Commit Graph

2578 Commits

Author SHA1 Message Date
Gilles Peskine
2a74061198 Merge tag 'mbedtls-2.1.11' into iotssl-1381-x509-verify-refactor-2.1-restricted
Conflict resolution:

* ChangeLog
* tests/data_files/Makefile: concurrent additions, order irrelevant
* tests/data_files/test-ca.opensslconf: concurrent additions, order irrelevant
* tests/scripts/all.sh: one comment change conflicted with a code
  addition. In addition some of the additions in the
  iotssl-1381-x509-verify-refactor-restricted branch need support for
  keep-going mode, this will be added in a subsequent commit.
2018-03-23 02:28:33 +01:00
Jaeden Amero
1c986a9859 Update version to 2.1.11 2018-03-16 16:29:30 +00:00
Jaeden Amero
7f44963f45 Merge remote-tracking branch 'upstream-public/pr/1455' into mbedtls-2.1-restricted-proposed 2018-03-15 15:24:47 +00:00
Ron Eldor
329e4d572b Addres review comments
Resolves comments raised in the review
2018-03-15 15:09:28 +00:00
Ron Eldor
f71ce5229e Add log and fix stle issues
Address Andres comments of PR
2018-03-15 15:09:28 +00:00
Ron Eldor
82712a9c97 Write correct number of ciphersuites in log
Change location of log, to fit the correct number of used ciphersuites
2018-03-15 15:09:28 +00:00
Jaeden Amero
23f503f12d Merge remote-tracking branch 'upstream-restricted/pr/465' into mbedtls-2.1-restricted-proposed 2018-03-14 18:32:21 +00:00
Jaeden Amero
5e50ff8f44 Merge remote-tracking branch 'upstream-restricted/pr/395' into mbedtls-2.1-restricted-proposed 2018-03-14 18:16:29 +00:00
Jaeden Amero
10a1a60966 Merge branch 'mbedtls-2.1-proposed' into mbedtls-2.1-restricted-proposed 2018-03-14 18:03:41 +00:00
Jaeden Amero
0980d9a3ae Merge remote-tracking branch 'upstream-public/pr/1450' into mbedtls-2.1-proposed 2018-03-14 17:53:27 +00:00
Jaeden Amero
4e3629590f Merge remote-tracking branch 'upstream-public/pr/1452' into mbedtls-2.1-proposed 2018-03-14 17:38:21 +00:00
Krzysztof Stachowiak
c86b880411 Prevent arithmetic overflow on bounds check 2018-03-14 14:39:01 +01:00
Krzysztof Stachowiak
ce0d3ca128 Add bounds check before signature length read 2018-03-14 14:39:01 +01:00
Krzysztof Stachowiak
0e0afacbc5 Prevent arithmetic overflow on bounds check 2018-03-14 14:35:12 +01:00
Krzysztof Stachowiak
7040553a02 Add bounds check before length read 2018-03-14 14:35:12 +01:00
Manuel Pégourié-Gonnard
b0661769ab x509: CRL: reject unsupported critical extensions 2018-03-14 09:28:24 +01:00
Gilles Peskine
df6f3dd9b0 Merge remote-tracking branch 'upstream-restricted/pr/430' into mbedtls-2.1-restricted-proposed 2018-03-13 17:28:42 +01:00
Gilles Peskine
8c1217984b Merge remote-tracking branch 'upstream-restricted/pr/360' into mbedtls-2.1-restricted-proposed
Conflicts:
* scripts/config.pl: reconciled parallel edits in a comment.
2018-03-13 17:26:49 +01:00
Manuel Pégourié-Gonnard
503047f824 Fix 2.1-specific remaining MD/PK depend issues
For library/certs.c the issue is resolved by aligning it with the version in
the 2.7 branch (which is currently the same as the version in the development
branch)
2018-03-13 11:53:48 +01:00
Hanno Becker
b81fcd00e6 Correct memory leak in RSA self test
The RSA self test didn't free the RSA context on failure.
2018-03-13 10:31:02 +00:00
Gilles Peskine
5e533f43ee Merge remote-tracking branch 'upstream-public/pr/1373' into mbedtls-2.1-proposed 2018-03-12 23:51:50 +01:00
Gilles Peskine
889de8eedb Merge branch 'pr_1276' into mbedtls-2.1-proposed 2018-03-12 23:51:01 +01:00
Gilles Peskine
8da4f864a5 Merge remote-tracking branch 'upstream-public/pr/1009' into mbedtls-2.1-proposed 2018-03-12 23:44:48 +01:00
Gilles Peskine
d38464698e Merge remote-tracking branch 'upstream-public/pr/1295' into mbedtls-2.1-proposed 2018-03-11 00:52:35 +01:00
Gilles Peskine
0aacc9a96d Merge remote-tracking branch 'upstream-public/pr/1297' into mbedtls-2.1-proposed 2018-03-11 00:52:35 +01:00
Gilles Peskine
9a00ef3cf1 Merge branch 'pr_953' into HEAD 2018-03-11 00:52:24 +01:00
Manuel Pégourié-Gonnard
ac54cea7f9 x509: fix remaining unchecked call to mbedtls_md()
The other two calls have been fixed already, fix that one too for consistency.
2018-03-07 09:44:31 +01:00
Manuel Pégourié-Gonnard
19d77b6aa6 Clarify mutual references in comments 2018-03-07 09:44:28 +01:00
Manuel Pégourié-Gonnard
b6d3e6d102 Fix some issues in comments 2018-03-06 10:35:15 +01:00
Hanno Becker
dc8751d31e Fix bug in X.509 CRT verification code 2018-03-05 13:46:10 +01:00
Manuel Pégourié-Gonnard
78df7fcc8c Fix some comment typos 2018-03-05 13:46:08 +01:00
Manuel Pégourié-Gonnard
afbbcf849c Add comments on chain verification cases
This is the beginning of a series of commits refactoring the chain
building/verification functions in order to:
- make it simpler to understand and work with
- prepare integration of restartable ECC
2018-03-05 13:44:22 +01:00
Manuel Pégourié-Gonnard
081ed0650c Improve handling of md errors in X.509
md() already checks for md_info == NULL. Also, in the future it might also
return other errors (eg hardware errors if acceleration is used), so it make
more sense to check its return value than to check for NULL ourselves and then
assume no other error can occur.

