Manuel Pégourié-Gonnard
fdbdd72b8b
Skip to trusted certs early in the chain
...
This helps in the case where an intermediate certificate is directly trusted.
In that case we want to ignore what comes after it in the chain, not only for
performance but also to avoid false negatives (eg an old root being no longer
trusted while the newer intermediate is directly trusted).
closes #220
2015-09-01 17:24:42 +02:00
Manuel Pégourié-Gonnard
6fb8187279
Update date in copyright line
2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
fa67ebaebb
Fix X.509 keysize check with multiple CAs
...
Assume we have two trusted CAs with the same name, the first uses ECDSA 256
bits, the second RSA 2048; cert is signed by the second. If we do the keysize
check before we checked the key types match, we'll raise the badkey flags when
checking the EC-256 CA and it will remain up even when we finally find the
correct CA. So, move the check for the key size after signature verification,
which implicitly checks the key type.
2015-06-27 14:41:38 +02:00
Manuel Pégourié-Gonnard
79c4e3ee59
Rm obsolete comments
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
655a964539
Adapt check_key_usage to new weird bits
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9a702255f4
Add parsing/printing for new X.509 keyUsage flags
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
b80d16d171
Fix return convention of x509_wildcard_verify()
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
f9b85d96a9
Fix potential resource leak in X.509 parse dir
...
Found with fbinfer.
2015-06-22 18:39:57 +02:00
Manuel Pégourié-Gonnard
1685368408
Rationalize snprintf() usage in X.509 modules
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
097c7bb05b
Rename relevant global symbols from size to bitlen
...
Just applying rename.pl with this file:
mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
2015-06-18 16:43:38 +02:00
Manuel Pégourié-Gonnard
a83e4e2bf5
Extra check in verify_with_profile()
...
This could happen if someone doesn't set the SSL configuration properly. In
that case we don't want to segfault...
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
cbb1f6e5cb
Implement cert profile checking
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
f8ea856296
Change data structure of profiles to bitfields
...
- allows to express 'none' or 'all' more easily than lists
- more compact and easier to declare statically
- easier to check too
Only drawback: if we ever have more than 32 curves, we'll need an ABI change to
make that field a uint64_t.
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
88db5da117
Add pre-defined profiles for cert verification
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
9505164ef4
Create cert profile API (unimplemented yet)
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
c730ed3f2d
Rename boolean functions to be clearer
2015-06-02 10:38:50 +01:00
Manuel Pégourié-Gonnard
0574bb0bdb
Merge branch 'mbedtls-1.3' into development
...
* mbedtls-1.3:
Mark unused constant as such
Update ChangeLog for recent external bugfix
Serious bug fix in entropy.c
Fix memleak with repeated [gc]cm_setkey()
fix minor bug in path_cnt checks
Conflicts:
include/mbedtls/cipher.h
library/ccm.c
library/entropy.c
library/gcm.c
library/x509_crt.c
2015-06-02 09:59:29 +01:00
Manuel Pégourié-Gonnard
6a8ca33fa5
Rename ERR_xxx_MALLOC_FAILED to ..._ALLOC_FAILED
2015-05-28 16:25:05 +02:00
Manuel Pégourié-Gonnard
944cfe8899
Allow use of global mutexes with threading_alt
2015-05-27 20:12:05 +02:00
Manuel Pégourié-Gonnard
1b8de57827
Remove a few redundant memset after calloc.
...
Using the following semantic patch provided by Mansour Moufid:
@@
expression x;
@@
x = mbedtls_calloc(...)
...
- memset(x, 0, ...);
2015-05-27 16:58:55 +02:00
Manuel Pégourié-Gonnard
7551cb9ee9
Replace malloc with calloc
...
- platform layer currently broken (not adapted yet)
- memmory_buffer_alloc too
2015-05-26 16:04:06 +02:00
Nicholas Wilson
bc07c3a1f0
fix minor bug in path_cnt checks
...
