Merge branch 'mbedtls-1.3' into development

* mbedtls-1.3:
  Include changes from the 1.2 branch
  Remove unused headers in o_p_test
  Add countermeasure against cache-based lucky 13
  Make results of (ext)KeyUsage accessible
  Fix missing NULL check in MPI
  Fix detection of getrandom()
  Fix "make install" handling of symlinks
  Fix bugs in programs displaying verify flags

Conflicts:
	Makefile
	include/polarssl/ssl.h
	library/entropy_poll.c
	library/ssl_srv.c
	library/ssl_tls.c
	programs/test/o_p_test.c
	programs/test/ssl_cert_test.c
	programs/x509/cert_app.c

ChangeLog

@@ -117,6 +117,11 @@ Features
      errors on use of deprecated functions.
 
 Bugfix
+   * mpi_size() and mpi_msb() would segfault when called on an mpi that is
+     initialized but not set (found by pravic).
+   * Fix detection of support for getrandom() on Linux (reported by syzzer) by
+     doing it at runtime (using uname) rather that compile time.
+   * Fix handling of symlinks by "make install" (found by Gaël PORTAY).
    * Fix potential NULL pointer dereference (not trigerrable remotely) when
      ssl_write() is called before the handshake is finished (introduced in
      1.3.10) (first reported by Martin Blumenstingl).
@@ -663,6 +668,67 @@ Security
    * RSA blinding on CRT operations to counter timing attacks
      (found by Cyril Arnaud and Pierre-Alain Fouque)
 
+
+= Version 1.2.14 released 2015-05-??
+
+Security
+   * Fix potential invalid memory read in the server, that allows a client to
+     crash it remotely (found by Caj Larsson).
+   * Fix potential invalid memory read in certificate parsing, that allows a
+     client to crash the server remotely if client authentication is enabled
+     (found using Codenomicon Defensics).
+   * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
+     https://dl.acm.org/citation.cfm?id=2714625
+
+Bugfix
+   * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
+   * Fix hardclock() (only used in the benchmarking program) with some
+     versions of mingw64 (found by kxjhlele).
+   * Fix warnings from mingw64 in timing.c (found by kxjklele).
+   * Fix potential unintended sign extension in asn1_get_len() on 64-bit
+     platforms (found with Coverity Scan).
+
+= Version 1.2.13 released 2015-02-16
+Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
+      this will be made in the 1.2 branch at this point.
+
+Security
+   * Fix remotely-triggerable uninitialised pointer dereference caused by
+     crafted X.509 certificate (TLS server is not affected if it doesn't ask
+     for a client certificate) (found using Codenomicon Defensics).
+   * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
+     (TLS server is not affected if it doesn't ask for a client certificate)
+     (found using Codenomicon Defensics).
+   * Fix potential stack overflow while parsing crafted X.509 certificates
+     (TLS server is not affected if it doesn't ask for a client certificate)
+     found using Codenomicon Defensics).
+   * Fix buffer overread of size 1 when parsing crafted X.509 certificates
+     (TLS server is not affected if it doesn't ask for a client certificate).
+
+Bugfix
+   * Fix potential undefined behaviour in Camellia.
+   * Fix memory leaks in PKCS#5 and PKCS#12.
+   * Stack buffer overflow if ctr_drbg_update() is called with too large
+     add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
+   * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
+     in 1.2.12).
+   * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
+     Peter Vaskovic).
+   * Fix assembly selection for MIPS64 (thanks to James Cowgill).
+   * ssl_get_verify_result() now works even if the handshake was aborted due
+     to a failed verification (found by Fredrik Axelsson).
+   * Skip writing and parsing signature_algorithm extension if none of the
+     key exchanges enabled needs certificates. This fixes a possible interop
+     issue with some servers when a zero-length extension was sent. (Reported
+     by Peter Dettman.)
+   * On a 0-length input, base64_encode() did not correctly set output length
+     (found by Hendrik van den Boogaard).
+
+Changes
+   * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
+   * Forbid repeated extensions in X.509 certificates.
+   * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
+     length of an X.509 verification chain (default = 8).
 = Version 1.2.12 released 2014-10-24
 
 Security

Makefile

@@ -22,7 +22,7 @@ install:
 	cp -r include/mbedtls $(DESTDIR)/include
 	
 	mkdir -p $(DESTDIR)/lib
-	cp library/libmbedtls.* $(DESTDIR)/lib
+	cp -RP library/libmbedtls.* $(DESTDIR)/lib
 	
 	mkdir -p $(DESTDIR)/bin
 	for p in programs/*/* ; do              \

include/mbedtls/bignum.h

@@ -150,7 +150,9 @@ typedef struct
 mbedtls_mpi;
 
