diff --git a/ChangeLog b/ChangeLog index 1808b9fc6..ecbbb7831 100644 --- a/ChangeLog +++ b/ChangeLog @@ -62,6 +62,17 @@ Features with an alternative implementation: mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). +API Changes + * Extend RSA interface by multiple functions allowing structure- + independent setup and export of RSA contexts. Most notably, + mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting + up RSA contexts from partial key material and having them completed to the + needs of the implementation automatically. This allows to setup private RSA + contexts from keys consisting of N,D,E only, even if P,Q are needed for the + purpose or CRT and/or blinding. + * The configuration option MBEDTLS_RSA_ALT can be used to define alternative + implementations of the RSA interface declared in rsa.h. + New deprecations * Deprecate usage of RSA primitives with non-matching key-type (e.g., signing with a public key). @@ -121,6 +132,9 @@ Bugfix RSA test suite where the failure of CTR DRBG initialization lead to freeing an RSA context and several MPI's without proper initialization beforehand. + * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. + * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. + Found and fixed by Martijn de Milliano. Changes * Extend cert_write example program by options to set the CRT version @@ -133,17 +147,7 @@ Changes * Only run AES-192 self-test if AES-192 is available. Fixes #963. * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the undeclared dependency of the RSA module on the ASN.1 module. - -API Changes - * Extend RSA interface by multiple functions allowing structure- - independent setup and export of RSA contexts. Most notably, - mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting - up RSA contexts from partial key material and having them completed to the - needs of the implementation automatically. This allows to setup private RSA - contexts from keys consisting of N,D,E only, even if P,Q are needed for the - purpose or CRT and/or blinding. - * The configuration option MBEDTLS_RSA_ALT can be used to define alternative - implementations of the RSA interface declared in rsa.h. + * Add mechanism to provide alternative implementation of the DHM module. = mbed TLS 2.6.0 branch released 2017-08-10 diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 493310882..70039897d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -269,6 +269,7 @@ //#define MBEDTLS_CCM_ALT //#define MBEDTLS_CMAC_ALT //#define MBEDTLS_DES_ALT +//#define MBEDTLS_DHM_ALT //#define MBEDTLS_GCM_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index d7ab1522e..f9725ab09 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -23,7 +23,13 @@ #ifndef MBEDTLS_DHM_H #define MBEDTLS_DHM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif #include "bignum.h" +#if !defined(MBEDTLS_DHM_ALT) /* * DHM Error codes @@ -291,6 +297,18 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ +#ifdef __cplusplus +} +#endif + +#else /* MBEDTLS_DHM_ALT */ +#include "dhm_alt.h" +#endif /* MBEDTLS_DHM_ALT */ + +#ifdef __cplusplus +extern "C" { +#endif + /** * \brief Checkup routine * diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 06166d8b1..b7a509831 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -373,21 +373,22 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) /** - * \brief Check usage of certificate against extentedJeyUsage. + * \brief Check usage of certificate against extendedKeyUsage. * - * \param crt Leaf certificate used. - * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). + * \param crt Leaf certificate used. + * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or + * MBEDTLS_OID_CLIENT_AUTH). * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). * - * \return 0 if this use of the certificate is allowed, - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. + * \return 0 if this use of the certificate is allowed, + * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. * - * \note Usually only makes sense on leaf certificates. + * \note Usually only makes sense on leaf certificates. */ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, - const char *usage_oid, - size_t usage_len ); -#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */ + const char *usage_oid, + size_t usage_len ); +#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ #if defined(MBEDTLS_X509_CRL_PARSE_C) /** diff --git a/library/dhm.c b/library/dhm.c index 668d5f753..24c3bf8a8 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -57,6 +57,7 @@ #define mbedtls_free free #endif +#if !defined(MBEDTLS_DHM_ALT) /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; @@ -583,6 +584,7 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ) } #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ +#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_SELF_TEST) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index de3ea80e3..d8fbe357a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2042,7 +2042,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *suite = NULL; const mbedtls_cipher_info_t *cipher = NULL; - if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED || + if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { *olen = 0; diff --git a/library/version_features.c b/library/version_features.c index 172cf1275..ede2276a5 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -105,6 +105,9 @@ static const char *features[] = { #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ +#if defined(MBEDTLS_DHM_ALT) + "MBEDTLS_DHM_ALT", +#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_GCM_ALT) "MBEDTLS_GCM_ALT", #endif /* MBEDTLS_GCM_ALT */ diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index a8ee8fd3d..4038c360d 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -248,6 +248,7 @@ int main( void ) memset( buf, 0, sizeof( buf ) ); + n = dhm.len; if( ( ret = mbedtls_net_recv( &client_fd, buf, n ) ) != (int) n ) { mbedtls_printf( " failed\n ! mbedtls_net_recv returned %d\n\n", ret ); diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index ed6ed308e..a7f5c90a6 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -345,7 +345,7 @@ int main( int argc, char *argv[] ) mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_rsa_gen_key returned -0x%04x", -ret ); + mbedtls_printf( " failed\n ! mbedtls_ecp_gen_key returned -0x%04x", -ret ); goto exit; } }