If the top certificate occurs twice in trust_ca (for example) it would
not be good for the second instance to be checked with check_path_cnt
reduced twice!
2015-05-13 10:40:30 +01:00
Manuel Pégourié-Gonnard
0ece0f94f2
Fix checks for nul-termination
2015-05-12 12:43:54 +02:00
Manuel Pégourié-Gonnard
43b37cbc92
Fix use of pem_read_buffer() in PK, DHM and X509
2015-05-12 11:26:43 +02:00
Manuel Pégourié-Gonnard
e6ef16f98c
Change X.509 verify flags to uint32_t
2015-05-11 19:54:43 +02:00
Manuel Pégourié-Gonnard
e36d56419e
Merge branch 'mbedtls-1.3' into development
...
* mbedtls-1.3:
fix bug in ssl_mail_client
Adapt compat.sh to GnuTLS 3.4
Fix undefined behaviour in x509
Conflicts:
programs/ssl/ssl_mail_client.c
tests/compat.sh
2015-04-30 13:52:25 +02:00
Manuel Pégourié-Gonnard
159c524df8
Fix undefined behaviour in x509
2015-04-30 11:21:18 +02:00
Manuel Pégourié-Gonnard
1e2eae02cb
Adapt pthread implementation to recent changes
2015-04-29 02:08:34 +02:00
Manuel Pégourié-Gonnard
e6028c93f5
Fix some X509 macro names
...
For some reason, during the great renaming, some names that should have been
prefixed with MBEDTLS_X509_ have only been prefixed with MBEDTLS_
2015-04-20 12:19:02 +01:00
Manuel Pégourié-Gonnard
b5f48ad82f
manually merge 39a183a
add x509_crt_verify_info()
2015-04-20 11:22:57 +01:00
Manuel Pégourié-Gonnard
39a183a629
Add x509_crt_verify_info()
2015-04-17 17:24:25 +02:00
Manuel Pégourié-Gonnard
8408a94969
Remove MBEDTLS_ from internal macros
2015-04-09 13:52:55 +02:00
Manuel Pégourié-Gonnard
2cf5a7c98e
The Great Renaming
...
A simple execution of tmp/invoke-rename.pl
2015-04-08 13:25:31 +02:00
Manuel Pégourié-Gonnard
1d0ca1a336
Move key_usage to more that 8 bits
2015-03-27 16:50:00 +01:00
Manuel Pégourié-Gonnard
1022fed36e
Remove redundant sig_oid2 in x509 structures
2015-03-27 16:34:42 +01:00
Manuel Pégourié-Gonnard
a252af760f
Minor source simplification
2015-03-27 16:15:55 +01:00
Manuel Pégourié-Gonnard
ca878dbaa5
Make md_info_t an opaque structure
...
- more freedom for us to change it in the future
- enforces hygiene
- performance impact of making accessors no longer inline should really be
negligible
2015-03-25 21:37:15 +01:00
Manuel Pégourié-Gonnard
6e0643762d
Reverse meaning of OID_CMP
2015-03-19 16:54:56 +00:00
Manuel Pégourié-Gonnard
7f8099773e
Rename include directory to mbedtls
2015-03-10 11:23:56 +00:00
Manuel Pégourié-Gonnard
fe44643b0e
Rename website and repository
2015-03-06 13:17:10 +00:00
Mansour Moufid
99b9259f76
Fix whitespace of 369e6c20
.
2015-02-16 10:43:52 +00:00
Mansour Moufid
c531b4af3c
Apply the semantic patch rm-malloc-cast.cocci.