 /**
- * \brief           Initialize one MPI
+ * \brief           Initialize one MPI (make internal references valid)
+ *                  This just makes it ready to be set or freed,
+ *                  but does not define a value for the MPI.
  *
  * \param X         One MPI to initialize.
  */

library/bignum.c

@@ -356,6 +356,9 @@ size_t mbedtls_mpi_msb( const mbedtls_mpi *X )
 {
     size_t i, j;
 
+    if( X->n == 0 )
+        return( 0 );
+
     for( i = X->n - 1; i > 0; i-- )
         if( X->p[i] != 0 )
             break;

library/entropy_poll.c

@@ -86,27 +86,46 @@ static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
 {
     return( syscall( SYS_getrandom, buf, buflen, flags ) );
 }
-#endif /* SYS_getrandom */
-#endif /* __linux__ */
 
-#if defined(HAVE_GETRANDOM)
-
-#include <errno.h>
-
-int mbedtls_platform_entropy_poll( void *data,
-                           unsigned char *output, size_t len, size_t *olen )
+#include <sys/utsname.h>
+/* Check if version is at least 3.17.0 */
+static int check_version_3_17_plus( void )
 {
-    int ret;
-    ((void) data);
+    int minor;
+    struct utsname un;
+    const char *ver;
 
-    if( ( ret = getrandom_wrapper( output, len, 0 ) ) < 0 )
-        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    /* Get version information */
+    uname(&un);
+    ver = un.release;
+
+    /* Check major version; assume a single digit */
+    if( ver[0] < '3' || ver[0] > '9' || ver [1] != '.' )
+        return( -1 );
+
+    if( ver[0] - '0' > 3 )
+        return( 0 );
+
+    /* Ok, so now we know major == 3, check minor.
+     * Assume 1 or 2 digits. */
+    if( ver[2] < '0' || ver[2] > '9' )
+        return( -1 );
+
+    minor = ver[2] - '0';
+
+    if( ver[3] >= '0' && ver[3] <= '9' )
+        minor = 10 * minor + ver[3] - '0';
+    else if( ver [3] != '.' )
+        return( -1 );
+
+    if( minor < 17 )
+        return( -1 );
 
-    *olen = ret;
     return( 0 );
 }
-
-#else /* HAVE_GETRANDOM */
+static int has_getrandom = -1;
+#endif /* SYS_getrandom */
+#endif /* __linux__ */
 
 #include <stdio.h>
 
@@ -117,6 +136,22 @@ int mbedtls_platform_entropy_poll( void *data,
     size_t ret;
     ((void) data);
 
+#if defined(HAVE_GETRANDOM)
+    if( has_getrandom == -1 )
+        has_getrandom = ( check_version_3_17_plus() == 0 );
+
+    if( has_getrandom )
+    {
+        int ret;
+
+        if( ( ret = getrandom_wrapper( output, len, 0 ) ) < 0 )
+            return( POLARSSL_ERR_ENTROPY_SOURCE_FAILED );
+
+        *olen = ret;
+        return( 0 );
+    }
+#endif /* HAVE_GETRANDOM */
+
     *olen = 0;
 
     file = fopen( "/dev/urandom", "rb" );
@@ -135,7 +170,6 @@ int mbedtls_platform_entropy_poll( void *data,
 
     return( 0 );
 }
-#endif /* HAVE_GETRANDOM */
 #endif /* _WIN32 && !EFIX64 && !EFI32 */
 #endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
 

programs/test/ssl_cert_test.c

@@ -176,12 +176,12 @@ int main( void )
                  char vrfy_buf[512];
 
                  mbedtls_printf( " failed\n" );
-                 mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
+                 mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
                  mbedtls_printf( "%s\n", vrfy_buf );
              }
              else
              {
-                mbedtls_printf( " failed\n  !  mbedtls_x509_crt_verify returned %d\n\n", flags );
+                mbedtls_printf( " failed\n  !  mbedtls_x509_crt_verify returned %d\n\n", ret );
                 goto exit;
             }
         }

tests/suites/test_suite_mpi.data

@@ -1,3 +1,6 @@
+Arguments with no value
+mpi_null:
+
 Base test mpi_read_write_string #1
 mpi_read_write_string:10:"128":10:"128":100:0:0
 

tests/suites/test_suite_mpi.function

@@ -7,6 +7,25 @@
  * END_DEPENDENCIES
  */
 
+/* BEGIN_CASE */
+void mpi_null( )
+{
+    mbedtls_mpi X, Y, Z;
+
+    mbedtls_mpi_init( &X );
+    mbedtls_mpi_init( &Y );
+    mbedtls_mpi_init( &Z );
+
+    TEST_ASSERT( mbedtls_mpi_get_bit( &X, 42 ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_lsb( &X ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_msb( &X ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_size( &X ) == 0 );
+
+exit:
+    mbedtls_mpi_free( &X );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void mpi_read_write_string( int radix_X, char *input_X, int radix_A,
                             char *input_A, int output_size, int result_read,