Manuel Pégourié-Gonnard
b39528e2e8
Disable MD5 in handshake signatures by default
2015-12-04 15:13:36 +01:00
Manuel Pégourié-Gonnard
013198f30f
DTLS: avoid dropping too many records
...
When the peer retransmits a flight with many records in the same datagram, and
we already saw one of the records in that datagram, we used to drop the whole
datagram, resulting in interoperability failure (spurious handshake timeouts,
due to ignoring records retransmitted by the peer) with some implementations
(issues with Chrome were reported).
So in those cases, we want to only drop the current record, and look at the
following records (if any) in the same datagram. OTOH, this is not something
we always want to do, as sometimes the header of the current record is not
reliable enough.
This commit introduces a new return code for ssl_parse_header() that allows us to
distinguish whether we should drop only the current record or the whole datagram,
and uses it in mbedtls_ssl_read_record().
fixes #345
2015-12-03 19:22:55 +01:00
Manuel Pégourié-Gonnard
5a8396ed55
Fix two more compiler warnings
...
- declaration after statement
- always true comparison due to limited range of operand
2015-12-03 19:09:23 +01:00
Manuel Pégourié-Gonnard
3eab29adc8
Fix potential integer overflow in prev. commit
...
Found by Clang's -Wshift-count-overflow
2015-12-03 19:09:21 +01:00
Simon Butcher
ea303e3ece
Added integer divide by as separate function
...
Added 64bit integer divided by 32bit integer, with remainder
2015-11-26 23:43:34 +00:00
Manuel Pégourié-Gonnard
d847f1f46a
Fix ChangeLog
2015-11-19 12:17:17 +01:00
Manuel Pégourié-Gonnard
b030c33e57
Fix bug checking pathlen on first intermediate
...
Remove check on the pathLenConstraint value when looking for a parent to the
EE cert, as the constraint is on the number of intermediate certs below the
parent, and that number is always 0 at that point, so the constraint is always
satisfied.
The check was actually off-by-one, which caused valid chains to be rejected
under the following conditions:
- the parent certificate is not a trusted root, and
- it has pathLenConstraint == 0 (max_pathlen == 1 in our representation)
fixes #280
2015-11-19 11:26:52 +01:00
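The counting rule described in the commit message above, as an added example that is not mbed TLS code. `pathlen_ok` and its array layout are hypothetical; `max_pathlen` uses the representation the message names (pathLenConstraint + 1), with 0 assumed to mean that no constraint is present.

```c
#include <stddef.h>

/*
 * Added illustration, not mbed TLS code.
 * ca_max_pathlen[0] belongs to the CA that issued the end-entity (EE)
 * certificate, the last entry to the root. Each value is
 * pathLenConstraint + 1; 0 is assumed to mean "no constraint present".
 */
static int pathlen_ok(const int *ca_max_pathlen, size_t n_cas)
{
    for (size_t i = 0; i < n_cas; i++) {
        int max_pathlen = ca_max_pathlen[i];
        size_t below = i; /* intermediate CA certs between this CA and the EE */

        if (max_pathlen == 0)
            continue;     /* unconstrained */
        if (max_pathlen < 0)
            return 0;     /* malformed input */
        if (below > (size_t) max_pathlen - 1)
            return 0;     /* more intermediates than the constraint allows */
    }
    return 1;
}

/* Constructed chains mirroring the test certificates described on this page. */
static const int chain_root9_ee92[] = { 1 };          /* root with pathLenConstraint 0 */
static const int chain_root8_int82_ee83[] = { 1, 0 }; /* Int 82 constrained to 0, Root 8 free */
static const int chain_extra_ca[] = { 0, 1, 0 };      /* a CA sits below a pathLenConstraint-0 CA */

int main(void)
{
    /* The issuer of the EE always has zero intermediates below it, so a
     * pathLenConstraint of 0 on that issuer is always satisfied. */
    int ok = pathlen_ok(chain_root9_ee92, 1) == 1
          && pathlen_ok(chain_root8_int82_ee83, 2) == 1
          && pathlen_ok(chain_extra_ca, 3) == 0;
    return ok ? 0 : 1;
}
```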
Manuel Pégourié-Gonnard
3cb2074a82
Add test case for root with max_pathlen=0
...
This was already working but not tested so far
(Test case from previous commit still failing.)
Test certificates generated with:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert91.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert92.key
programs/x509/cert_write serial=91 output_file=cert91.crt is_ca=1 \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
selfsign=1 max_pathlen=0
programs/x509/cert_write serial=92 output_file=cert92.crt \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
subject_key=cert92.key subject_name="CN=EE 92,O=mbed TLS,C=UK"
mv cert9?.crt tests/data_files/dir4
rm cert9?.key
2015-11-19 11:25:30 +01:00
Manuel Pégourié-Gonnard
922cd9ba36
Add test case for first intermediate max_pathlen=0
...
!!! This test case is currently failing !!!
(See fix in next-next commit.)
Test certificates generated with the following script:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert81.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert82.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert83.key
programs/x509/cert_write serial=81 output_file=cert81.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
selfsign=1
programs/x509/cert_write serial=82 output_file=cert82.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
subject_key=cert82.key subject_name="CN=Int 82,O=mbed TLS,C=UK" \
max_pathlen=0
programs/x509/cert_write serial=83 output_file=cert83.crt \
issuer_key=cert82.key issuer_name="CN=Int 82,O=mbed TLS,C=UK" \
subject_key=cert83.key subject_name="CN=EE 83,O=mbed TLS,C=UK"
mv cert8?.crt tests/data_files/dir4
rm cert8?.key
2015-11-19 11:25:27 +01:00
Simon Butcher
ef43d41f67
Changed version number to 2.1.3
...
Changed for library
2015-11-04 22:08:33 +00:00
Simon Butcher
5b289208cb
Remove debugging code left in test case
...
Removed debug code from tests/suites/test_suite_x509parse.function
2015-11-04 21:50:54 +00:00
Simon Butcher
73156357ed
Disable Yotta tests from 'all tests' script
...
Yotta tests not supported in 2.1 branch
2015-11-04 00:36:30 +00:00
Simon Butcher
b2d2fec5a4
Corrected typo in ChangeLog
2015-11-03 23:12:36 +00:00
Manuel Pégourié-Gonnard
c28240596a
Fix other int casts in bounds checking
...
Not a security issue as here we know the buffer is large enough (unless
something else is badly wrong in the code), and the value cast to int is less
than 2^16 (again, unless issues elsewhere).
Still changing to a more correct check as a matter of principle
2015-11-02 10:43:03 +09:00
Manuel Pégourié-Gonnard
5784dd5ac8
Fix other occurrences of same bounds check issue
...
Security impact is the same: not triggerable remotely except in very specific
use cases
2015-11-02 10:43:03 +09:00
Manuel Pégourié-Gonnard
0d66bb959f
Fix potential buffer overflow in asn1write
2015-11-02 10:42:44 +09:00
Manuel Pégourié-Gonnard
9dc66f4b2f
Fix potential heap corruption on Windows
...
If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.
2015-11-02 10:41:13 +09:00
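The failure mode named in the commit message above, as an added example that is not mbed TLS code. `DEMO_MAX_PATH`, the two predicates and `build_search_pattern` are hypothetical; the assumption is that the three reserved bytes hold a separator, a wildcard and the terminating NUL.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

#define DEMO_MAX_PATH 260 /* assumption: stands in for the Windows MAX_PATH */

/* Shape of the check when len is narrowed to int first. Only the decision
 * is returned; nothing is copied here. */
static int accepts_with_int_cast(size_t len)
{
    int n = (int) len; /* out-of-range values wrap negative on common ABIs */
    return !(n > DEMO_MAX_PATH - 3);
}

/* Corrected shape: compare in the unsigned type of len. */
static int accepts_with_size_t(size_t len)
{
    return !(len > (size_t) DEMO_MAX_PATH - 3);
}

/* Hypothetical consumer of the check: writes "<path>\*" into a fixed
 * buffer. Returns the string length, or -1 if path does not fit. */
static int build_search_pattern(char out[DEMO_MAX_PATH],
                                const char *path, size_t len)
{
    if (len > (size_t) DEMO_MAX_PATH - 3)
        return -1;
    memcpy(out, path, len);
    out[len++] = '\\';
    out[len++] = '*';
    out[len] = '\0';
    return (int) len;
}

int main(void)
{
    char out[DEMO_MAX_PATH];
    size_t huge = (size_t) INT_MAX + 1; /* constructed oversized length */

    /* The narrowed check lets the oversized length through; the size_t
     * check rejects it. */
    int ok = accepts_with_int_cast(huge) == 1
          && accepts_with_size_t(huge) == 0
          && build_search_pattern(out, "C:\\certs", 8) == 10;
    return ok ? 0 : 1;
}
```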
Manuel Pégourié-Gonnard
ffb8180733
Fix potential double-free in ssl_conf_psk()
2015-11-02 10:40:14 +09:00
Manuel Pégourié-Gonnard
e34dcd7ec5
Use own implementation of strsep()
...
Not available on windows, and strtok() is not a good option
2015-11-02 06:48:40 +09:00
Manuel Pégourié-Gonnard
1cf8851a77
Add ChangeLog entry for ASN.1 DER boolean fix
2015-11-02 06:00:38 +09:00
Jonathan Leroy
e03fa7c16a
Test certificate "Server1 SHA1, key_usage" reissued.
2015-11-02 05:58:58 +09:00
Jonathan Leroy
00c6b3c35a
Fix boolean values according to DER specs
...
In BER encoding, any boolean with a non-zero value is considered as
TRUE. However, DER encoding requires a value of 255 (0xFF) for TRUE.
This commit makes the `mbedtls_asn1_write_bool` function use `255` instead
of `1` for BOOLEAN values.
With this fix, boolean values are now recognized by OS X keychain (tested
on OS X 10.11).
Fixes #318 .
2015-11-02 05:58:43 +09:00
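The BER/DER difference described in the commit message above, as an added example that is not mbed TLS code. `write_bool_tlv`, `read_bool_tlv` and the sample bytes are hypothetical and constructed here; they do not reproduce the signature of `mbedtls_asn1_write_bool`.

```c
#include <stddef.h>

#define ASN1_TAG_BOOLEAN 0x01

/* Write a BOOLEAN as tag, length, value using the DER content octet for
 * TRUE (0xFF). Returns the number of bytes written, or -1 if buf is short. */
static int write_bool_tlv(unsigned char *buf, size_t size, int value)
{
    if (size < 3)
        return -1;
    buf[0] = ASN1_TAG_BOOLEAN;
    buf[1] = 0x01;                /* one content octet */
    buf[2] = value ? 0xFF : 0x00;
    return 3;
}

/* Read a BOOLEAN. With strict_der == 0 the BER rule applies (any non-zero
 * octet is TRUE); with strict_der != 0 only 0x00 and 0xFF are accepted. */
static int read_bool_tlv(const unsigned char *buf, size_t len,
                         int strict_der, int *value)
{
    if (len != 3 || buf[0] != ASN1_TAG_BOOLEAN || buf[1] != 0x01)
        return -1;
    if (strict_der && buf[2] != 0x00 && buf[2] != 0xFF)
        return -1;
    *value = (buf[2] != 0x00);
    return 0;
}

/* Constructed sample: TRUE encoded with content octet 1, the value the
 * commit message says was written before the fix. */
static const unsigned char legacy_true[] = { 0x01, 0x01, 0x01 };

int main(void)
{
    unsigned char buf[3];
    int v = 0;

    /* A lenient BER reader accepts the legacy bytes; a strict DER reader
     * rejects them and accepts only the 0xFF form. */
    int ok = write_bool_tlv(buf, sizeof(buf), 1) == 3
          && read_bool_tlv(buf, sizeof(buf), 1, &v) == 0 && v == 1
          && read_bool_tlv(legacy_true, sizeof(legacy_true), 0, &v) == 0
          && read_bool_tlv(legacy_true, sizeof(legacy_true), 1, &v) == -1;
    return ok ? 0 : 1;
}
```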
Jonathan Leroy
3dd85ddfdf
cert_write : fix "Destination buffer is too small" error
...
This commit fixes the `Destination buffer is too small` error returned
by `mbedtls_cert_write` command when the values of `subject_name` or
`issuer_name` parameters exceed 128 characters.
I have increased the size of these variables from 128 to 256 characters,
but I don't know if it's the best way to solve this issue...
Fixes #315 .
2015-11-02 05:58:30 +09:00
Manuel Pégourié-Gonnard
621f83e5c5
Fix typo in an OID name
...
fixes #314
2015-11-02 05:58:10 +09:00
Manuel Pégourié-Gonnard
7a40dc686f
Disable reportedly broken assembly of Sparc(64)
...
fixes #292
2015-11-02 05:57:49 +09:00
Manuel Pégourié-Gonnard
e55448a50f
Add Changelog entries for max_pathlen fixes
2015-11-02 05:56:57 +09:00
Manuel Pégourié-Gonnard
1d9348a06f
Fix a style issue
2015-11-02 05:56:08 +09:00
Manuel Pégourié-Gonnard
fd1f9e735e
Fix whitespace at EOL issues
2015-11-02 05:55:58 +09:00
Manuel Pégourié-Gonnard
841caf1b74
Use symbolic constants in test data
2015-11-02 05:55:39 +09:00
Janos Follath
860f239eb9
Fixed pathlen constraint enforcement.
2015-11-02 05:55:28 +09:00
Janos Follath
36f1234d96
Additional corner cases for testing pathlen constraints. Just in case.
2015-11-02 05:55:15 +09:00
Janos Follath
c7bea3158a
Added test case for pathlen constraints in intermediate certificates
2015-11-02 05:55:02 +09:00
Jonathan Leroy
1f8c20ac9a
Fix help message for cert_req/cert_write programs
...
In cert_req and cert_write programs, "key_certificate_sign" is not an
allowed value for "key_usage" parameter. The correct value is
"key_cert_sign".
See https://github.com/ARMmbed/mbedtls/blob/development/programs/x509/cert_req.c#L208
and https://github.com/ARMmbed/mbedtls/blob/development/programs/x509/cert_write.c#L323 .
2015-10-30 16:56:44 +01:00
Manuel Pégourié-Gonnard
d13585f1b3
Small improvement to test script
2015-10-30 16:56:30 +01:00
Manuel Pégourié-Gonnard
9f44a80ea3
Try to prevent some misuse of RSA functions
...
fixes #331
2015-10-30 10:57:43 +01:00
Manuel Pégourié-Gonnard
8f115968da
Pick up ChangeLog fixes from development
2015-10-28 13:55:28 +01:00
Manuel Pégourié-Gonnard
a7f0a42101
Mention new test script in Readme
2015-10-28 13:42:14 +01:00
Manuel Pégourié-Gonnard
93080dfacf
Fix missing check for RSA key length on EE certs
...
- also adapt tests to use lesser requirement for compatibility with old
testing material
2015-10-28 13:22:32 +01:00
Simon Butcher
94c5e3c654
Fixed typo in comment
2015-10-28 13:21:12 +01:00
Manuel Pégourié-Gonnard
722da74cfc
Fix attribution in ChangeLog
2015-10-28 13:20:16 +01:00
Manuel Pégourié-Gonnard
a314076486
Fix handling of non-fatal alerts
...
fixes #308
2015-10-28 13:19:55 +01:00
Manuel Pégourié-Gonnard
134ca18fbc
Add key-exchanges.pl to test list
2015-10-28 13:17:18 +01:00
Manuel Pégourié-Gonnard
fe3affdad2
Add -Werror to reduced configs test scripts
2015-10-28 13:17:08 +01:00
Manuel Pégourié-Gonnard
5baec9050e
Fix warning in some reduced configs
2015-10-28 13:16:56 +01:00
Manuel Pégourié-Gonnard
f9945bc283
Fix #ifdef inconsistency
...
fixes #310
Actually all key exchanges that use a certificate use signatures too, and
there is no key exchange that uses signatures but no cert, so merge those two
flags.
Conflicts:
ChangeLog
2015-10-28 13:16:33 +01:00
Manuel Pégourié-Gonnard
4b56e755af
Add script to test configs with single key exchanges
2015-10-28 13:15:23 +01:00
Manuel Pégourié-Gonnard
1cb668cf0f
ECDHE-PSK does not use a certificate
...
fixes #270
2015-10-28 13:15:12 +01:00
Manuel Pégourié-Gonnard
d113b8e89d
Move all KEY_EXCHANGE__ definitions in one place
2015-10-28 13:15:01 +01:00
Manuel Pégourié-Gonnard
5ce77da2b3
Mention performance fix in ChangeLog
2015-10-27 10:35:02 +01:00
Manuel Pégourié-Gonnard
00992d45c0
Optimize more common cases in ecp_muladd()
2015-10-27 10:30:36 +01:00