...
for dir in library programs; do
spatch --sp-file scripts/rm-malloc-cast.cocci --dir $dir \
--in-place;
done
2015-02-16 10:43:52 +00:00
Rich Evans
fac657fd52
modify library/x509*.c to use polarssl_snprintf
2015-02-13 13:50:25 +00:00
Rich Evans
00ab47026b
cleanup library and some basic tests. Includes, add guards to includes
2015-02-10 11:28:46 +00:00
Manuel Pégourié-Gonnard
555fbf8758
Support composite RDNs in X.509 certs parsing
2015-02-04 17:11:55 +00:00
Manuel Pégourié-Gonnard
860b51642d
Fix url again
2015-01-28 17:12:07 +00:00
Manuel Pégourié-Gonnard
7cbe1318d8
Fix more stdio inclusion issues
2015-01-28 15:28:30 +01:00
Manuel Pégourié-Gonnard
acdb9b9525
Fix unchecked error code on Windows
2015-01-23 17:50:34 +00:00
Manuel Pégourié-Gonnard
085ab040aa
Fix website url to use https.
2015-01-23 11:06:27 +00:00
Manuel Pégourié-Gonnard
9698f5852c
Remove maintainer line.
2015-01-23 10:59:00 +00:00
Manuel Pégourié-Gonnard
19f6b5dfaa
Remove redundant "all rights reserved"
2015-01-23 10:54:00 +00:00
Manuel Pégourié-Gonnard
a658a4051b
Update copyright
2015-01-23 09:55:24 +00:00
Manuel Pégourié-Gonnard
b4fe3cb1fa
Rename to mbed TLS in the documentation/comments
2015-01-22 16:11:05 +00:00
Manuel Pégourié-Gonnard
967a2a5f8c
Change name to mbed TLS in the copyright notice
2015-01-22 14:28:16 +00:00
Manuel Pégourié-Gonnard
9439f93ea4
Use pk_load_file() in X509
...
Saves a bit of ROM. X509 depends on PK anyway.
2014-11-27 17:44:46 +01:00
Manuel Pégourié-Gonnard
fd6c85c3eb
Set a compile-time limit to X.509 chain length
2014-11-20 16:37:41 +01:00
Manuel Pégourié-Gonnard
e5b0fc1847
Make malloc-init script a bit happier
2014-11-13 12:42:12 +01:00
Manuel Pégourié-Gonnard
f631bbc1da
Make x509_string_cmp() iterative
2014-11-13 12:42:06 +01:00
Manuel Pégourié-Gonnard
8a5e3d4a40
Forbid repeated X.509 extensions
2014-11-12 18:13:58 +01:00
Manuel Pégourié-Gonnard
b134060f90
Fix memory leak with crafted X.509 certs
2014-11-12 00:01:52 +01:00
Manuel Pégourié-Gonnard
ef9a6aec51
Allow comparing name with mismatched encodings
2014-10-17 12:42:31 +02:00
Manuel Pégourié-Gonnard
88421246d8
Rename a function
2014-10-17 12:42:30 +02:00
Paul Bakker
5a5fa92bfe
x509_crt_parse() did not increase total_failed on PEM error
...
Result was that PEM errors in files with multiple certificates were not
detectable by the user.
2014-10-03 15:47:13 +02:00
Manuel Pégourié-Gonnard
d249b7ab9a
Restore ability to trust non-CA selfsigned EE cert
2014-06-25 11:26:13 +02:00
Manuel Pégourié-Gonnard
c4eff16516
Restore ability to use v1 CA if trusted locally
2014-06-25 11:26:12 +02:00
Manuel Pégourié-Gonnard
1c082f34f3
Update description and references for X.509 files
2014-06-23 11:52:59 +02:00
Paul Bakker
66d5d076f7
Fix formatting in various code to match spacing from coding style
2014-06-17 17:06:47 +02:00
Paul Bakker
d8bb82665e
Fix code styling for return statements
2014-06-17 14:06:49 +02:00
Paul Bakker
3461772559
Introduce polarssl_zeroize() instead of memset() for zeroization
2014-06-14 16:46:03 +02:00
Paul Bakker
c2ff2083ee
Merge parsing and verification of RSASSA-PSS in X.509 modules
2014-06-12 22:02:47 +02:00
Manuel Pégourié-Gonnard
d1539b1e88
Rename RSASSA_PSS_CERTIFICATES to X509_RSASSA_PSS_SUPPORT
2014-06-06 16:42:37 +02:00
Manuel Pégourié-Gonnard
53882023e7
Also verify CRLs signed with RSASSA-PSS
2014-06-05 17:59:55 +02:00
Manuel Pégourié-Gonnard
46db4b070c
Use pk_verify_ext() in x509_crt.c
2014-06-05 17:08:46 +02:00
Manuel Pégourié-Gonnard
bf696d030b
Make sig_opts non-optional in X509 structures
...
