Added support for calculating the length of the TLS send message buffer

TLS security protocol now calculates the size for send buffer based on the
length of the own certificate chain. This allows that variable length
own certificate chains can be supported on TLS negotiation.

Author: Mika Leppänen

source/6LoWPAN/ws/ws_pae_controller.c

@@ -776,6 +776,9 @@ int8_t ws_pae_controller_certificate_chain_set(const arm_certificate_chain_entry
                 }
             }
         }
+
+        // Updates the length of own certificates
+        entry->certs.own_cert_chain_len = sec_prot_certs_cert_chain_entry_len_get(&entry->certs.own_cert_chain);
     }
 
     return 0;
@@ -801,6 +804,8 @@ int8_t ws_pae_controller_own_certificate_add(const arm_certificate_entry_s *cert
                 break;
             }
         }
+        // Updates the length of own certificates
+        entry->certs.own_cert_chain_len = sec_prot_certs_cert_chain_entry_len_get(&entry->certs.own_cert_chain);
     }
 
     return ret;
@@ -810,6 +815,7 @@ int8_t ws_pae_controller_own_certificates_remove(void)
 {
     ns_list_foreach(pae_controller_t, entry, &pae_controller_list) {
         sec_prot_certs_chain_entry_init(&entry->certs.own_cert_chain);
+        entry->certs.own_cert_chain_len = 0;
     }
 
     return 0;

source/Security/protocols/eap_tls_sec_prot/eap_tls_sec_prot_lib.c

@@ -59,6 +59,23 @@ int8_t eap_tls_sec_prot_lib_message_allocate(tls_data_t *data, uint8_t head_len,
     return 0;
 }
 
+int8_t eap_tls_sec_prot_lib_message_realloc(tls_data_t *data, uint8_t head_len, uint16_t new_len)
+{
+    tls_data_t new_tls_send;
+
+    eap_tls_sec_prot_lib_message_init(&new_tls_send);
+    if (eap_tls_sec_prot_lib_message_allocate(&new_tls_send, head_len, new_len) < 0) {
+        return -1;
+    }
+    memcpy(new_tls_send.data + head_len, data->data + head_len, data->handled_len);
+    new_tls_send.handled_len = data->handled_len;
+    eap_tls_sec_prot_lib_message_free(data);
+
+    *data = new_tls_send;
+
+    return 0;
+}
+
 void eap_tls_sec_prot_lib_message_free(tls_data_t *data)
 {
     ns_dyn_mem_free(data->data);

source/Security/protocols/eap_tls_sec_prot/eap_tls_sec_prot_lib.h

@@ -72,6 +72,19 @@ extern const uint8_t eap_msg_trace[4][10];
  */
 int8_t eap_tls_sec_prot_lib_message_allocate(tls_data_t *data, uint8_t head_len, uint16_t len);
 
+/**
+ * eap_tls_sec_prot_lib_message_realloc allocates larger message buffer and copies existing data to it
+ *
+ * \param data data buffer which length is increased
+ * \param head_len header length
+ * \param new_len new length for the buffer
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t eap_tls_sec_prot_lib_message_realloc(tls_data_t *data, uint8_t head_len, uint16_t new_len);
+
 /**
  * eap_tls_sec_prot_lib_message_free free message buffer
  *

source/Security/protocols/sec_prot_certs.c

@@ -32,6 +32,10 @@
 
 #define TRACE_GROUP "spce"
 
+// Length for PEM coded certificate's begin and end certificate text strings
+#define SEC_PROT_CERT_PEM_HEADER_FOOTER_LEN                52
+#define SEC_PROT_CERT_PEM_HEADER_STR                       "-----BEGIN CERTIFICATE-----"
+
 int8_t sec_prot_certs_init(sec_prot_certs_t *certs)
 {
     if (!certs) {
@@ -41,6 +45,7 @@ int8_t sec_prot_certs_init(sec_prot_certs_t *certs)
     sec_prot_certs_chain_entry_init(&certs->own_cert_chain);
     ns_list_init(&certs->trusted_cert_chain_list);
     ns_list_init(&certs->cert_revocat_lists);
+    certs->own_cert_chain_len = 0;
     certs->ext_cert_valid_enabled = false;
 
     return 0;
@@ -73,6 +78,11 @@ bool sec_prot_certs_ext_certificate_validation_get(const sec_prot_certs_t *certs
     return certs->ext_cert_valid_enabled;
 }
 
