From 2823fad6cbbbc53bbaf551e268693c50406bff7f Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 23 Aug 2017 16:04:40 +0300 Subject: [PATCH 01/13] Fix typo in configs/README.txt file Fix typo in Readme file: ajust->adjust --- configs/README.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/README.txt b/configs/README.txt index e9867bc15..933fa7f21 100644 --- a/configs/README.txt +++ b/configs/README.txt @@ -8,7 +8,7 @@ These files are complete replacements for the default config.h. To use one of them, you can pick one of the following methods: 1. Replace the default file include/mbedtls/config.h with the chosen one. - (Depending on your compiler, you may need to ajust the line with + (Depending on your compiler, you may need to adjust the line with #include "mbedtls/check_config.h" then.) 2. Define MBEDTLS_CONFIG_FILE and adjust the include path accordingly. From 593b0d33f618f43c5077e425e133925903d2407b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 7 Apr 2017 13:25:49 +0100 Subject: [PATCH 02/13] Make mbedtls_ssl_set_hostname safe to be called multiple times Zeroize and free previously set hostnames before overwriting them. Also, allow clearance of hostname by providing NULL parameter. --- library/ssl_tls.c | 55 +++++++++++++++++++++++++++++++---------------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bd2c27057..542ca68f2 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5980,7 +5980,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, { conf->sig_hashes = hashes; } -#endif +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECP_C) /* @@ -5991,32 +5991,51 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, { conf->curve_list = curve_list; } -#endif +#endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) { - size_t hostname_len; + /* Initialize to suppress unnecessary compiler warning */ + size_t hostname_len = 0; + + /* Check if new hostname is valid before + * making any change to current one */ + + if( hostname != NULL ) + { + hostname_len = strlen( hostname ); + + if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + + /* Now it's clear that we will overwrite the old hostname, + * so we can free it safely */ + + if( ssl->hostname != NULL ) + { + mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); + mbedtls_free( ssl->hostname ); + } + + /* Passing NULL as hostname shall clear the old one */ if( hostname == NULL ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + { + ssl->hostname = NULL; + } + else + { + ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); - hostname_len = strlen( hostname ); + if( ssl->hostname == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - if( hostname_len + 1 == 0 ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + memcpy( ssl->hostname, hostname, hostname_len ); - if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - - ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); - - if( ssl->hostname == NULL ) - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - - memcpy( ssl->hostname, hostname, hostname_len ); - - ssl->hostname[hostname_len] = '\0'; + ssl->hostname[hostname_len] = '\0'; + } return( 0 ); } From b974e98b126476f601acc1e2f8ab55f8aa3164d5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 5 May 2017 11:24:30 +0100 Subject: [PATCH 03/13] Add test case calling ssl_set_hostname twice Add a test case calling ssl_set_hostname twice to test_suite_ssl. When run in CMake build mode ASan, this catches the current leak, but will hopefully be fine with the new version. --- tests/suites/test_suite_ssl.data | 3 +++ tests/suites/test_suite_ssl.function | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index a39f6f09f..b92c1fe8a 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -54,3 +54,6 @@ ssl_dtls_replay:"abcd12340000,abcd12340100":"abcd12340101":0 SSL DTLS replay: big jump then just delayed ssl_dtls_replay:"abcd12340000,abcd12340100":"abcd123400ff":0 + +SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice +ssl_set_hostname_twice:"server0":"server1" diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8d3448cbc..60683afee 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -40,3 +40,16 @@ void ssl_dtls_replay( char *prevs, char *new, int ret ) mbedtls_ssl_config_free( &conf ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ +void ssl_set_hostname_twice( char *hostname0, char *hostname1 ) +{ + mbedtls_ssl_context ssl; + mbedtls_ssl_init( &ssl ); + + TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname0 ) == 0 ); + TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname1 ) == 0 ); + + mbedtls_ssl_free( &ssl ); +} +/* END_CASE */ \ No newline at end of file From 7891da28ea0ab58270fcc584d5dc4c8bc464d4ad Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 7 Apr 2017 12:59:32 +0100 Subject: [PATCH 04/13] Enhance documentation of mbedtls_ssl_set_hostname (1) Add missing error condition (2) Specify allowance and effect of of NULL hostname parameter (3) Describe effect of function on failure --- include/mbedtls/ssl.h | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 60f59a9d5..6084a5160 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1579,14 +1579,24 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, #if defined(MBEDTLS_X509_CRT_PARSE_C) /** - * \brief Set hostname for ServerName TLS extension - * (client-side only) + * \brief Set or reset the hostname to check against the received + * server certificate. It sets the ServerName TLS extension, + * too, if that extension is enabled. (client-side only) * * * \param ssl SSL context - * \param hostname the server hostname + * \param hostname the server hostname, may be NULL to clear hostname + + * \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. + * + * \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on + * allocation failure, MBEDTLS_ERR_BAD_INPUT_DATA on + * too long input hostname. + * + * \post Hostname set to the one provided on success (cleared + * when NULL). On allocation failure hostname is cleared. + * On too long input failure, old hostname is unchanged. * - * \return 0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED */ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ From c7845e51f3b5ab0e93fb2560588849a00b1d35c8 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 7 Apr 2017 13:02:16 +0100 Subject: [PATCH 05/13] Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog. Add a reference to the relevant RFC, adapt ChangeLog. --- ChangeLog | 2 ++ include/mbedtls/ssl.h | 5 ++--- library/ssl_cli.c | 8 ++++++++ library/ssl_tls.c | 2 +- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1d06476d7..e70aeee2f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -118,6 +118,8 @@ Security team. #569 CVE-2017-2784 Bugfix + * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. + Found by jethrogb, #836. * Fix output certificate verification flags set by x509_crt_verify_top() when traversing a chain of trusted CA. The issue would cause both flags, MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6084a5160..12a98eb6d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1590,13 +1590,12 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, * \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. * * \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on - * allocation failure, MBEDTLS_ERR_BAD_INPUT_DATA on + * allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on * too long input hostname. * - * \post Hostname set to the one provided on success (cleared + * Hostname set to the one provided on success (cleared * when NULL). On allocation failure hostname is cleared. * On too long input failure, old hostname is unchanged. - * */ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 31eb203d8..94c521dd9 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -80,6 +80,13 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, } /* + * Sect. 3, RFC 6066 (TLS Extensions Definitions) + * + * In order to provide any of the server names, clients MAY include an + * extension of type "server_name" in the (extended) client hello. The + * "extension_data" field of this extension SHALL contain + * "ServerNameList" where: + * * struct { * NameType name_type; * select (name_type) { @@ -96,6 +103,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, * struct { * ServerName server_name_list<1..2^16-1> * } ServerNameList; + * */ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 542ca68f2..23689d995 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6039,7 +6039,7 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) return( 0 ); } -#endif +#endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, From 72e9ba2ce305992c8153bc3a06c1b5fc82fc4021 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sat, 30 Sep 2017 23:51:44 +0100 Subject: [PATCH 06/13] Update ChangeLog for fix to #836 --- ChangeLog | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e70aeee2f..2bd0be9b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.1.10 branch released 2017-xx-xx + +Bugfix + * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. + Found by projectgus and jethrogb, #836. + = mbed TLS 2.1.9 branch released 2017-08-10 Security @@ -118,8 +124,6 @@ Security team. #569 CVE-2017-2784 Bugfix - * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. - Found by jethrogb, #836. * Fix output certificate verification flags set by x509_crt_verify_top() when traversing a chain of trusted CA. The issue would cause both flags, MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be From bd25784474c3925a1b722f661f9e3250969163b2 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 26 Sep 2017 11:29:11 +0300 Subject: [PATCH 07/13] Fix ssl_server2 sample application prompt FIx the type of server_addr parameter from %d to %s. Issue reported by Email by Bei Jin --- programs/ssl/ssl_server2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 728b9bae6..0271a8f4d 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -314,7 +314,7 @@ int main( void ) #define USAGE \ "\n usage: ssl_server2 param=<>...