Commit Graph

6060 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
5a9f46e57c x509: CRL: reject unsupported critical extensions 2018-03-14 09:24:12 +01:00
Jaeden Amero
1a6ddb4382 Merge branch 'mbedtls-2.7' into mbedtls-2.7-restricted 2018-03-13 17:28:20 +00:00
Gilles Peskine
6013004fa9 Note in the changelog that this fixes an interoperability issue.
Fixes #1339
2018-03-13 17:27:53 +00:00
Gilles Peskine
427ff4836c Merge remote-tracking branch 'upstream-public/pr/1219' into mbedtls-2.7-proposed 2018-03-12 23:52:24 +01:00
Gilles Peskine
c5671bdcf4 Merge remote-tracking branch 'upstream-public/pr/778' into mbedtls-2.7-proposed 2018-03-12 23:44:56 +01:00
Gilles Peskine
4668d8359c Merge remote-tracking branch 'upstream-public/pr/1241' into mbedtls-2.7-proposed 2018-03-12 23:42:46 +01:00
Gilles Peskine
b21a085bae Show build modes in code font
This clarifies that it's the string to type and not just some
description of it.
2018-03-12 13:12:34 +01:00
Gilles Peskine
8eda5ec8b4 Merge branch 'pr_1408' into mbedtls-2.7-proposed 2018-03-11 00:48:18 +01:00
Gilles Peskine
4848b97bc7 Merge remote-tracking branch 'upstream-public/pr/1249' into mbedtls-2.7-proposed 2018-03-11 00:48:17 +01:00
Gilles Peskine
dd7f5b9a37 Merge remote-tracking branch 'upstream-public/pr/1079' into mbedtls-2.7-proposed 2018-03-11 00:48:17 +01:00
Gilles Peskine
7b7c64424f Merge remote-tracking branch 'upstream-public/pr/1012' into mbedtls-2.7-proposed 2018-03-11 00:48:17 +01:00
Gilles Peskine
158fc33368 Merge remote-tracking branch 'upstream-public/pr/1296' into HEAD 2018-03-11 00:47:54 +01:00
Gilles Peskine
3f1b89d251 This fixes #664 2018-03-11 00:35:39 +01:00
Gilles Peskine
0ee482c82c Fix grammar in ChangeLog entry 2018-03-11 00:18:50 +01:00
Gilles Peskine
c0826f1625 Merge remote-tracking branch 'upstream-public/pr/936' into mbedtls-2.7-proposed 2018-03-10 23:48:10 +01:00
Gilles Peskine
9c4f4038dd Add changelog entry 2018-03-10 23:36:30 +01:00
itayzafrir
33d8e3335f Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
2018-03-05 09:46:21 +02:00
Gilles Peskine
f936cb1c1b Add attribution for #1351 report 2018-02-27 10:21:45 +01:00
Jaeden Amero
6a4e22c26c Update version to 2.7.1 2018-02-26 10:53:47 +00:00
Gilles Peskine
3f9cff20d7 Merge branch 'prr_424' into mbedtls-2.7-proposed 2018-02-22 16:07:32 +01:00
Hanno Becker
e80cd463ef Adapt version_features.c 2018-02-22 15:02:47 +00:00
Gilles Peskine
30c3433183 Merge remote-tracking branch 'upstream-public/pr/1393' into mbedtls-2.7-proposed 2018-02-22 15:44:24 +01:00
Gilles Peskine
e2bada976e Merge remote-tracking branch 'upstream-public/pr/1392' into mbedtls-2.7-proposed 2018-02-22 15:44:14 +01:00
Gilles Peskine
04f9bd028f Note incompatibility of truncated HMAC extension in ChangeLog
The change in the truncated HMAC extension aligns Mbed TLS with the
standard, but breaks interoperability with previous versions. Indicate
this in the ChangeLog, as well as how to restore the old behavior.
2018-02-22 15:41:26 +01:00
Jaeden Amero
3a11404fcb Add LinkLibraryDependencies to VS2010 app template
Add mbedTLS.vcxproj to the VS2010 application template so that the next
time we auto-generate the application project files, the
LinkLibraryDependencies for mbedTLS.vcxproj are maintained.