Also, currently, md_info == NULL can never happen except if the MD and OID modules
get out of sync, or if the user messes with members of the x509_crt structure
directly.

This commit does not change the current behaviour, which is to treat MD errors
the same way as a bad signature or no trusted root.
2018-03-05 13:43:45 +01:00
Gilles Peskine
25ec9cc9b3 Merge branch 'prr_428' into mbedtls-2.1-proposed 2018-02-22 16:24:13 +01:00
Hanno Becker
f599026248 Adapt version_features.c 2018-02-22 16:18:07 +01:00
Gilles Peskine
ac33180219 Merge branch 'pr_1354' into mbedtls-2.1 2018-02-20 16:37:17 +01:00
Gilles Peskine
2e50efad44 Merge remote-tracking branch 'upstream-public/pr/1334' into mbedtls-2.1-proposed 2018-02-14 15:13:37 +01:00
Antonio Quartulli
b9e3c6d9c6 pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-14 11:12:58 +01:00
Ron Eldor
3a3b654027 Fix handshake failure in suite B
Fix handshake failure where PK key is translated as `MBEDTLS_ECKEY`
instead of `MBEDTLS_ECDSA`
2018-02-07 12:09:46 +02:00
Jaeden Amero
f885c81f15 Update version to 2.1.10 2018-02-02 18:10:05 +00:00
James Cowgill
a5f8b42056 Fix build errors on x32 by using the generic 'add' instruction
On x32 systems, pointers are 4-bytes wide and are therefore stored in %e?x
registers (instead of %r?x registers). These registers must be accessed using
"addl" instead of "addq", however the GNU assembler will acccept the generic
"add" instruction and determine the correct opcode based on the registers
passed to it.
2018-01-29 21:54:26 +01:00
Jaeden Amero
035f6ea288 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2018-01-29 12:53:07 +00:00
Manuel Pégourié-Gonnard
3e6222dacb Fix alarm(0) failure on mingw32
A new test for mbedtls_timing_alarm(0) was introduced in PR 1136, which also
fixed it on Unix. Apparently test results on MinGW were not checked at that
point, so we missed that this new test was also failing on this platform.
2018-01-29 13:23:40 +01:00
Jaeden Amero
bfafd12789 Merge remote-tracking branch 'upstream-restricted/pr/414' into mbedtls-2.1-restricted 2018-01-26 18:09:14 +00:00
Jaeden Amero
e5b443e2d6 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2018-01-24 15:24:42 +00:00
Jaeden Amero
0295634b21 Merge remote-tracking branch 'upstream-public/pr/1278' into mbedtls-2.1 2018-01-24 10:55:56 +00:00
Andres Amaya Garcia
133ab2c8ee Ensure that mbedtls_pk_parse_key() does not allocate 0 bytes 2018-01-23 21:21:49 +00:00
Andres Amaya Garcia
af77213b72 Change formatting of allocation check in x509_crl 2018-01-23 21:21:00 +00:00
Andres Amaya Garcia
fb023c18da Ensure memcpy is not called with NULL and 0 args in x509 module 2018-01-23 21:21:00 +00:00
Andres Amaya Garcia
5dc2fe7467 Style fixes in pem, x509_crl and buf_alloc 2018-01-23 21:03:49 +00:00