mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-23 08:31:04 +00:00
Merge remote-tracking branch 'public/pr/1771' into mbedtls-2.1
commit
e5828ce06c
20
ChangeLog
|
@ -1461,7 +1461,7 @@ Features
|
||||||
issuer_key_identifier, etc)
|
issuer_key_identifier, etc)
|
||||||
* Optional blinding for RSA, DHM and EC
|
* Optional blinding for RSA, DHM and EC
|
||||||
* Support for multiple active certificate / key pairs in SSL servers for
|
* Support for multiple active certificate / key pairs in SSL servers for
|
||||||
the same host (Not to be confused with SNI!)
|
the same host (Not to be confused with SNI!)
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
|
* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
|
||||||
|
@ -1692,7 +1692,7 @@ Changes
|
||||||
PKCS#8 private key formats
|
PKCS#8 private key formats
|
||||||
* Added mechanism to provide alternative implementations for all
|
* Added mechanism to provide alternative implementations for all
|
||||||
symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
|
symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
|
||||||
config.h)
|
config.h)
|
||||||
* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
|
* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
|
||||||
old PBKDF2 module
|
old PBKDF2 module
|
||||||
|
|
||||||
|
@ -1704,7 +1704,7 @@ Bugfix
|
||||||
* x509parse_crt() now better handles PEM error situations
|
* x509parse_crt() now better handles PEM error situations
|
||||||
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
||||||
instead of the x509parse_crt() wrapper that can also parse PEM
|
instead of the x509parse_crt() wrapper that can also parse PEM
|
||||||
certificates
|
certificates
|
||||||
* x509parse_crtpath() is now reentrant and uses more portable stat()
|
* x509parse_crtpath() is now reentrant and uses more portable stat()
|
||||||
* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
|
* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
|
||||||
* Fixed values for 2-key Triple DES in cipher layer
|
* Fixed values for 2-key Triple DES in cipher layer
|
||||||
|
@ -1862,7 +1862,7 @@ Bugfix
|
||||||
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
|
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
|
||||||
#52)
|
#52)
|
||||||
* Handle encryption with private key and decryption with public key as per
|
* Handle encryption with private key and decryption with public key as per
|
||||||
RFC 2313
|
RFC 2313
|
||||||
* Handle empty certificate subject names
|
* Handle empty certificate subject names
|
||||||
* Prevent reading over buffer boundaries on X509 certificate parsing
|
* Prevent reading over buffer boundaries on X509 certificate parsing
|
||||||
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
||||||
|
@ -1893,7 +1893,7 @@ Bugfix
|
||||||
* x509parse_crt() now better handles PEM error situations
|
* x509parse_crt() now better handles PEM error situations
|
||||||
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
||||||
instead of the x509parse_crt() wrapper that can also parse PEM
|
instead of the x509parse_crt() wrapper that can also parse PEM
|
||||||
certificates
|
certificates
|
||||||
* Fixed values for 2-key Triple DES in cipher layer
|
* Fixed values for 2-key Triple DES in cipher layer
|
||||||
* ssl_write_certificate_request() can handle empty ca_chain
|
* ssl_write_certificate_request() can handle empty ca_chain
|
||||||
|
|
||||||
|
@ -1974,16 +1974,16 @@ Bugfix
|
||||||
Features
|
Features
|
||||||
* Added ssl_session_reset() to allow better multi-connection pools of
|
* Added ssl_session_reset() to allow better multi-connection pools of
|
||||||
SSL contexts without needing to set all non-connection-specific
|
SSL contexts without needing to set all non-connection-specific
|
||||||
data and pointers again. Adapted ssl_server to use this functionality.
|
data and pointers again. Adapted ssl_server to use this functionality.
|
||||||
* Added ssl_set_max_version() to allow clients to offer a lower maximum
|
* Added ssl_set_max_version() to allow clients to offer a lower maximum
|
||||||
supported version to a server to help buggy server implementations.
|
supported version to a server to help buggy server implementations.
|
||||||
(Closes ticket #36)
|
(Closes ticket #36)
|
||||||
* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
|
* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
|
||||||
introspection functions (Closes ticket #40)
|
introspection functions (Closes ticket #40)
|
||||||
* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
|
* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
|
||||||
* Added a generic entropy accumulator that provides support for adding
|
* Added a generic entropy accumulator that provides support for adding
|
||||||
custom entropy sources and added some generic and platform dependent
|
custom entropy sources and added some generic and platform dependent
|
||||||
entropy sources
|
entropy sources
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
|
* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
|
||||||
|
@ -2116,7 +2116,7 @@ Bugfixes
|
||||||
* Corrected parsing of UTCTime dates before 1990 and
|
* Corrected parsing of UTCTime dates before 1990 and
|
||||||
after 1950
|
after 1950
|
||||||
* Support more exotic OID's when parsing certificates
|
* Support more exotic OID's when parsing certificates
|
||||||
(found by Mads Kiilerich)
|
(found by Mads Kiilerich)
|
||||||
* Support more exotic name representations when parsing
|
* Support more exotic name representations when parsing
|
||||||
certificates (found by Mads Kiilerich)
|
certificates (found by Mads Kiilerich)
|
||||||
* Replaced the expired test certificates
|
* Replaced the expired test certificates
|
||||||
|
@ -2146,7 +2146,7 @@ Note: Most of these features have been donated by Fox-IT
|
||||||
status, objects and configuration
|
status, objects and configuration
|
||||||
+ Added verification callback on certificate chain
|
+ Added verification callback on certificate chain
|
||||||
verification to allow external blacklisting
|
verification to allow external blacklisting
|
||||||
+ Additional example programs to show usage
|
+ Additional example programs to show usage
|
||||||
* Added support for PKCS#11 through the use of the
|
* Added support for PKCS#11 through the use of the
|
||||||
libpkcs11-helper library
|
libpkcs11-helper library
|
||||||
|
|
||||||
|
|
2
include/mbedtls/ssl.h
Executable file → Normal file
|
@ -1587,7 +1587,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
|
||||||
*
|
*
|
||||||
* \param ssl SSL context
|
* \param ssl SSL context
|
||||||
* \param hostname the server hostname, may be NULL to clear hostname
|
* \param hostname the server hostname, may be NULL to clear hostname
|
||||||
|
*
|
||||||
* \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
|
* \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
|
||||||
*
|
*
|
||||||
* \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
|
* \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
|
||||||
|
|
|
@ -205,7 +205,6 @@ int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
|
||||||
int ret;
|
int ret;
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
|
|
||||||
// TODO negative values and values larger than 128
|
|
||||||
// DER format assumes 2s complement for numbers, so the leftmost bit
|
// DER format assumes 2s complement for numbers, so the leftmost bit
|
||||||
// should be 0 for positive numbers and 1 for negative numbers.
|
// should be 0 for positive numbers and 1 for negative numbers.
|
||||||
//
|
//
|
||||||
|
|
|
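Review bot: the removed `// TODO negative values and values larger than 128` in mbedtls_asn1_write_int() was the only statement of the supported input range, and no code changes with it in this hunk. If the limitation still holds, state it in the function's documentation (the parameter is `int val`, so callers can pass negative values) instead of dropping it.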
@ -1890,8 +1890,6 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Retrieve PSK identity hint and callback to app
|
|
||||||
//
|
|
||||||
*p += len;
|
*p += len;
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
|
||||||
|
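Review bot: after the TODO is removed, ssl_parse_server_psk_hint() still just advances with `*p += len` and sets `ret = 0`, so the hint is discarded with no comment saying so. Suggest replacing the TODO with a one-line comment that the PSK identity hint is deliberately ignored, rather than leaving the skip unexplained.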
@ -2464,9 +2462,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: handshake_failure alert for an anonymous server to request
|
|
||||||
// client authentication
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* struct {
|
* struct {
|
||||||
* ClientCertificateType certificate_types<1..2^8-1>;
|
* ClientCertificateType certificate_types<1..2^8-1>;
|
||||||
|
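Review bot: the TODO removed near the top of ssl_parse_certificate_request() recorded a missing protocol check (a handshake_failure alert when an anonymous server requests client authentication), and nothing in the visible lines adds that check. Suggest referencing a tracking issue in the commit message or keeping a short note here so the gap stays discoverable.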
@ -2538,7 +2533,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/* Ignored, see comments about hash in write_certificate_verify */
|
/* Ignored, see comments about hash in write_certificate_verify */
|
||||||
// TODO: should check the signature part against our pk_key though
|
|
||||||
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
||||||
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
||||||
#if defined(MBEDTLS_DEBUG_C)
|
#if defined(MBEDTLS_DEBUG_C)
|
||||||
|
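Review bot: with `// TODO: should check the signature part against our pk_key though` gone, the remaining comment reads only `Ignored, see comments about hash in write_certificate_verify`, which no longer tells the reader that the signature part of the list is not compared with the client's own key. Suggest extending that comment to say so.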
@ -2580,7 +2574,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
/* Ignore certificate_authorities, we only have one cert anyway */
|
/* Ignore certificate_authorities, we only have one cert anyway */
|
||||||
// TODO: should not send cert if no CA matches
|
|
||||||
dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
||||||
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
||||||
|
|
||||||
|
|
|
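Review bot: the comment left behind, `Ignore certificate_authorities, we only have one cert anyway`, loses the caveat from the removed TODO that the client certificate should not be sent when no listed CA matches. Suggest stating in the comment or in the API documentation that the CA list is not used to decide whether the certificate is sent.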
@ -3744,7 +3744,6 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: what's the purpose of these lines? is in_len used?
|
|
||||||
ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
|
ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
|
||||||
ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
|
ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
|
||||||
}
|
}
|
||||||
|
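Review bot: the question in the removed TODO (`is in_len used?`) is not answered by this hunk; the two `ssl->in_len[...]` assignments stay as they were. Suggest either a comment explaining why the length bytes are rewritten from `ssl->in_msglen` here, or removing the assignments in a separate change if they turn out to be dead.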
@ -5170,7 +5169,6 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
|
ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
|
||||||
|
|
||||||
// TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
|
|
||||||
hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
|
hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
|
|
|
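Review bot: `hash_len` stays hard-coded to 12 for every version other than MBEDTLS_SSL_MINOR_VERSION_0, while the removed TODO noted that in TLS 1.2 the length is determined by the cipher suite. Suggest replacing the TODO with a comment naming the assumption the constant relies on, so the value is not read as a general rule.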
@ -522,9 +522,6 @@ static int x509_get_subject_alt_name( unsigned char **p,
|
||||||
/*
|
/*
|
||||||
* X.509 v3 extensions
|
* X.509 v3 extensions
|
||||||
*
|
*
|
||||||
* TODO: Perform all of the basic constraints tests required by the RFC
|
|
||||||
* TODO: Set values for undetected extensions to a sane default?
|
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
static int x509_get_crt_ext( unsigned char **p,
|
static int x509_get_crt_ext( unsigned char **p,
|
||||||
const unsigned char *end,
|
const unsigned char *end,
|
||||||
|
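Review bot: the header comment of x509_get_crt_ext() loses both TODOs (the basic constraints tests required by the RFC, and defaults for undetected extensions) with no code change in the visible lines. These describe limits of the extension parser that matter for chain validation; suggest moving them to the documentation or a tracked issue rather than deleting them.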
@ -1638,12 +1635,6 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
||||||
if( ca == NULL )
|
if( ca == NULL )
|
||||||
return( flags );
|
return( flags );
|
||||||
|
|
||||||
/*
|
|
||||||
* TODO: What happens if no CRL is present?
|
|
||||||
* Suggestion: Revocation state should be unknown if no CRL is present.
|
|
||||||
* For backwards compatibility this is not yet implemented.
|
|
||||||
*/
|
|
||||||
|
|
||||||
while( crl_list != NULL )
|
while( crl_list != NULL )
|
||||||
{
|
{
|
||||||
if( crl_list->version == 0 ||
|
if( crl_list->version == 0 ||
|
||||||
|
|
|
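Review bot: the block comment removed from x509_crt_verifycrl() was the only place stating that a missing CRL does not yield an "unknown" revocation state. With `while( crl_list != NULL )` the loop body is simply skipped when the list is empty, so suggest keeping that fact as a plain note here or in the documentation of the public verification function.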
@ -214,7 +214,6 @@ int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
|
||||||
mbedtls_x509_csr_free( csr );
|
mbedtls_x509_csr_free( csr );
|
||||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||||
}
|
}
|
||||||
// TODO Parse Attributes / extension requests
|
|
||||||
|
|
||||||
p += len;
|
p += len;
|
||||||
|
|
||||||
|
|
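Review bot: mbedtls_x509_csr_parse_der() still skips the attributes with `p += len` once the TODO is removed, so attributes and extension requests in a CSR remain unparsed with nothing saying so. Suggest a comment at the skip, and a note in the function documentation, so callers do not assume requested extensions were examined.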
0
tests/scripts/run-test-suites.pl
Normal file → Executable file
|
@ -53,3 +53,4 @@ void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
|
||||||
mbedtls_ssl_free( &ssl );
|
mbedtls_ssl_free( &ssl );
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
|
|
|
@ -38,11 +38,11 @@ To build and run this example you must have:
|
||||||
|
|
||||||
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
||||||
|
|
||||||
Use the following settings:
|
Use the following settings:
|
||||||
|
|
||||||
* 115200 baud (not 9600).
|
* 115200 baud (not 9600).
|
||||||
* 8N1.
|
* 8N1.
|
||||||
* No flow control.
|
* No flow control.
|
||||||
|
|
||||||
7. Press the Reset button on the board.
|
7. Press the Reset button on the board.
|
||||||
|
|
||||||
|
|
|
@ -38,11 +38,11 @@ To build and run this example you must have:
|
||||||
|
|
||||||
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
||||||
|
|
||||||
Use the following settings:
|
Use the following settings:
|
||||||
|
|
||||||
* 115200 baud (not 9600).
|
* 115200 baud (not 9600).
|
||||||
* 8N1.
|
* 8N1.
|
||||||
* No flow control.
|
* No flow control.
|
||||||
|
|
||||||
7. Press the Reset button on the board.
|
7. Press the Reset button on the board.
|
||||||
|
|
||||||
|
|
|
@ -38,11 +38,11 @@ To build and run this example you must have:
|
||||||
|
|
||||||
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
||||||
|
|
||||||
Use the following settings:
|
Use the following settings:
|
||||||
|
|
||||||
* 115200 baud (not 9600).
|
* 115200 baud (not 9600).
|
||||||
* 8N1.
|
* 8N1.
|
||||||
* No flow control.
|
* No flow control.
|
||||||
|
|
||||||
7. Press the Reset button on the board.
|
7. Press the Reset button on the board.
|
||||||
|
|
||||||
|
|
|
@ -38,11 +38,11 @@ To build and run this example you must have:
|
||||||
|
|
||||||
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
||||||
|
|
||||||
Use the following settings:
|
Use the following settings:
|
||||||
|
|
||||||
* 115200 baud (not 9600).
|
* 115200 baud (not 9600).
|
||||||
* 8N1.
|
* 8N1.
|
||||||
* No flow control.
|
* No flow control.
|
||||||
|
|
||||||
7. Press the Reset button on the board.
|
7. Press the Reset button on the board.
|
||||||
|
|
||||||
|
|
|
@ -44,11 +44,11 @@ To build and run this example you must have:
|
||||||
|
|
||||||
7. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
7. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
|
||||||
|
|
||||||
Use the following settings:
|
Use the following settings:
|
||||||
|
|
||||||
* 115200 baud (not 9600).
|
* 115200 baud (not 9600).
|
||||||
* 8N1.
|
* 8N1.
|
||||||
* No flow control.
|
* No flow control.
|
||||||
|
|
||||||
8. Press the Reset button on the board.
|
8. Press the Reset button on the board.
|
||||||
|
|
||||||
|
|