+uint16_t sec_prot_certs_own_cert_chain_len_get(const sec_prot_certs_t *certs)
+{
+    return certs->own_cert_chain_len;
+}
+
 cert_chain_entry_t *sec_prot_certs_chain_entry_create(void)
 {
     cert_chain_entry_t *entry = ns_dyn_mem_alloc(sizeof(cert_chain_entry_t));
@@ -115,6 +125,28 @@ uint8_t *sec_prot_certs_cert_get(const cert_chain_entry_t *entry, uint8_t index,
     return entry->cert[index];
 }
 
+uint16_t sec_prot_certs_cert_chain_entry_len_get(const cert_chain_entry_t *entry)
+{
+    uint16_t chain_length = 0;
+    for (uint8_t index = 0; index < SEC_PROT_CERT_CHAIN_DEPTH; index++) {
+        if (entry->cert[index]) {
+            uint16_t cert_length  = entry->cert_len[index];
+            // Checks if certificate is in PEM base64 format
+            if (cert_length > SEC_PROT_CERT_PEM_HEADER_FOOTER_LEN &&
+                entry->cert[index][cert_length - 1] == '\0' &&
+                strstr((const char *)entry->cert[index], SEC_PROT_CERT_PEM_HEADER_STR) != NULL) {
+                cert_length -= SEC_PROT_CERT_PEM_HEADER_FOOTER_LEN;
+                /* 4 base64 chars encode 3 bytes (ignores line endings and possible paddings in the
+                   calculation i.e they are counted to length) */
+                chain_length += (cert_length / 4) * 3;
+            } else {
+                chain_length += cert_length;
+            }
+        }
+    }
+    return chain_length;
+}
+
 int8_t sec_prot_certs_priv_key_set(cert_chain_entry_t *entry, uint8_t *key, uint8_t key_len)
 {
     if (!entry) {

source/Security/protocols/sec_prot_certs.h

@@ -58,6 +58,7 @@ typedef struct {
     cert_chain_entry_t own_cert_chain;                  /**< Own certificate chain */
     cert_chain_list_t trusted_cert_chain_list;          /**< Trusted certificate chain lists */
     cert_revocat_lists_t cert_revocat_lists;            /**< Certificate Revocation Lists */
+    uint16_t own_cert_chain_len;                        /**< Own certificate chain certificates length */
     bool ext_cert_valid_enabled : 1;                    /**< Extended certificate validation enabled */
 } sec_prot_certs_t;
 
@@ -101,6 +102,15 @@ int8_t sec_prot_certs_ext_certificate_validation_set(sec_prot_certs_t *certs, bo
  */
 bool sec_prot_certs_ext_certificate_validation_get(const sec_prot_certs_t *certs);
 
+/**
+ * sec_prot_certs_own_cert_chain_len_get get length of own certificate chain
+ *
+ * \param certs    certificate information
+ *
+ * \return length of all the certificates in the own certificate chain
+ */
+uint16_t sec_prot_certs_own_cert_chain_len_get(const sec_prot_certs_t *certs);
+
 /**
  * sec_prot_certs_chain_entry_create allocate memory for certificate chain entry
  *
@@ -146,6 +156,15 @@ int8_t sec_prot_certs_cert_set(cert_chain_entry_t *entry, uint8_t index, uint8_t
  */
 uint8_t *sec_prot_certs_cert_get(const cert_chain_entry_t *entry, uint8_t index, uint16_t *cert_len);
 
+/**
+ * sec_prot_certs_cert_chain_entry_len_get get length of certificate chain on cert chain entry
+ *
+ * \param entry certificate chain entry
+ *
+ * \return total length of all the certificates in the entry
+ */
+uint16_t sec_prot_certs_cert_chain_entry_len_get(const cert_chain_entry_t *entry);
+
 /**
  * sec_prot_certs_priv_key_set set certificate (chain) private key
  *

source/Security/protocols/tls_sec_prot/tls_sec_prot.c

@@ -104,6 +104,8 @@ static bool tls_sec_prot_queue_check(sec_prot_t *prot);
 static bool tls_sec_prot_queue_process(sec_prot_t *prot);
 static void tls_sec_prot_queue_remove(sec_prot_t *prot);
 
