Commit Graph

13810 Commits

Author SHA1 Message Date
Ronald Cron
707c8c34ec Merge remote-tracking branch 'mbedtls-restricted/mbedtls-3.6-release-sync' into 'mbedtls-restricted/mbedtls-3.6-restricted'
2026-03-23 12:08:25 +01:00
Bence Szépkúti
8530b5e708 Merge pull request #1504 from gilles-peskine-arm/psa-rng-fork-3.6
Backport 3.6: PSA RNG fork protection
2026-03-19 17:26:52 +01:00
Gilles Peskine
f6118b40e1 Merge pull request #1492 from minosgalanakis/bugfix/ccm_finish_boundary_check_3.6
Bugfix/ccm finish boundary check 3.6
2026-03-17 21:57:28 +01:00
Ronald Cron
c1cd21d854 Merge pull request #1510 from yanesca/1445_fix_signature_algorithm_injection-backport
Fix signature algorithm injection [3.6 Backport]
2026-03-17 17:09:51 +01:00
Bence Szépkúti
444d0ac2c1 Merge pull request #10443 from davidhorstmann-arm/verify-result-default-failure-3.6
[Backport 3.6] Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
2026-03-17 12:14:48 +00:00
Manuel Pégourié-Gonnard
b48ddb3f4e Merge pull request #1485 from gilles-peskine-arm/dev-random-config-3.6
Backport 3.6: Use /dev/random and make it configurable
2026-03-17 10:54:46 +01:00
David Horstmann
0501209507 Move TLS 1.3 verify-result setting for PSK
When we are doing PSK, we'd like to set verify_result to
0 to indicate success. Previously this was done in
mbedtls_ssl_set_hs_psk() but this is inadequate since this function may
be called for early data (where certificate verification happens later
in the handshake).

Instead, set this value after writing / processing the encrypted
extensions on the server / client respectively, so that we know whether
we are doing certificate verification or not for sure. This change is
effective only for TLS 1.3 as TLS 1.2 sets verify_result for PSK in
ssl_parse_certificate_coordinate().

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2026-03-16 17:19:30 +00:00
Gilles Peskine
fd0e168fab Extend PSA RNG fork protection to NV-seed-only configurations
In builds with only a nonvolatile seed but no actual entropy source, the
naive protection against fork() by reseeding in the child doesn't work:
every child forked from the same RNG state gets the same RNG state. To make
the child's RNG state unique in that case, use a public but unique
personalization string.

The personalization string includes the time. Use `mbedtls_ms_time()` if
available. Fall back to the classic (but obsolescent) `gettimeofday()`
otherwise.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-16 17:50:06 +01:00
Gilles Peskine
0b93865aed Protect the PSA RNG from duplication on fork
If a process forks with the PSA subsystem active, the PSA RNG state is
duplicated. This led to the parent process and the child process generating
the same sequence of random numbers.

Fix this by forcing a reseed if the value of `getpid()` changes. This is the
same technique used in OpenSSL ≥1.1.1d.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-16 17:50:06 +01:00
Bence Szépkúti
c5f0f738ed Merge pull request #1497 from gilles-peskine-arm/psa-rng-reseed-3.6
Backport 3.6: API to reseed the PSA RNG
2026-03-16 13:53:53 +01:00
Janos Follath
5b5e3ba75b Fix ssl_parse_signature_algorithm guards
In 3.6 we still have RSA key exchange and the existing preprocessor
guards are insufficient. Use the same macro to guard the definition that
guards the call.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:39:01 +00:00
Janos Follath
b353e92c2b Improve ssl_parse_signature_algorithm
Simplify and improve error reporting and remove unnecessary
initialisation (the caller is responsible for initialising those
values).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:39:01 +00:00
Janos Follath
1f938bc20f Fix code style
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:39:01 +00:00
Janos Follath
28886c543e ssl_parse_signature_algorithm: match error codes
The caller is returning MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER if
ssl_parse_signature_algorithm() fails, but
ssl_parse_signature_algorithm() returns
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE upon failure. There is no good reason
for this mismatch, and it is better to be aligned.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:39:01 +00:00
Janos Follath
4d70ce2f13 ssl_parse_signature_algorithm: caller to get bytes
After the recent refactoring ssl_parse_signature_algorithm() sends an
alert on failure, but the caller also sends an alert on failure. Sending
two alerts is at least a protocol violation, and might not leave the SSL
context in a good state.