\n" \ "\n acceptable parameters:\n" \ - " server_addr=%%d default: (all interfaces)\n" \ + " server_addr=%%s default: (all interfaces)\n" \ " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \ From 5d39aceb04577f7238a29137a178c4fdbd090aed Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Mon, 2 Oct 2017 19:12:54 +0100 Subject: [PATCH 08/13] Fix changelog for ssl_server2.c usage fix --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 2bd0be9b4..42cbf6c99 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ mbed TLS ChangeLog (Sorted per branch, date) Bugfix * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. Found by projectgus and jethrogb, #836. + * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin. = mbed TLS 2.1.9 branch released 2017-08-10 From bac9d4d90fbbe1eedd28e82194131c6494878289 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 3 Oct 2017 15:58:26 +0300 Subject: [PATCH 09/13] Parse Signature Algorithm ext when renegotiating Signature algorithm extension was skipped when renegotiation was in progress, causing the signature algorithm not to be known when renegotiating, and failing the handshake. Fix removes the renegotiation step check before parsing the extension. --- ChangeLog | 3 +++ library/ssl_srv.c | 7 ++----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 42cbf6c99..3e74dcea8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ Bugfix * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. Found by projectgus and jethrogb, #836. * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin. + * Parse signature algorithm extension when renegotiating. Previously, + renegotiated handshakes would only accept signatures using SHA-1 + regardless of the peer's preferences, or fail if SHA-1 was disabled. = mbed TLS 2.1.9 branch released 2017-08-10 diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 01b4ada30..1002adfd5 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1603,11 +1603,8 @@ read_record_header: #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) case MBEDTLS_TLS_EXT_SIG_ALG: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); -#if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) - break; -#endif + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); + ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) return( ret ); From 5f1dd80eaf1f9ad12a3d3d61372a7c6bb5006ea3 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 5 Oct 2017 12:29:42 +0100 Subject: [PATCH 10/13] Renegotiation: Add tests for SigAlg ext parsing This commit adds regression tests for the bug when we didn't parse the Signature Algorithm extension when renegotiating. (By nature, this bug affected only the server) The tests check for the fallback hash (SHA1) in the server log to detect that the Signature Algorithm extension hasn't been parsed at least in one of the handshakes. A more direct way of testing is not possible with the current test framework, since the Signature Algorithm extension is parsed in the first handshake and any corresponding debug message is present in the logs. --- tests/ssl-opt.sh | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9c9cf4651..d8f0fd720 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1340,6 +1340,40 @@ run_test "Renegotiation: server-initiated" \ -s "=> renegotiate" \ -s "write hello request" +# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that +# the server did not parse the Signature Algorithm extension. This test is valid only if an MD +# algorithm stronger than SHA-1 is enabled in config.h +run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \ + "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ + "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ + 0 \ + -c "client hello, adding renegotiation extension" \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated? + +# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that +# the server did not parse the Signature Algorithm extension. This test is valid only if an MD +# algorithm stronger than SHA-1 is enabled in config.h +run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \ + "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ + 0 \ + -c "client hello, adding renegotiation extension" \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" \ + -s "=> renegotiate" \ + -s "write hello request" \ + -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated? + run_test "Renegotiation: double" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ From bc041130b0365992c25cc5b995c1c56b31e4a212 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 21 Nov 2016 15:38:02 +0000 Subject: [PATCH 11/13] Correctly