AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'origin/development' into development-restricted

Browse Source 
* origin/development:
  Update the crypto submodule
  Use multipart PSA key derivation API
  platform: Include stdarg.h where needed
  Update Mbed Crypto to contain mbed-crypto#152
  CMake: Add a subdirectory build regression test
  README: Enable builds as a CMake subproject
  ChangeLog: Enable builds as a CMake subproject
  Remove use of CMAKE_SOURCE_DIR
  Update library version to 2.18.0
This commit is contained in:
Jaeden Amero 2019-08-29 14:14:05 +01:00
commit 64f264332f
9 changed files with 158 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

155
ChangeLog
View File

@ -9,6 +9,93 @@ Security
about 1 bit of information on average and could cause the value to be
1 byte too large for the output buffer.
Features
* Add new API functions mbedtls_ssl_session_save() and
mbedtls_ssl_session_load() to allow serializing a session, for example to
store it in non-volatile storage, and later using it for TLS session
resumption.
* Add a new API function mbedtls_ssl_check_record() to allow checking that
an incoming record is valid, authentic and has not been seen before. This
feature can be used alongside Connection ID and SSL context serialisation.
The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
option.
API Changes
* Add DER-encoded test CRTs to library/certs.c, allowing
the example programs ssl_server2 and ssl_client2 to be run
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
* The HAVEGE state type now uses uint32_t elements instead of int.
Bugfix
* Fix missing bounds checks in X.509 parsing functions that could
lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
* Fix multiple X.509 functions previously returning ASN.1 low-level error
codes to always wrap these codes into X.509 high level error codes before
returning. Fixes #2431.
* Fix to allow building test suites with any warning that detects unused
functions. Fixes #1628.
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
* Fix build failure when building with mingw on Windows by including
stdarg.h where needed. Fixes #2656.
* Fix Visual Studio Release x64 build configuration by inheriting
PlatformToolset from the project configuration. Fixes #1430 reported by
irwir.
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
if some curves are not defined. Fixes #1591 reported by dbedev.
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
* Avoid use of statically sized stack buffers for certificate writing.
This previously limited the maximum size of DER encoded certificates
in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
* Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
* Update test certificates that were about to expire. Reported by
Bernhard M. Wiedemann in #2357.
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
in #2169.
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
Changes
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
suggests). #2671
* Make `make clean` clean all programs always. Fixes #1862.
* Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
docker-env.sh) to simplify running test suites on a Linux host. Contributed
by Peter Kolbus (Garmin).
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
Ashley Duncan in #2609.
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
test runs without variability. Contributed by Philippe Antoine (Catena
cyber) in #2681.
* Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
Ashley Duncan in #2609.
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
test runs without variability. Contributed by Philippe Antoine (Catena
cyber) in #2681.
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
Ashley Duncan in #2609.
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
test runs without variability. Contributed by Philippe Antoine (Catena
cyber) in #2681.
* Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
Contributed by Philippe Antoine (Catena cyber).
= mbed TLS 2.18.1 branch released 2019-07-12
Bugfix
* Fix build failure when building with mingw on Windows by including
stdarg.h where needed. Fixes #2656.
Changes
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
Ashley Duncan in #2609.
= mbed TLS 2.18.0 branch released 2019-06-11
Features
* Add the Any Policy certificate policy oid, as defined in
rfc 5280 section 4.2.1.4.
@ -38,24 +125,11 @@ Features
changed its IP or port. The feature is enabled at compile-time by setting
MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
* Add new API functions mbedtls_ssl_session_save() and
mbedtls_ssl_session_load() to allow serializing a session, for example to
store it in non-volatile storage, and later using it for TLS session
resumption.
* Add a new API function mbedtls_ssl_check_record() to allow checking that
an incoming record is valid, authentic and has not been seen before. This
feature can be used alongside Connection ID and SSL context serialisation.
The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
option.
API Changes
* Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
and the used tls-prf.
* Add public API for tls-prf function, according to requested enum.
* Add DER-encoded test CRTs to library/certs.c, allowing
the example programs ssl_server2 and ssl_client2 to be run
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
* The HAVEGE state type now uses uint32_t elements instead of int.
Bugfix
* Fix private key DER output in the key_app_writer example. File contents
@ -83,35 +157,7 @@ Bugfix
* Set the next sequence of the subject_alt_name to NULL when deleting
sequence on failure. Found and fix suggested by Philippe Antoine.
Credit to OSS-Fuzz.
* Fix missing bounds checks in X.509 parsing functions that could
lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
* Fix multiple X.509 functions previously returning ASN.1 low-level error
codes to always wrap these codes into X.509 high level error codes before
returning. Fixes #2431.
* Fix to allow building test suites with any warning that detects unused
functions. Fixes #1628.
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
* Fix build failure when building with mingw on Windows by including
stdarg.h where needed. Fixes #2656.
* Fix Visual Studio Release x64 build configuration by inheriting
PlatformToolset from the project configuration. Fixes #1430 reported by
irwir.
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
if some curves are not defined. Fixes #1591 reported by dbedev.
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
* Avoid use of statically sized stack buffers for certificate writing.
This previously limited the maximum size of DER encoded certificates
in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
* Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
* Update test certificates that were about to expire. Reported by
Bernhard M. Wiedemann in #2357.
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
in #2169.
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
Changes
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
mbedTLS configuration only SHA-2 signed certificates are accepted.
@ -128,31 +174,6 @@ Changes
Contributed by Peter Kolbus (Garmin).
* Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
improve clarity. Fixes #2258.
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
suggests). #2671
* Make `make clean` clean all programs always. Fixes #1862.
* Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
docker-env.sh) to simplify running test suites on a Linux host. Contributed
by Peter Kolbus (Garmin).
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
Ashley Duncan in #2609.
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
test runs without variability. Contributed by Philippe Antoine (Catena
cyber) in #2681.
* Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
Ashley Duncan in #2609.
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
test runs without variability. Contributed by Philippe Antoine (Catena
cyber) in #2681.
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
Ashley Duncan in #2609.
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
test runs without variability. Contributed by Philippe Antoine (Catena
cyber) in #2681.
* Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
Contributed by Philippe Antoine (Catena cyber).
= mbed TLS 2.17.0 branch released 2019-03-19