It is simpler to have the caller read the two bytes, and pass them to
this function.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:39:01 +00:00
Janos Follath
e50420a2dd Fix code style
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:39:01 +00:00
Janos Follath
fcb70427f8 Reintroduce ssl_parse_signature_algorithm
The logic was easier to follow before 693a47a, which removed the
ssl_parse_signature_algorithm function and introduced the bug being
fixed in this PR.

When validating multiple conditions, it's easier to read, easier to
debug and, as we can see, easier to get right if you validate them
separately.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:38:20 +00:00
Janos Follath
0165a8d763 sig_algs: fix typo in client's sig_algs check
This bug caused the client to accept sig_algs used by the server that
it explicitly wanted to disallow.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:37:49 +00:00
Manuel Pégourié-Gonnard
0d48c34169 Merge pull request #1490 from ronald-cron-arm/tls12-2nd-client-hello-3.6
Backport 3.6: Fix TLS 1.2 client hello after HRR
2026-03-16 10:58:44 +01:00
Manuel Pégourié-Gonnard
2d0aa97f81 Merge pull request #1501 from mpg/restricted-ffdh-peerkey-checks
[Backport 3.6] FFDH peer key checks
2026-03-13 12:44:30 +01:00
Manuel Pégourié-Gonnard
01b04ab723 Merge pull request #1489 from davidhorstmann-arm/fix-psa-ffdh-buffer-overflow-3.6
[Backport 3.6] Fix buffer overflow in FFDH public key export
2026-03-13 09:56:43 +01:00
Manuel Pégourié-Gonnard
e24f1e5c2c Merge pull request #10609 from mpg/pk-psa-large-stack-buffers
[3.6] PK: avoid large stack buffers in "to/from PSA" functions
2026-03-13 08:53:48 +00:00
Minos Galanakis
e8a2499d4e ccm: Fixed a missing error flag assertion.
In ccm_calculate_first_block_if_ready, when using CCM,
tag_len==0 is invalid. When it fails, it will now also
assert CCM_STATE__ERROR in the state machine's
context.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-12 11:09:31 +00:00
Minos Galanakis
8b50733a73 ccm: Re-ordered len checks in mbedtls_ccm_finish.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-12 11:09:31 +00:00
Minos Galanakis
e96de33867 psa_core: Added a retval in psa_aead_final_checks()
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-11 10:30:57 +00:00
Minos Galanakis
32caf3bad0 ccm: Fail when calling finish without ccm_starts
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-10 22:04:27 +00:00
Ronald Cron
828e3817ac Merge pull request #10623 from ronald-cron-arm/dtls-client-hello-defragmentation-3.6
Backport 3.6: Add support for (D)TLS 1.2 client hello defragmentation
2026-03-10 14:46:41 +00:00
Manuel Pégourié-Gonnard
199d4d9380 FFDH: fix wrong word in comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-10 11:40:14 +01:00
Ronald Cron
7476e4067d Restore seq number check of post-handshake ClientHello msg
The check was wrongly removed by the commit
"ssl_tls12_server.c: Move ClientHello message_seq adjustment".

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-10 10:15:42 +01:00
David Horstmann
01bcc1f754 Add missing FFDH public key buffer length check
When exporting an FFDH public key we were not properly checking the
length of the output buffer and would write the full length of the key
in all cases. Fix this by checking the size of the output buffer before
we write to it.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2026-03-10 09:05:37 +00:00
Ronald Cron
d6977afbd8 ssl_tls12_server.c: Move back the digest update
Move back the digest update to just after the call to
mbedtls_ssl_read_record(). It fits well here, as the comment
associated with the call to mbedtls_ssl_read_record() explains
that we update it manually.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-10 09:47:29 +01:00
Ronald Cron
1222d8cbf4 Improve comments
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-10 09:47:28 +01:00
Manuel Pégourié-Gonnard
4704b6b4bd Merge pull request #1488 from davidhorstmann-arm/fix-null-pointer-dereference-3.6
[Backport 3.6] Fix null pointer dereference in `mbedtls_x509_string_to_names()`
2026-03-09 12:42:56 +01:00
Gilles Peskine
8f8b70aff1 Merge remote-tracking branch 'mbedtls-3.6' into merge-3.6-restricted-20260309
2026-03-08 20:26:08 +01:00
Manuel Pégourié-Gonnard
8eb4fba6fb FFDH: expand comment on peerkey check
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-05 12:56:53 +01:00
Manuel Pégourié-Gonnard
c173dfb035 FFDH: improve sanity checks
- avoid grouping checks, for a better debugging experience (breakpoints)
- use a more logical order, checking the key type first