This simplifies the code.
2014-06-05 17:08:46 +02:00
Manuel Pégourié-Gonnard
dddbb1d1eb
Rm sig_params from various X509 structures
2014-06-05 17:08:46 +02:00
Manuel Pégourié-Gonnard
9113603b6b
Use sig_opts in x509_sig_alg_gets()
2014-06-05 15:41:39 +02:00
Manuel Pégourié-Gonnard
f75f2f7c46
Add sig_opts member to X509 structures
2014-06-05 15:14:59 +02:00
Manuel Pégourié-Gonnard
920e1cd5e2
Add basic PSS cert verification
...
Still todo:
- handle MGF-hash != sign-hash
- check effective salt len == announced salt len
- add support in the PK layer so that we don't have to bypass it here
2014-06-04 12:09:08 +02:00
Manuel Pégourié-Gonnard
cac31eed9e
Factor common code for printing sig_alg
2014-06-02 16:12:46 +02:00
Manuel Pégourié-Gonnard
cf975a3857
Factor out some common code
2014-06-02 16:12:46 +02:00
Manuel Pégourié-Gonnard
9df5c96214
Fix dependencies
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
e76b750b69
Finish parsing RSASSA-PSS parameters
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
f346bab139
Start parsing RSASSA-PSS parameters
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
59a75d5b9d
Basic parsing of certs signed with RSASSA-PSS
2014-06-02 16:10:29 +02:00
Paul Bakker
14b16c62e9
Minor optimizations (original by Peter Vaskovic, modified by Paul Bakker)
...
Move strlen out of for loop.
Remove redundant null checks before free.
2014-05-28 11:34:33 +02:00
Paul Bakker
b9e4e2c97a
Fix formatting: fix some 'easy' > 80 length lines
2014-05-01 14:18:25 +02:00
Paul Bakker
9af723cee7
Fix formatting: remove trailing spaces, #endif with comments (> 10 lines)
2014-05-01 13:03:14 +02:00
Manuel Pégourié-Gonnard
cef4ad2509
Adapt sources to configurable config.h name
2014-04-30 16:40:20 +02:00
Manuel Pégourié-Gonnard
7afb8a0dca
Add x509_crt_check_extended_key_usage()
2014-04-11 11:09:00 +02:00
Manuel Pégourié-Gonnard
490047cc44
Code cosmetics
2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard
312010e6e9
Factor common parent checking code
2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard
f93a3c4335
Check the CA bit on trusted CAs too
2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard
99d4f19111
Add keyUsage checking for CAs
2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard
3fed0b3264
Factor some common code in x509_verify{,_child}
2014-04-09 15:50:57 +02:00
Manuel Pégourié-Gonnard
603116c570
Add x509_crt_check_key_usage()
2014-04-09 15:50:57 +02:00
Manuel Pégourié-Gonnard
8c045ef8e4
Fix embarrassing X.509 bug introduced in 9533765
2014-04-08 11:55:03 +02:00
Paul Bakker
e4205dc50a
Merged printing of X509 extensions
2014-04-04 15:36:10 +02:00
Paul Bakker
5ff3f9134b
Small fix for EFI build under Windows in x509_crt.c
2014-04-04 15:08:20 +02:00
Manuel Pégourié-Gonnard
0db29b05b5
More compact code using macros
2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard
7b30cfc5b0
x509_crt_info() list output cosmectics
2014-04-04 14:01:39 +02:00