+static uint16_t tls_sec_prot_send_buffer_size_get(sec_prot_t *prot);
+
 #define tls_sec_prot_get(prot) (tls_sec_prot_int_t *) &prot->data
 
 static NS_LIST_DEFINE(tls_sec_prot_queue, tls_sec_prot_queue_t, link);
@@ -498,12 +500,23 @@ static int16_t tls_sec_prot_tls_send(void *handle, const void *buf, size_t len)
     tls_sec_prot_int_t *data = tls_sec_prot_get(prot);
 
     if (!data->tls_send.data) {
-        eap_tls_sec_prot_lib_message_allocate(&data->tls_send, prot->header_size, TLS_SEC_PROT_BUFFER_SIZE);
+        uint16_t buffer_len = tls_sec_prot_send_buffer_size_get(prot);
+        eap_tls_sec_prot_lib_message_allocate(&data->tls_send, prot->header_size, buffer_len);
     }
     if (!data->tls_send.data) {
         return -1;
     }
 
+    /* If send buffer is too small for the TLS payload, re-allocates */
+    uint16_t new_len = prot->header_size + data->tls_send.handled_len + len;
+    if (new_len > data->tls_send.total_len) {
+        tr_error("TLS send buffer size too small: %i < %i, allocating new: %i", data->tls_send.total_len, new_len, data->tls_send.total_len + TLS_SEC_PROT_SEND_BUFFER_SIZE_INCREMENT);
+        if (eap_tls_sec_prot_lib_message_realloc(&data->tls_send, prot->header_size,
+                                                 data->tls_send.total_len + TLS_SEC_PROT_SEND_BUFFER_SIZE_INCREMENT) < 0) {
+            return -1;
+        }
+    }
+
     memcpy(data->tls_send.data + prot->header_size + data->tls_send.handled_len, buf, len);
     data->tls_send.handled_len += len;
 
@@ -689,4 +702,9 @@ static void tls_sec_prot_queue_remove(sec_prot_t *prot)
     }
 }
 
+static uint16_t tls_sec_prot_send_buffer_size_get(sec_prot_t *prot)
+{
+    return TLS_SEC_PROT_SEND_BUFFER_SIZE + sec_prot_certs_own_cert_chain_len_get(prot->sec_keys->certs);
+}
+
 #endif /* HAVE_WS */

source/Security/protocols/tls_sec_prot/tls_sec_prot.h

@@ -23,7 +23,13 @@
  *
  */
 
-#define TLS_SEC_PROT_BUFFER_SIZE       1200   // Send buffer size (maximum size for a TLS data for a flight)
+/* TLS send buffer size not including certificates. This should include e.g. on
+ * server: server hello, server key exchange, certificate request and server
+ * hello done. */
+#define TLS_SEC_PROT_SEND_BUFFER_SIZE             500
+
+/* TLS send buffer size increment if it is detected that buffer is too small */
+#define TLS_SEC_PROT_SEND_BUFFER_SIZE_INCREMENT   1000
 
 /**
  * client_tls_sec_prot_register register client TLS protocol to KMP service

source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c

@@ -75,7 +75,7 @@ struct tls_security_s {
     mbedtls_pk_context             pkey;                 /**< Private key for own certificate */
     void                           *handle;              /**< Handle provided in callbacks (defined by library user) */
     bool                           ext_cert_valid : 1;   /**< Extended certificate validation enabled */
-    tls_sec_prot_lib_crt_verify_cb *crt_verify;          /**< Verify function for top certificate */
+    tls_sec_prot_lib_crt_verify_cb *crt_verify;          /**< Verify function for client/server certificate */
     tls_sec_prot_lib_send          *send;                /**< Send callback */
     tls_sec_prot_lib_receive       *receive;             /**< Receive callback */
     tls_sec_prot_lib_export_keys   *export_keys;         /**< Export keys callback */
@@ -488,7 +488,7 @@ static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, in
         tr_error("Invalid signature pk algorithm");
     }
 
-    // Verify top certificate of the chain
+    // Verify client/server certificate of the chain
     if (certificate_depth == 0) {
         return sec->crt_verify(sec, crt, flags);
     }