From b194a283a96727f50e74fec50efd2497b995b8ce Mon Sep 17 00:00:00 2001 From: Martijn de Milliano Date: Thu, 6 Jul 2017 23:55:59 +0200 Subject: [PATCH 01/12] dh_server: Fixed expected number of bytes received from client when receiving public value. --- programs/pkey/dh_server.c | 1 + 1 file changed, 1 insertion(+) diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 8bf2b1b29..7906ac1b8 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -234,6 +234,7 @@ int main( void ) memset( buf, 0, sizeof( buf ) ); + n = dhm.len; if( ( ret = mbedtls_net_recv( &client_fd, buf, n ) ) != (int) n ) { mbedtls_printf( " failed\n ! mbedtls_net_recv returned %d\n\n", ret ); From 27b34d5bad4766ab8b4d6b81d4571b946b70f55a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 20 Oct 2017 14:24:51 +0100 Subject: [PATCH 02/12] Wrong identifier used to check Encrypt-then-MAC flag This commit fixes a comparison of ssl_session->encrypt_then_mac against the ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead, MBEDTLS_SSL_ETM_DISABLED should be used. The typo is has no functional effect since both constants have the same value 0. --- library/ssl_srv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 37f415dd1..f98e9e8a9 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2042,7 +2042,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *suite = NULL; const mbedtls_cipher_info_t *cipher = NULL; - if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED || + if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { *olen = 0; From 9a51c032ee2c414e814317d4011b549ece778af2 Mon Sep 17 00:00:00 2001 From: Chris Xue Date: Sun, 5 Nov 2017 19:10:51 +0000 Subject: [PATCH 03/12] Fix copy paste error in the error message of mbedtls_ecp_gen_key in gen_key.c --- programs/pkey/gen_key.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 48126948d..547426813 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -339,7 +339,7 @@ int main( int argc, char *argv[] ) mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_rsa_gen_key returned -0x%04x", -ret ); + mbedtls_printf( " failed\n ! mbedtls_ecp_gen_key returned -0x%04x", -ret ); goto exit; } } From c81fcb9d36158091d83cc48038bdee964fdbf2ff Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 14 Nov 2017 21:40:02 +0000 Subject: [PATCH 04/12] Fix typos in documentation for mbedtls_x509_crt_check_extended_key_usage() --- include/mbedtls/x509_crt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 06166d8b1..f4773b4dc 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -373,7 +373,7 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) /** - * \brief Check usage of certificate against extentedJeyUsage. + * \brief Check usage of certificate against extendedKeyUsage. * * \param crt Leaf certificate used. * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). @@ -387,7 +387,7 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len ); -#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */ +#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ #if defined(MBEDTLS_X509_CRL_PARSE_C) /** From 5a6da63138cf589077f54f49934ca928cf6c73a6 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 14 Nov 2017 21:40:51 +0000 Subject: [PATCH 05/12] Fix indentation for mbedtls_x509_crt_check_key_usage() --- include/mbedtls/x509_crt.h | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index f4773b4dc..b7a509831 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -373,20 +373,21 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) /** - * \brief Check usage of certificate against extendedKeyUsage. + * \brief Check usage of certificate against extendedKeyUsage. * - * \param crt Leaf certificate used. - * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). + * \param crt Leaf certificate used. + * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or + * MBEDTLS_OID_CLIENT_AUTH). * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). * - * \return 0 if this use of the certificate is allowed, - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. + * \return 0 if this use of the certificate is allowed, + * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. * - * \note Usually only makes sense on leaf certificates. + * \note Usually only makes sense on leaf certificates. */ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, - const char *usage_oid, - size_t usage_len ); + const char *usage_oid, + size_t usage_len ); #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ #if defined(MBEDTLS_X509_CRL_PARSE_C) From 1f35ca9471617a1478c8fa0e2486a70925580c40 Mon Sep 17 00:00:00 2001 From: Reuven Levin Date: Thu, 7 Dec 2017 10:09:32 +0000 Subject: [PATCH 06/12] Added alternated Diffie-Hellman module. 1. Add modified files dhm.c and dhm.h --- include/mbedtls/dhm.h | 11 +++++++++++ library/dhm.c | 5 ++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index d7ab1522e..6fd74731b 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -23,7 +23,15 @@ #ifndef MBEDTLS_DHM_H #define MBEDTLS_DHM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif #include "bignum.h" +#if !defined(MBEDTLS_DHM_ALT) + + /* * DHM Error codes @@ -290,6 +298,9 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ +#else +#include "dhm_alt.h" +#endif /* MBEDTLS_DHM_ALT */ /** * \brief Checkup routine diff --git a/library/dhm.c b/library/dhm.c index bec52a11d..6f8f021e5 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -57,6 +57,9 @@ #define mbedtls_free free #endif +#if !defined(MBEDTLS_DHM_ALT) + + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; @@ -577,7 +580,7 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ) } #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ - +#endif/*MBEDTLS_DHM_ALT*/ #if defined(MBEDTLS_SELF_TEST) static const char mbedtls_test_dhm_params[] = From 49762fa21fe4848d78439e812e1b8e8ba6998463 Mon Sep 17 00:00:00 2001 From: nirekh01 Date: Mon, 25 Dec 2017 06:46:48 +0000 Subject: [PATCH 07/12] Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h