diff --git a/ChangeLog b/ChangeLog
index 948e4aa6a..1d7b95a45 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,11 +10,8 @@ API Changes
 available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
 * Test certificates in certs.c are no longer guaranteed to be nul-terminated strings; use the new *_len variables instead of strlen().
- * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
- argument (allowing memory savings if HMAC is not used)
 * Removed individual mdX_hmac and shaX_hmac functions (use generic md_hmac functions from md.h)
- * Change md_info_t into an opaque structure (use md_get_xxx() accessors).
 * Some constness fixes
 * Signature of mpi_mul_mpi() changed to make the last argument unsigned
 * Remove the PBKDF2 module (use PKCS5).
@@ -27,8 +24,16 @@ API Changes
 * net_connect() and net_bind() have a new 'proto' argument to choose between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
 * ssl_set_bio() now requires that p_send == p_recv.
+
+New deprecations
+ * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
+ argument (allowing memory savings if HMAC is not used)
 * ssl_set_bio() is deprecated in favor of ssl_set_bio_timeout().
+Semi-API changes (technically public, morally private)
+ * Change md_info_t into an opaque structure (use md_get_xxx() accessors).
+ * Remove sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
+
 Changes
 * Support for receiving SSLv2 ClientHello is now disabled by default at compile time.
diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index 6f4b65d56..28507a5f9 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -73,7 +73,7 @@ typedef struct _x509_crl
 x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
 int version; /**< CRL version (1=v1, 2=v2) */
- x509_buf sig_oid1;
+ x509_buf sig_oid; /**< CRL signature type identifier */
 x509_buf issuer_raw; /**< The raw issuer data (DER). */
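Review bot: The x509_crl.h section contains only this rename hunk, so `sig_oid2` appears to remain a member of `struct _x509_crl`, although the ChangeLog entry says it is removed from both x509_crt and x509_crl and x509_crl.c stops writing `crl->sig_oid2` in this same commit. If the member is still declared, any caller that reads it after parsing sees a buffer the parser never fills. Either delete the member here as x509_crt.h does, or keep it on purpose and say so, e.g. `x509_buf sig_oid2; /**< Unused: no longer set by x509_crl_parse_der() */`. The struct body continues outside the hunk, so the declaration itself is not visible here and this should be confirmed against the full header.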
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index fe1d97f65..4da8f84da 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -57,7 +57,7 @@ typedef struct _x509_crt
 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
 x509_buf serial; /**< Unique id for certificate issued by a specific CA. */
- x509_buf sig_oid1; /**< Signature algorithm, e.g. sha1RSA */
+ x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */
 x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
 x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
@@ -85,7 +85,6 @@ typedef struct _x509_crt
 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
- x509_buf sig_oid2; /**< Signature algorithm. Must match sig_oid1. */
 x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
 md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
 pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */
diff --git a/library/x509_crl.c b/library/x509_crl.c
index afba7b2e8..7d1693b23 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -260,7 +260,7 @@ int x509_crl_parse_der( x509_crl *chain,
 int ret;
 size_t len;
 unsigned char *p, *end;
- x509_buf sig_params1, sig_params2;
+ x509_buf sig_params1, sig_params2, sig_oid2;
 x509_crl *crl = chain;
 /*
@@ -271,6 +271,7 @@ int x509_crl_parse_der( x509_crl *chain,
 memset( &sig_params1, 0, sizeof( x509_buf ) );
 memset( &sig_params2, 0, sizeof( x509_buf ) );
+ memset( &sig_oid2, 0, sizeof( x509_buf ) );
 /*
 * Add new CRL on the end of the chain if needed.
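Review bot: In the `@@ -260,7` hunk of x509_crl.c the new local `sig_oid2` is declared next to `sig_params1`/`sig_params2` with no comment, and after the rename there is no `sig_oid1` left to explain the numbering. A one-line comment above the declaration would keep the purpose of the pair visible to the next reader of this parser: `/* sig_params1 belongs to crl->sig_oid; sig_oid2/sig_params2 hold the second AlgorithmIdentifier and exist only for the match check */`. The same applies to the identical declaration in the `@@ -541,10` hunk of x509_crt_parse_der_core(). The function body continues outside both hunks.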
@@ -347,7 +348,7 @@ int x509_crl_parse_der( x509_crl *chain,
 * signature AlgorithmIdentifier
 */
 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
- ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params1 ) ) != 0 )
+ ( ret = x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
 {
 x509_crl_free( crl );
 return( ret );
@@ -361,7 +362,7 @@ int x509_crl_parse_der( x509_crl *chain,
 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
 }
- if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
+ if( ( ret = x509_get_sig_alg( &crl->sig_oid, &sig_params1,
 &crl->sig_md, &crl->sig_pk, &crl->sig_opts ) ) != 0 )
 {
@@ -453,14 +454,14 @@ int x509_crl_parse_der( x509_crl *chain,
 * signatureAlgorithm AlgorithmIdentifier,
 * signatureValue BIT STRING
 */
- if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params2 ) ) != 0 )
+ if( ( ret = x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
 {
 x509_crl_free( crl );
 return( ret );
 }
- if( crl->sig_oid1.len != crl->sig_oid2.len ||
- memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ||
+ if( crl->sig_oid.len != sig_oid2.len ||
+ memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
 sig_params1.len != sig_params2.len ||
 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
 {
@@ -683,7 +684,7 @@ int x509_crl_info( char *buf, size_t size, const char *prefix,
 ret = polarssl_snprintf( p, n, "\n%ssigned using : ", prefix );
 SAFE_SNPRINTF();
- ret = x509_sig_alg_gets( p, n, &crl->sig_oid1, crl->sig_pk, crl->sig_md,
+ ret = x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
 crl->sig_opts );
 SAFE_SNPRINTF();
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 013f07078..03e64886e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
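Review bot: The match check rewritten in the `@@ -453,14` hunk still ends with an unconditional `memcmp( sig_params1.p, sig_params2.p, sig_params1.len )`. Both buffers are zeroed by memset earlier in the function, so if x509_get_alg() leaves them untouched when the AlgorithmIdentifier has no parameters (its body is not visible here), this passes null pointers with length 0, which the C standard leaves undefined. Since the condition is being edited anyway, guard that term: `( sig_params1.len != 0 && memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )`. The identical condition in the `@@ -749,14` hunk of x509_crt.c needs the same change. This is the check that rejects a CRL or certificate whose two signature algorithm fields disagree, so it should not rest on behaviour a compiler is free to optimise around.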
@@ -541,10 +541,11 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf,
 int ret;
 size_t len;
 unsigned char *p, *end, *crt_end;
- x509_buf sig_params1, sig_params2;
+ x509_buf sig_params1, sig_params2, sig_oid2;
 memset( &sig_params1, 0, sizeof( x509_buf ) );
 memset( &sig_params2, 0, sizeof( x509_buf ) );
+ memset( &sig_oid2, 0, sizeof( x509_buf ) );
 /*
 * Check for valid input
@@ -553,7 +554,6 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf,
 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
 p = polarssl_malloc( len = buflen );
-
 if( p == NULL )
 return( POLARSSL_ERR_X509_MALLOC_FAILED );
@@ -608,7 +608,7 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf,
 */
 if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 ||
 ( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 ||
- ( ret = x509_get_alg( &p, end, &crt->sig_oid1,
+ ( ret = x509_get_alg( &p, end, &crt->sig_oid,
 &sig_params1 ) ) != 0 )
 {
 x509_crt_free( crt );
@@ -623,7 +623,7 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf,
 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
 }
- if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &sig_params1,
+ if( ( ret = x509_get_sig_alg( &crt->sig_oid, &sig_params1,
 &crt->sig_md, &crt->sig_pk, &crt->sig_opts ) ) != 0 )
 {
@@ -749,14 +749,14 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf,
 * signatureAlgorithm AlgorithmIdentifier,
 * signatureValue BIT STRING
 */
- if( ( ret = x509_get_alg( &p, end, &crt->sig_oid2, &sig_params2 ) ) != 0 )
+ if( ( ret = x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
 {
 x509_crt_free( crt );
 return( ret );
 }
- if( crt->sig_oid1.len != crt->sig_oid2.len ||
- memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 ||
+ if( crt->sig_oid.len != sig_oid2.len ||
+ memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
 sig_params1.len != sig_params2.len ||
 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
 {
@@ -1304,7 +1304,7 @@ int x509_crt_info( char *buf, size_t size, const char *prefix,
 ret = polarssl_snprintf( p, n, "\n%ssigned using : ", prefix );
 SAFE_SNPRINTF();
- ret = x509_sig_alg_gets( p, n, &crt->sig_oid1, crt->sig_pk,
+ ret = x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
 crt->sig_md, crt->sig_opts );
 SAFE_SNPRINTF();