From 32a7fe3fec4290fba52c73aeebfebb8ac6f3dad3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 3 Apr 2015 17:41:31 +0200 Subject: [PATCH 1/6] Fix bug in POLARSSL_PLATFORM_STD_EXIT support --- library/platform.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/platform.c b/library/platform.c index a161bc3ea..4afe8b74b 100644 --- a/library/platform.c +++ b/library/platform.c @@ -141,7 +141,7 @@ int platform_set_fprintf( int (*fprintf_func)( FILE *, const char *, ... ) ) #endif /* POLARSSL_PLATFORM_FPRINTF_ALT */ #if defined(POLARSSL_PLATFORM_EXIT_ALT) -#if !defined(POLARSSL_STD_EXIT) +#if !defined(POLARSSL_PLATFORM_STD_EXIT) /* * Make dummy function to prevent NULL pointer dereferences */ @@ -151,10 +151,10 @@ static void platform_exit_uninit( int status ) return( 0 ); } -#define POLARSSL_STD_EXIT platform_exit_uninit -#endif /* !POLARSSL_STD_EXIT */ +#define POLARSSL_PLATFORM_STD_EXIT platform_exit_uninit +#endif /* !POLARSSL_PLATFORM_STD_EXIT */ -int (*polarssl_exit)( int status ) = POLARSSL_STD_EXIT; +int (*polarssl_exit)( int status ) = POLARSSL_PLATFORM_STD_EXIT; int platform_set_exit( void (*exit_func)( int status ) ) { From 29f777ef54483c5bc59d0e33f037e5b89aad635e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 3 Apr 2015 17:26:50 +0200 Subject: [PATCH 2/6] Fix bug with ssl_set_curves() check on client --- ChangeLog | 2 ++ library/ssl_cli.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a8758f64a..3341cefde 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,8 @@ Bugfix * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). + * Fix bug related to ssl_set_curves(): the client didn't check that the + curve picked by the server was actually allowed. Changes * Adjusting/overriding CFLAGS and LDFLAGS with the make build syste is now diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 37853bc60..caeb6f3f3 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1479,7 +1479,7 @@ static int ssl_check_server_ecdh_params( const ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); -#if defined(POLARSSL_SSL_ECP_SET_CURVES) +#if defined(POLARSSL_SSL_SET_CURVES) if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) ) #else if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || From a82135c5cf80eafa55179a9aef5773f6dd6f02e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 3 Apr 2015 16:28:19 +0200 Subject: [PATCH 3/6] Document POLARSSL_CAMELLIA_SMALL_MEMORY --- include/polarssl/config.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 63db5ee05..220f74dcc 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -266,10 +266,18 @@ * Store the AES tables in ROM. * * Uncomment this macro to store the AES tables in ROM. - * */ //#define POLARSSL_AES_ROM_TABLES +/** + * \def POLARSSL_CAMELLIA_SMALL_MEMORY + * + * Use less ROM for the Camellia implementation (saves about 768 bytes). + * + * Uncomment this macro to use less memory for Camellia. + */ +//#define POLARSSL_CAMELLIA_SMALL_MEMORY + /** * \def POLARSSL_CIPHER_MODE_CBC * From 8c3f0f4c16993b4eaa2d26aebf672ac52b12778e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 9 Apr 2015 14:10:26 +0200 Subject: [PATCH 4/6] Official deprecate compat-1.2.h and openssl.h --- ChangeLog | 5 +++-- include/polarssl/compat-1.2.h | 10 ++++++++++ include/polarssl/openssl.h | 9 +++++++++ 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3341cefde..8c28c51c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,9 +19,9 @@ Features speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). - * Add config flags POLARSSL_DEPRECATED_WARNING (off by default) to produce + * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). - * Add config flags POLARSSL_DEPRECATED_REMOVED (off by default) to produce + * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix @@ -43,6 +43,7 @@ Bugfix curve picked by the server was actually allowed. Changes + * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build syste is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). diff --git a/include/polarssl/compat-1.2.h b/include/polarssl/compat-1.2.h index ca9a8e068..441ced7c5 100644 --- a/include/polarssl/compat-1.2.h +++ b/include/polarssl/compat-1.2.h @@ -23,6 +23,15 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#if ! defined(MBEDTLS_DEPRECATED_REMOVED) + +#if defined(MBEDTLS_DEPRECATED_WARNING) +#warning "Including compat-1.2.h is deprecated" +#endif + +#ifndef MBEDTLS_COMPAT13_H +#define MBEDTLS_COMPAT13_H + #ifndef POLARSSL_COMPAT_1_2_H #define POLARSSL_COMPAT_1_2_H @@ -386,3 +395,4 @@ static inline int x509_write_key_der( unsigned char *buf, size_t len, rsa_contex } #endif /* POLARSSL_PK_WRITE_C && POLARSSL_RSA_C */ #endif /* compat-1.2.h */ +#endif /* MBEDTLS_DEPRECATED_REMOVED */ diff --git a/include/polarssl/openssl.h b/include/polarssl/openssl.h index dc0eba4d2..96435a3e5 100644 --- a/include/polarssl/openssl.h +++ b/include/polarssl/openssl.h @@ -23,9 +23,17 