to support alternate DHM --- include/mbedtls/config.h | 2 ++ library/dhm.c | 3 ++- library/version_features.c | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 69e997f85..f8594b841 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -275,6 +275,8 @@ //#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT +//#define MBEDTLS_DHM_ALT + /* * When replacing the elliptic curve module, pleace consider, that it is * implemented with two .c files: diff --git a/library/dhm.c b/library/dhm.c index 6f8f021e5..882b30674 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -580,7 +580,8 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ) } #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ -#endif/*MBEDTLS_DHM_ALT*/ +#endif /* MBEDTLS_DHM_ALT */ + #if defined(MBEDTLS_SELF_TEST) static const char mbedtls_test_dhm_params[] = diff --git a/library/version_features.c b/library/version_features.c index 5cbe8aca3..000246edc 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -123,6 +123,9 @@ static const char *features[] = { #if defined(MBEDTLS_SHA512_ALT) "MBEDTLS_SHA512_ALT", #endif /* MBEDTLS_SHA512_ALT */ +#if defined(MBEDTLS_DHM_ALT) + "MBEDTLS_DHM_ALT", +#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_ECP_ALT) "MBEDTLS_ECP_ALT", #endif /* MBEDTLS_ECP_ALT */ From 08ba530bffe976ef5dd2de6c51326bc9ea762b2b Mon Sep 17 00:00:00 2001 From: nirekh01 Date: Thu, 28 Dec 2017 16:21:38 +0000 Subject: [PATCH 08/12] Remove some extra lines Remove some extra lines as was requested in code review --- include/mbedtls/dhm.h | 2 -- library/dhm.c | 2 -- 2 files changed, 4 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 6fd74731b..40916c661 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -31,8 +31,6 @@ #include "bignum.h" #if !defined(MBEDTLS_DHM_ALT) - - /* * DHM Error codes */ diff --git a/library/dhm.c b/library/dhm.c index 882b30674..cff095875 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -58,8 +58,6 @@ #endif #if !defined(MBEDTLS_DHM_ALT) - - /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; From d569ecfc2c7531159548d96c2d964744c2940b91 Mon Sep 17 00:00:00 2001 From: nirekh01 Date: Tue, 9 Jan 2018 16:43:21 +0000 Subject: [PATCH 09/12] Add some corrections based on code review -Add the DHM_ALT in an alphabetical order -Close correctly the 'extern "C" { ...' --- include/mbedtls/config.h | 3 ++- include/mbedtls/dhm.h | 11 ++++++++++- library/version_features.c | 6 +++--- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index f8594b841..2aa4686d9 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -267,6 +267,7 @@ //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT //#define MBEDTLS_DES_ALT +//#define MBEDTLS_DHM_ALT //#define MBEDTLS_XTEA_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT @@ -275,7 +276,7 @@ //#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT -//#define MBEDTLS_DHM_ALT + /* * When replacing the elliptic curve module, pleace consider, that it is diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 40916c661..f9725ab09 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -296,10 +296,19 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ -#else + +#ifdef __cplusplus +} +#endif + +#else /* MBEDTLS_DHM_ALT */ #include "dhm_alt.h" #endif /* MBEDTLS_DHM_ALT */ +#ifdef __cplusplus +extern "C" { +#endif + /** * \brief Checkup routine * diff --git a/library/version_features.c b/library/version_features.c index 000246edc..48bd42bcd 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -99,6 +99,9 @@ static const char *features[] = { #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ +#if defined(MBEDTLS_DHM_ALT) + "MBEDTLS_DHM_ALT", +#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_XTEA_ALT) "MBEDTLS_XTEA_ALT", #endif /* MBEDTLS_XTEA_ALT */ @@ -123,9 +126,6 @@ static const char *features[] = { #if defined(MBEDTLS_SHA512_ALT) "MBEDTLS_SHA512_ALT", #endif /* MBEDTLS_SHA512_ALT */ -#if defined(MBEDTLS_DHM_ALT) - "MBEDTLS_DHM_ALT", -#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_ECP_ALT) "MBEDTLS_ECP_ALT", #endif /* MBEDTLS_ECP_ALT */ From 980d203a6bcbe9e7cbc7f0022935f5dba21646f0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Jan 2018 23:10:53 +0100 Subject: [PATCH 10/12] Add ChangeLog entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index e7abd5ce6..38704bc50 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,7 @@ Bugfix * Fix leap year calculation in x509_date_is_valid() to ensure that invalid dates on leap years with 100 and 400 intervals are handled correctly. Found by Nicholas Wilson. #694 + * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. = mbed TLS 2.6.0 branch released 2017-08-10 From 26faa116305e675534d60263ec332713889abbeb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Jan 2018 23:13:22 +0100 Subject: [PATCH 11/12] Add ChangeLog entry --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2f0116bcf..99fb85dea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,8 @@ Bugfix Vranken. * Fix a numerical underflow leading to stack overflow in mpi_read_file() that was triggered uppon reading an empty line. Found by Guido Vranken. + * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. + Found and fixed by Martijn de Milliano. Changes * Send fatal alerts in more cases. The previous behaviour was to skip From 7a0c6b8e954a993386d349817cb055c59520f614 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Jan 2018 23:16:52 +0100 Subject: [PATCH 12/12] Add ChangeLog entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index d64f11e4c..24b655cf7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -61,6 +61,7 @@ Changes * Extend cert_write example program by options to set the CRT version and the message digest. Further, allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions. + * Add mechanism to provide alternative implementation of the DHM module. New deprecations * Deprecate usage of RSA primitives with non-matching key-type