAM consumption. * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites - from the default list (inactive by default). + from the default list (enabled by default). See + https://sweet32.info/SWEET32_CCS16.pdf. + +API Changes + * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. + See the Features section for more information. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined @@ -53,10 +58,6 @@ Changes * Ensure that ssl-opt.h can be run in OS X. #2029 * Ciphersuites based on 3DES now have the lowest priority by default. -API Changes - * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. - See the Features section for more information. - = mbed TLS 2.16.0 branch released 2018-12-21 Features diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 131ef232ba..7f38ab9e0e 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
@@ -696,6 +696,13 @@ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including * them explicitly. * + * A man-in-the browser attacker can recover authentication tokens sent through + * a TLS connection using a 3DES based cipher suite (see "On the Practical + * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan + * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls + * in your threat model or you are unsure, then you should keep this option + * enabled to remove 3DES based cipher suites. + * * Comment this macro to keep 3DES in the default ciphersuite list. */ #define MBEDTLS_REMOVE_3DES_CIPHERSUITES From 2dadab7d3fc1364b558a3f0136941d6d39a9a294 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 8 Jan 2019 21:42:27 +0000 Subject: [PATCH 108/113] Exclude 3DES tests in test scripts --- tests/compat.sh | 2 +- tests/scripts/all.sh | 4 ++-- tests/scripts/basic-build-test.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 1814528032..cadc5780b3 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -62,7 +62,7 @@ FILTER="" # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) # - ARIA: not in default config.h + requires OpenSSL >= 1.1.1 # - ChachaPoly: requires OpenSSL >= 1.1.0 -EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305' +EXCLUDE='NULL\|DES-CBC-\|RC4\|3DES\|ARCFOUR\|ARIA\|CHACHA20-POLY1305' VERBOSE="" MEMCHECK=0 PEERS="OpenSSL$PEER_GNUTLS mbedTLS" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 26881595a5..f1c0a27056 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -730,8 +730,8 @@ component_test_full_cmake_clang () { msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' - msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min - if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' + msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min + if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e 'DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' msg "test: compat.sh ARIA + ChachaPoly" if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index 28fc687476..003ebda25e 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -91,7 +91,7 @@ OPENSSL_CMD="$OPENSSL_LEGACY" \ OPENSSL_CMD="$OPENSSL_LEGACY" \ GNUTLS_CLI="$GNUTLS_LEGACY_CLI" \ GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \ - sh compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' | \ + sh compat.sh -e 'DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' | \ tee -a compat-test-$TEST_OUTPUT OPENSSL_CMD="$OPENSSL_NEXT" \ sh compat.sh -e '^$' -f 'ARIA\|CHACHA' | \ From bdfba79f0dd78e8ec1bcaebb8acb0e24709ce9c7 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 11 Feb 2019 21:47:30 +0000 Subject: [PATCH 109/113] Fix documentation for 3DES removal --- include/mbedtls/config.h | 2 +- tests/compat.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 7f38ab9e0e..c8a0d99a2e 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
@@ -696,7 +696,7 @@
  * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
  * them explicitly.
  *
- * A man-in-the browser attacker can recover authentication tokens sent through
+ * A man-in-the-browser attacker can recover authentication tokens sent through
  * a TLS connection using a 3DES based cipher suite (see "On the Practical
  * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
  * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
diff --git a/tests/compat.sh b/tests/compat.sh
index cadc5780b3..c3939b884c 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -62,6 +62,7 @@ FILTER=""
 # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
 # - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
 # - ChachaPoly: requires OpenSSL >= 1.1.0
+# - 3DES: not in default config
 EXCLUDE='NULL\|DES-CBC-\|RC4\|3DES\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
 VERBOSE=""
 MEMCHECK=0
From f8dffb3f34a9df0b1d5c710d132da56b14dda32d Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Tue, 19 Feb 2019 20:14:00 +0000
Subject: [PATCH 110/113] Clarify 3DES changes in ChangeLog

---
 ChangeLog | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index ee500131c4..0db29b15e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -56,7 +56,8 @@ Changes
      underlying OS actually guarantees.
    * Fix configuration queries in ssl-opt.h. #2030
    * Ensure that ssl-opt.h can be run in OS X. #2029
-   * Ciphersuites based on 3DES now have the lowest priority by default.
+   * Ciphersuites based on 3DES now have the lowest priority by default when
+     they are enabled.
 
 = mbed TLS 2.16.0 branch released 2018-12-21
 
From 419bd0011f1aa474ea2b73cb38e5a2d93c35caa2 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Tue, 19 Feb 2019 20:20:57 +0000
Subject: [PATCH 111/113] Adjust DES exclude lists in test scripts

---
 tests/compat.sh | 2 +-
 tests/scripts/all.sh | 2 +-
 tests/scripts/basic-build-test.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/compat.sh b/tests/compat.sh
index c3939b884c..0eae1eab36 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -63,7 +63,7 @@ FILTER=""
 # - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
 # - ChachaPoly: requires OpenSSL >= 1.1.0
 # - 3DES: not in default config
-EXCLUDE='NULL\|DES-CBC-\|RC4\|3DES\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
+EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
 VERBOSE=""
 MEMCHECK=0
 PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index f1c0a27056..734af65c41 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -731,7 +731,7 @@ component_test_full_cmake_clang () {
     if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
 
     msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min
-    if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e 'DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
+    if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
 
     msg "test: compat.sh ARIA + ChachaPoly"
     if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index 003ebda25e..ab95e2290a 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
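Review bot: Collapsing the two terms into a bare `DES` makes EXCLUDE match `3DES-EDE-CBC`, `DES-CBC3` and `3DES-CBC` alike, which looks intended, but the explanatory comment block is now inconsistent with it in two places. Inside the hunk, `# - 3DES: not in default config` describes the removed `3DES` term rather than the new one, and the line immediately above the hunk (visible in the earlier compat.sh hunk of this series, `# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)`) still says 3DES is kept. I would fold both into one line next to the pattern, `# - DES and 3DES: 3DES is not in the default config, and the bare DES term matches every peer's spelling of both`, so the next person widening or narrowing the regex knows what it is meant to cover.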
@@ -91,7 +91,7 @@ OPENSSL_CMD="$OPENSSL_LEGACY" \
 OPENSSL_CMD="$OPENSSL_LEGACY" \
 GNUTLS_CLI="$GNUTLS_LEGACY_CLI" \
 GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
-    sh compat.sh -e 'DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' | \
+    sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' | \
     tee -a compat-test-$TEST_OUTPUT
 OPENSSL_CMD="$OPENSSL_NEXT" \
     sh compat.sh -e '^$' -f 'ARIA\|CHACHA' | \
From aa946b2d49969e47698a95cd6e77808426b2842d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 1 Mar 2019 10:14:58 +0100
Subject: [PATCH 112/113] Fix failure in SSLv3 per-version suites test

The test used 3DES as the suite for SSLv3, which now makes the handshake fails with "no ciphersuite in common", failing the test as well.

Use Camellia instead (as there are not enough AES ciphersuites before TLS 1.2 to distinguish between the 3 versions).

Document some dependencies, but not all. Just trying to avoid introducing new issues by using a new cipher here, not trying to make it perfect, which is a much larger task out of scope of this commit.
---
 tests/ssl-opt.sh | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ff05f64932..f3e12d81d8 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4341,26 +4341,37 @@ run_test    "ECJPAKE: working, DTLS, nolog" \
 # Tests for ciphersuites per version
 
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: SSL3" \
-            "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=ssl3" \
             0 \
-            -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
+            -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: TLS 1.0" \
-            "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=tls1 arc4=1" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: TLS 1.1" \
-            "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=tls1_1" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: TLS 1.2" \
-            "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=tls1_2" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
From 56b9a939a01b8655109d92a9024c5cc9827b423e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 1 Mar 2019 10:23:46 +0100
Subject: [PATCH 113/113] Update query_config.c

---
 programs/ssl/query_config.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 329a5dfee6..1c3da54e5e 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -850,6 +850,14 @@ int query_config( const char *config )
     }
 #endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
 
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    if( strcmp( "MBEDTLS_REMOVE_3DES_CIPHERSUITES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_REMOVE_3DES_CIPHERSUITES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
     if( strcmp( "MBEDTLS_ECP_DP_SECP192R1_ENABLED", config ) == 0 )
     {
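Review bot: The `requires_config_enabled` lines added before each run_test stop short of the dependencies the suite names make certain: every listed suite uses the RSA key exchange, and the TLS 1.2 case expects `TLS-RSA-WITH-AES-128-GCM-SHA256`, so a build with the RSA key exchange or GCM compiled out will run these tests and fail them instead of skipping them. Assuming those options carry their usual config.h names, I would add `requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED` in front of all four tests and `requires_config_enabled MBEDTLS_GCM_C` in front of the TLS 1.2 one; the commit message says the list is knowingly incomplete, but these two follow directly from the suites chosen. Separately, the TLS 1.0 server line drops `arc4=1` while the client keeps `force_version=tls1 arc4=1`; no suite in the list is RC4-based, so the client flag is now dead and could be removed for consistency.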