handle leap year in x509_date_is_valid() This patch ensures that invalid dates on leap years with 100 or 400 years intervals are handled correctly. --- ChangeLog | 3 +++ library/x509.c | 14 ++++++++++---- tests/suites/test_suite_x509parse.data | 15 +++++++++++++++ 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3e74dcea8..da29d7077 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ Bugfix * Parse signature algorithm extension when renegotiating. Previously, renegotiated handshakes would only accept signatures using SHA-1 regardless of the peer's preferences, or fail if SHA-1 was disabled. + * Fix leap year calculation in x509_date_is_valid() to ensure that invalid + dates on leap years with 100 and 400 intervals are handled correctly. Found + by Nicholas Wilson. #694 = mbed TLS 2.1.9 branch released 2017-08-10 diff --git a/library/x509.c b/library/x509.c index e87ba69da..3cfa1d1e9 100644 --- a/library/x509.c +++ b/library/x509.c @@ -491,9 +491,10 @@ static int x509_parse_int( unsigned char **p, size_t n, int *res ) return( 0 ); } -static int x509_date_is_valid(const mbedtls_x509_time *t) +static int x509_date_is_valid(const mbedtls_x509_time *t ) { int ret = MBEDTLS_ERR_X509_INVALID_DATE; + int month_len; CHECK_RANGE( 0, 9999, t->year ); CHECK_RANGE( 0, 23, t->hour ); @@ -503,17 +504,22 @@ static int x509_date_is_valid(const mbedtls_x509_time *t) switch( t->mon ) { case 1: case 3: case 5: case 7: case 8: case 10: case 12: - CHECK_RANGE( 1, 31, t->day ); + month_len = 31; break; case 4: case 6: case 9: case 11: - CHECK_RANGE( 1, 30, t->day ); + month_len = 30; break; case 2: - CHECK_RANGE( 1, 28 + (t->year % 4 == 0), t->day ); + if( ( !( t->year % 4 ) && t->year % 100 ) || + !( t->year % 400 ) ) + month_len = 29; + else + month_len = 28; break; default: return( ret ); } + CHECK_RANGE( 1, month_len, t->day ); return( 0 ); } diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index e337ed7cf..53e8a44da 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1620,3 +1620,18 @@ X509 Get time (UTC invalid character in sec) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302359n0Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0 +X509 Get time (Generalized Time invalid leap year multiple of 4 and 100) +depends_on:MBEDTLS_X509_USE_C +x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19000229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0 + +X509 Get time (Generalized Time year multiple of 4 and not multiple of 100) +depends_on:MBEDTLS_X509_USE_C +x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19920229000000Z":0:1992:2:29:0:0:0 + +X509 Get time (Generalized Time year multiple of 400) +depends_on:MBEDTLS_X509_USE_C +x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"20000229000000Z":0:2000:2:29:0:0:0 + +X509 Get time (Generalized Time invalid leap year not multiple of 4, 100 or 400) +depends_on:MBEDTLS_X509_USE_C +x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19910229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0 From b1d78fcf708568358a7ff7cf1f1032f4eeb0d4c3 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 6 Oct 2017 17:05:24 +0100 Subject: [PATCH 12/13] Improve leap year test names in x509parse.data --- tests/suites/test_suite_x509parse.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 53e8a44da..5731677fe 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1620,15 +1620,15 @@ X509 Get time (UTC invalid character in sec) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302359n0Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0 -X509 Get time (Generalized Time invalid leap year multiple of 4 and 100) +X509 Get time (Generalized Time, year multiple of 100 but not 400 is not a leap year) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19000229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0 -X509 Get time (Generalized Time year multiple of 4 and not multiple of 100) +X509 Get time (Generalized Time, year multiple of 4 but not 100 is a leap year) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19920229000000Z":0:1992:2:29:0:0:0 -X509 Get time (Generalized Time year multiple of 400) +X509 Get time (Generalized Time, year multiple of 400 is a leap year) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"20000229000000Z":0:2000:2:29:0:0:0 From fe7fd6e8dc3c4d9a3a8e56105cb0ee769658f061 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 25 Aug 2017 17:24:44 +0100 Subject: [PATCH 13/13] Fix typo in asn1.h --- include/mbedtls/asn1.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 082832c87..e159e57ea 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -59,7 +59,7 @@ /** * \name DER constants - * These constants comply with DER encoded the ANS1 type tags. + * These constants comply with the DER encoded ASN.1 type tags. * DER encoding uses hexadecimal representation. * An example DER sequence is:\n * - 0x02 -- tag indicating INTEGER