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + /* * OpenSSL wrapper contributed by David Barett */ + +#if ! defined(MBEDTLS_DEPRECATED_REMOVED) + +#if defined(MBEDTLS_DEPRECATED_WARNING) +#warning "Including openssl.h is deprecated" +#endif + #ifndef POLARSSL_OPENSSL_H #define POLARSSL_OPENSSL_H @@ -137,3 +145,4 @@ inline int RSA_private_encrypt( int size, unsigned char* input, unsigned char* o #endif #endif /* openssl.h */ +#endif /* MBEDTLS_DEPRECATED_REMOVED */ From a98af5e2b2b68c94b84244f4421ddc6d50bc6746 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 9 Apr 2015 14:40:46 +0200 Subject: [PATCH 5/6] Deprecate using NET_C without HAVE_IPV6 --- ChangeLog | 1 + configs/config-ccm-psk-tls1_2.h | 2 +- configs/config-psk-rc4-tls1_0.h | 2 +- include/polarssl/check_config.h | 9 +++++++++ include/polarssl/config.h | 6 ++++++ 5 files changed, 18 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8c28c51c7..f56b20479 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,7 @@ Bugfix curve picked by the server was actually allowed. Changes + * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build syste is now more flexible (warning: OFLAGS is not used any more) (see the README) diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index 776179d17..4a3ebb100 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -12,7 +12,7 @@ #define POLARSSL_CONFIG_H /* System support */ -//#define POLARSSL_HAVE_IPV6 /* Optional */ +#define POLARSSL_HAVE_IPV6 /* Now mandatory for NET_C */ //#define POLARSSL_HAVE_TIME /* Optionally used in Hello messages */ /* Other POLARSSL_HAVE_XXX flags irrelevant for this configuration */ diff --git a/configs/config-psk-rc4-tls1_0.h b/configs/config-psk-rc4-tls1_0.h index b8113ea82..2f557c1c4 100644 --- a/configs/config-psk-rc4-tls1_0.h +++ b/configs/config-psk-rc4-tls1_0.h @@ -12,7 +12,7 @@ #define POLARSSL_CONFIG_H /* System support */ -//#define POLARSSL_HAVE_IPV6 /* Optional */ +#define POLARSSL_HAVE_IPV6 /* Now mandatory for NET_C */ //#define POLARSSL_HAVE_TIME /* Optionnaly used in Hello messages */ /* Other POLARSSL_HAVE_XXX flags irrelevant for this configuration */ diff --git a/include/polarssl/check_config.h b/include/polarssl/check_config.h index a255874ee..f0d83c8d9 100644 --- a/include/polarssl/check_config.h +++ b/include/polarssl/check_config.h @@ -35,6 +35,15 @@ #error "POLARSSL_DEPRECATED_WARNING only works with GCC and Clang" #endif +#if defined(POLARSSL_NET_C) && !defined(POLARSSL_HAVE_IPV6) +#if defined(POLARSSL_DEPRECATED_WARNING) +#warning "Using POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated" +#endif +#if defined(POLARSSL_DEPRECATED_REMOVED) +#define POLARSSL_HAVE_IPV6 +#endif +#endif /* POLARSSL_NET_C && !POLARSSL_HAVE_IPV6 */ + #if defined(POLARSSL_AESNI_C) && !defined(POLARSSL_HAVE_ASM) #error "POLARSSL_AESNI_C defined, but not all prerequisites" #endif diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 220f74dcc..76972dd02 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -107,6 +107,9 @@ * * Note: on Windows/MingW, XP or higher is required. * + * \warning As of 1.3.11, *not* using this flag when POLARSSL_NET_C is + * defined, is deprecated. The alternative legacy code will be removed in 2.0. + * * Comment if your system does not support the IPv6 socket interface */ #define POLARSSL_HAVE_IPV6 @@ -1757,6 +1760,9 @@ * * Enable the TCP/IP networking routines. * + * \warning As of 1.3.11, it is deprecated to enable this module without + * POLARSSL_HAVE_IPV6. The alternative legacy code will be removed in 2.0. + * * Module: library/net.c * * This module provides TCP/IP networking routines. From 23ce09b18fa661ee7497169e68ff4fc292e7f0b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 9 Apr 2015 14:51:51 +0200 Subject: [PATCH 6/6] Deprecate HAVE_INT8 and HAVE_INT16 --- ChangeLog | 1 + include/polarssl/config.h | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/ChangeLog b/ChangeLog index f56b20479..3697f5310 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,7 @@ Bugfix curve picked by the server was actually allowed. Changes + * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build syste is now diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 76972dd02..6bfa705ba 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -44,6 +44,10 @@ * * The system uses 8-bit wide native integers. * + * \deprecated The compiler should be able to generate code for 32-bit + * arithmetic (required by C89). This code is likely to be at least as + * efficient as ours. + * * Uncomment if native integers are 8-bit wide. */ //#define POLARSSL_HAVE_INT8 @@ -53,6 +57,10 @@ * * The system uses 16-bit wide native integers. * + * \deprecated The compiler should be able to generate code for 32-bit + * arithmetic (required by C89). This code is likely to be at least as + * efficient as ours. + * * Uncomment if native integers are 16-bit wide. */ //#define POLARSSL_HAVE_INT16