Fixes #1347
2018-02-22 12:22:21 +00:00
Gilles Peskine
4945192099 Add ChangeLog entry for PR #1382 2018-02-22 10:23:13 +00:00
Jaeden Amero
a0d60a4dbc Add ChangeLog entry for PR #1384 2018-02-22 08:28:10 +00:00
Krzysztof Stachowiak
31f0a3b827 Have Visual Studio handle linking to mbedTLS.lib internally
Fixes #1347
2018-02-22 08:28:10 +00:00
Jaeden Amero
a53ff8d088 MD: Make deprecated functions not inline
In 2.7.0, we replaced a number of MD functions with deprecated inline
versions. This causes ABI compatibility issues, as the functions are no
longer guaranteed to be callable when built into a shared library.
Instead, deprecate the functions without also inlining them, to help
maintain ABI backwards compatibility.
2018-02-22 08:20:42 +00:00
Gilles Peskine
420386d61d Merge branch 'pr_1352' into mbedtls-2.7-proposed 2018-02-20 16:40:50 +01:00
Gilles Peskine
200b24fdf8 Mention in ChangeLog that this fixes #1351 2018-02-20 16:40:11 +01:00
Gilles Peskine
1e3fd69777 Merge remote-tracking branch 'upstream-public/pr/1333' into development-proposed 2018-02-14 15:12:49 +01:00
Gilles Peskine
49ac5d06ed Merge branch 'pr_1365' into development-proposed 2018-02-14 14:36:44 +01:00
Gilles Peskine
27b0754501 Add ChangeLog entries for PR #1168 and #1362 2018-02-14 14:36:33 +01:00
Gilles Peskine
5daa76537a Add ChangeLog entry for PR #1165 2018-02-14 14:10:24 +01:00
Paul Sokolovsky
8d6d8c84b1 ctr_drbg: Typo fix in the file description comment.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-10 11:11:41 +02:00
Jaeden Amero
6d6c7982ce Merge remote-tracking branch 'upstream-public/pr/1362' into development 2018-02-08 17:02:31 +00:00
Jaeden Amero
69f3072553 Merge remote-tracking branch 'upstream-public/pr/1168' into development 2018-02-08 15:18:52 +00:00
Jaeden Amero
129f50838b dhm: Fix typo in RFC 5114 constants
We accidentally named the constant MBEDTLS_DHM_RFC5114_MODP_P instead of
MBEDTLS_DHM_RFC5114_MODP_2048_P.

Fixes #1358
2018-02-08 14:29:14 +00:00
Antonio Quartulli
8d7d1ea9f6
tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
Extend the pkparse test suite with the newly created keys
encrypted using PKCS#8 with PKCS#5 v2.0 with PRF being
SHA224, 256, 384 and 512.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:20 +08:00
Antonio Quartulli
f476b9d98c
data_files/pkcs8-v2: add keys generated with PRF != SHA1
We now have support for the entire SHA family to be used as
PRF in PKCS#5 v2.0, therefore we need to add new keys to test
these new functionalities.

This patch adds the new keys in `tests/data_files` and
commands to generate them in `tests/data_files/Makefile`.

Note that the pkcs8 command in OpenSSL 1.0 called with
the -v2 argument generates keys using PKCS#5 v2.0 with SHA1
as PRF by default.

(This behaviour has changed in OpenSSL 1.1, where the exact same
command instead uses PKCS#5 v2.0 with SHA256)

The new keys are generated by specifying different PRFs with
-v2prf.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli
bfa440e9fb
tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
Some unit tests for pbkdf2_hmac() have results longer than
99bytes when represented in hexadecimal form.

For this reason extend the result array to accommodate
longer strings.

At the same time make memset() parametric to avoid
bugs in the future.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli
e87e885756
tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
Test vectors for SHA224,256,384 and 512 have been
generated using Python's hashlib module by the
following oneliner:

import binascii, hashlib
binascii.hexlify(hashlib.pbkdf2_hmac(ALGO, binascii.unhexlify('PASSWORD'), binascii.unhexlify('SALT'), ITER, KEYLEN)))

where ALGO was 'sha224', 'sha256', 'sha384' and 'sha512'
respectively.

Values for PASSWORD, SALT, ITER and KEYLEN were copied from the
existent test vectors for SHA1.

For SHA256 we also have two test vectors coming from RFC7914 Sec 11.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli
12ccef2761
pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:15 +08:00
Mathieu Briand
ffb6efd383 Fix doxygen documentation for CCM encryption
Fix valid tag length values for mbedtls_ccm_encrypt_and_tag() function.
Add valid value ranges for mbedtls_ccm_auth_decrypt() parameters.

Signed-off-by: Mathieu Briand <mbriand@witekio.com>
2018-02-07 10:29:27 +01:00
Ron Eldor
c15399843e Add some tests for different available profiles
Add tests for suite b profile and for the next profile
2018-02-06 18:47:17 +02:00
Ron Eldor
099e61df52 Rephrase Changelog
Rephrase Changelog to be more coherent to users
2018-02-06 17:34:27 +02:00
Ron Eldor
85e1dcff6a Fix handshake failure in suite B
Fix handshake failure where PK key is translated as `MBEDTLS_ECKEY`
instead of `MBEDTLS_ECDSA`
2018-02-06 15:59:38 +02:00
Jaeden Amero
32605dc830 Merge remote-tracking branch 'upstream-restricted/pr/451' into development-restricted 2018-02-05 11:36:59 +00:00
Jaeden Amero
d79bce1d4e Merge remote-tracking branch 'upstream-restricted/pr/452' into development-restricted 2018-02-05 08:49:51 +00:00