2
crypto

@ -1 +1 @@
Subproject commit 89e76556910c2704313fe23b174f2742702a3a29
Subproject commit 21db2a94a482689e4e4f4e5473d4b5723c5394e4

2
doxygen/input/doc_mainpage.h
View File

@ -24,7 +24,7 @@
*/
/**
* @mainpage mbed TLS v2.17.0 source code documentation
* @mainpage mbed TLS v2.18.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in

2
doxygen/mbedtls.doxyfile
View File

@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
PROJECT_NAME = "mbed TLS v2.17.0"
PROJECT_NAME = "mbed TLS v2.18.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or

8
include/mbedtls/version.h
View File

@ -39,7 +39,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 17
#define MBEDTLS_VERSION_MINOR 18
#define MBEDTLS_VERSION_PATCH 0
/**
@ -47,9 +47,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x02110000
#define MBEDTLS_VERSION_STRING "2.17.0"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.17.0"
#define MBEDTLS_VERSION_NUMBER 0x02120000
#define MBEDTLS_VERSION_STRING "2.18.0"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.18.0"
#if defined(MBEDTLS_VERSION_C)

4
library/CMakeLists.txt
View File

@ -172,14 +172,14 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedx509 SHARED ${src_x509})
set_target_properties(mbedx509 PROPERTIES VERSION 2.17.0 SOVERSION 0)
set_target_properties(mbedx509 PROPERTIES VERSION 2.18.0 SOVERSION 1)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
target_include_directories(mbedx509
PUBLIC ${MBEDTLS_DIR}/include/
PUBLIC ${MBEDTLS_DIR}/crypto/include/)
add_library(mbedtls SHARED ${src_tls})
set_target_properties(mbedtls PROPERTIES VERSION 2.17.0 SOVERSION 12)
set_target_properties(mbedtls PROPERTIES VERSION 2.18.0 SOVERSION 13)
target_link_libraries(mbedtls ${libs} mbedx509)
target_include_directories(mbedtls
PUBLIC ${MBEDTLS_DIR}/include/

4
library/Makefile
View File

@ -35,8 +35,8 @@ LOCAL_CFLAGS += -fPIC -fpic
endif
endif
SOEXT_TLS=so.12
SOEXT_X509=so.0
SOEXT_TLS=so.13
SOEXT_X509=so.1
SOEXT_CRYPTO=so.3
# Set AR_DASH= (empty string) to use an ar implementation that does not accept

68
library/ssl_tls.c
View File

@ -689,6 +689,52 @@ exit:
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
psa_key_handle_t slot,
psa_algorithm_t alg,
const unsigned char* seed, size_t seed_length,
const unsigned char* label, size_t label_length,
size_t capacity )
{
psa_status_t status;
status = psa_key_derivation_setup( derivation, alg );
if( status != PSA_SUCCESS )
return( status );
if( PSA_ALG_IS_TLS12_PRF( alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
{
status = psa_key_derivation_input_bytes( derivation,
PSA_KEY_DERIVATION_INPUT_SEED,
seed, seed_length );
if( status != PSA_SUCCESS )
return( status );
status = psa_key_derivation_input_key( derivation,
PSA_KEY_DERIVATION_INPUT_SECRET,
slot );
if( status != PSA_SUCCESS )
return( status );
status = psa_key_derivation_input_bytes( derivation,
PSA_KEY_DERIVATION_INPUT_LABEL,
label, label_length );
if( status != PSA_SUCCESS )
return( status );
}
else
{
return( PSA_ERROR_NOT_SUPPORTED );
}
status = psa_key_derivation_set_capacity( derivation, capacity );
if( status != PSA_SUCCESS )
return( status );
return( PSA_SUCCESS );
}
static int tls_prf_generic( mbedtls_md_type_t md_type,
const unsigned char *secret, size_t slen,
const char *label,
@ -716,12 +762,12 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
status = psa_key_derivation( &derivation,
master_slot, alg,
random, rlen,
(unsigned char const *) label,
(size_t) strlen( label ),
dlen );
status = setup_psa_key_derivation( &derivation,
master_slot, alg,
random, rlen,
(unsigned char const *) label,
(size_t) strlen( label ),
dlen );
if( status != PSA_SUCCESS )
{
psa_key_derivation_abort( &derivation );
@ -1695,11 +1741,11 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
else
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
status = psa_key_derivation( &derivation, psk, alg,
salt, salt_len,
(unsigned char const *) lbl,
(size_t) strlen( lbl ),
master_secret_len );
status = setup_psa_key_derivation( &derivation, psk, alg,
salt, salt_len,
(unsigned char const *) lbl,
(size_t) strlen( lbl ),
master_secret_len );
if( status != PSA_SUCCESS )
{
psa_key_derivation_abort( &derivation );

4
tests/suites/test_suite_version.data
View File

@ -1,8 +1,8 @@
Check compiletime library version
check_compiletime_version:"2.17.0"
check_compiletime_version:"2.18.0"
Check runtime library version
check_runtime_version:"2.17.0"
check_runtime_version:"2.18.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0