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-05 12:56:45 +01:00
Manuel Pégourié-Gonnard
7a4e2c67b4 FFDH: reorder checks to satisfy picky test
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-05 12:56:22 +01:00
Manuel Pégourié-Gonnard
10c5db67be FFDH: clean up size check
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-05 12:52:19 +01:00
Manuel Pégourié-Gonnard
470ee785ca FFDH: rm useless variable
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-05 12:51:47 +01:00
Manuel Pégourié-Gonnard
7d9f1b55fc FFDH: validate peer's key as per RFC 7919
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-05 12:44:20 +01:00
Minos Galanakis
de24220853 ccm_finish: Updated to only accept lens set by ccm_set_lengths
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-05 09:10:47 +00:00
Gilles Peskine
a863415205 New API psa_random_set_prediction_resistance()
Let applications configure prediction resistance at runtime.

Prediction resistance is always considered disabled when there is no actual
entropy source, only a nonvolatile seed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-04 17:54:56 +01:00
Gilles Peskine
5093f08415 New API psa_random_deplete(): force a reseed on the next RNG query
In some scenarios, application or integration code knows that the random
generator should be reseeded, but the reseed cannot or must not happen
immediately and there is no way to report errors. In such scenarios, users
can call the new function `psa_random_deplete()`, which just marks the DRBG
as needing a reseed.

This change requires DRBG modules to treat `reseed_counter == reseed_interval`
as a condition that requires a reseed. Historically they reseeded when
`reseed_counter > reseed_interval`, but that made it impossible to require
a reseed when `reseed_interval == MAX_INT`. Note that this edge case is not
tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-04 17:54:56 +01:00
Gilles Peskine
bd57d52490 DRBG: make reseed_counter not be off by 1
Change `reseed_counter` to be the number of requests made since the last
reseed, rather than this number minus 1. Thus, reseed when
`reseed_counter >= reseed_interval` rather than
`reseed_counter > reseed_interval`. The field `reseed_counter` is private so
this is not an API change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-04 17:54:56 +01:00
Gilles Peskine
ccfb7357a3 New function psa_random_reseed()
Explicit reseed of the PSA random generator.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-04 17:54:56 +01:00
Gilles Peskine
fb6503bf62 Add internal function to reseed PSA RNG
Not applicable to an external RNG.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-04 17:54:56 +01:00
Gilles Peskine
4de8b1043a Move PSA internal RNG functions to a new module
Move the PSA internal RNG functions (i.e. the parts of the PSA random
generator that are used when `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is not
enabled) to a separate source file.

`mbedtls_psa_crypto_configure_entropy_sources` stays where it is, at least
for now, because it accesses global data directly and because I have no
immediate reason to move it.

Refactoring only, no behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-04 17:54:56 +01:00
Gilles Peskine
685a1ce6f4 Merge remote-tracking branch 'mbedtls-3.6' into merge-3.6-restricted-20260304
2026-03-04 14:39:06 +01:00
Gilles Peskine
9cd92b207f Support testing baremetal builds without the UNIXLIKE code
When `MBEDTLS_TEST_PLATFORM_IS_NOT_UNIXLIKE` is defined, do not enable
`MBEDTLS_PLATFORM_IS_UNIXLIKE`. This lets us test baremetal builds as such
even if we happen to be building for Linux or another Unix-like platform.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-03 15:19:58 +01:00
Gilles Peskine
168461a3a9 Unify the detection of Unix-like platforms
We were using slightly different guards to decide whether to include
`<unistd.h>` in different places. Unify those.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-03 15:19:58 +01:00