yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-23 23:35:40 +01:00
Code Issues Packages Projects Releases Wiki Activity
4,147 Commits 88 Branches 205 Tags 69 MiB
fe0e8d2331
Commit Graph

4147 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Manuel Pégourié-Gonnard
d847f1f46a Fix ChangeLog 2015-11-19 12:17:17 +01:00
Manuel Pégourié-Gonnard
b030c33e57 Fix bug checking pathlen on first intermediate 
Remove check on the pathLenConstraint value when looking for a parent to the
EE cert, as the constraint is on the number of intermediate certs below the
parent, and that number is always 0 at that point, so the constraint is always
satisfied.

The check was actually off-by-one, which caused valid chains to be rejected
under the following conditions:
- the parent certificate is not a trusted root, and
- it has pathLenConstraint == 0 (max_pathlen == 1 in our representation)

fixes #280
 2015-11-19 11:26:52 +01:00
Manuel Pégourié-Gonnard
3cb2074a82 Add test case for root with max_pathlen=0 
This was already working but not tested so far

(Test case from previous commit still failing.)

Test certificates generated with:

programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert91.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert92.key

programs/x509/cert_write serial=91 output_file=cert91.crt is_ca=1 \
    issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
    selfsign=1 max_pathlen=0
programs/x509/cert_write serial=92 output_file=cert92.crt \
    issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
    subject_key=cert92.key subject_name="CN=EE 92,O=mbed TLS,C=UK"

mv cert9?.crt tests/data_files/dir4
rm cert9?.key
 2015-11-19 11:25:30 +01:00
Manuel Pégourié-Gonnard
922cd9ba36 Add test case for first intermediate max_pathlen=0 
!!! This test case is currently failing !!!
(See fix in next-next commit.)

Test certificates generated with the following script:

programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert81.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert82.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert83.key

programs/x509/cert_write serial=81 output_file=cert81.crt is_ca=1 \
    issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
    selfsign=1
programs/x509/cert_write serial=82 output_file=cert82.crt is_ca=1 \
    issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
    subject_key=cert82.key subject_name="CN=Int 82,O=mbed TLS,C=UK" \
    max_pathlen=0
programs/x509/cert_write serial=83 output_file=cert83.crt \
    issuer_key=cert82.key issuer_name="CN=Int 82,O=mbed TLS,C=UK" \
    subject_key=cert83.key subject_name="CN=EE 83,O=mbed TLS,C=UK"

mv cert8?.crt tests/data_files/dir4
rm cert8?.key
 2015-11-19 11:25:27 +01:00
Simon Butcher
ef43d41f67 Changed version number to 2.1.3 
Changed for library
 2015-11-04 22:08:33 +00:00
Simon Butcher
5b289208cb Remove debugging code left in test case 
Removed debug code from tests/suites/test_suite_x509parse.function
 2015-11-04 21:50:54 +00:00
Simon Butcher
73156357ed Disable Yotta tests from 'all tests' script 
Yotta tests not supported in 2.1 branch
 2015-11-04 00:36:30 +00:00
Simon Butcher
b2d2fec5a4 Corrected typo in ChangeLog 2015-11-03 23:12:36 +00:00
Manuel Pégourié-Gonnard
c28240596a Fix other int casts in bounds checking 
Not a security issue as here we know the buffer is large enough (unless
something else if badly wrong in the code), and the value cast to int is less
than 2^16 (again, unless issues elsewhere).

Still changing to a more correct check as a matter of principle
 2015-11-02 10:43:03 +09:00
Manuel Pégourié-Gonnard
5784dd5ac8 Fix other occurrences of same bounds check issue 
Security impact is the same: not triggerrable remotely except in very specific
use cases
 2015-11-02 10:43:03 +09:00
Manuel Pégourié-Gonnard
0d66bb959f Fix potential buffer overflow in asn1write 2015-11-02 10:42:44 +09:00
Manuel Pégourié-Gonnard
9dc66f4b2f Fix potential heap corruption on Windows 
If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.
 2015-11-02 10:41:13 +09:00
Manuel Pégourié-Gonnard
ffb8180733 Fix potential double-free in ssl_conf_psk() 2015-11-02 10:40:14 +09:00
Manuel Pégourié-Gonnard
e34dcd7ec5 Use own implementation of strsep() 
Not available on windows, and strtok() is not a good option
 2015-11-02 06:48:40 +09:00
Manuel Pégourié-Gonnard
1cf8851a77 Add ChangeLog entry for ASN.1 DER boolean fix 2015-11-02 06:00:38 +09:00
Jonathan Leroy
e03fa7c16a Test certificate "Server1 SHA1, key_usage" reissued. 2015-11-02 05:58:58 +09:00
Jonathan Leroy
00c6b3c35a Fix boolean values according to DER specs 
In BER encoding, any boolean with a non-zero value is considered as
TRUE. However, DER encoding require a value of 255 (0xFF) for TRUE.

This commit makes `mbedtls_asn1_write_bool` function uses `255` instead
of `1` for BOOLEAN values.

With this fix, boolean values are now reconized by OS X keychain (tested
on OS X 10.11).

Fixes #318.
 2015-11-02 05:58:43 +09:00
Jonathan Leroy
3dd85ddfdf cert_write : fix "Destination buffer is too small" error 
This commit fixes the `Destination buffer is too small` error returned
by `mbedtls_cert_write` command when the values of `subject_name` or
`issuer_name` parameters exceed 128 characters.

I have increased the size of these varaibles from 128 to 256 characters,
but I don't know if it's the best way to solve this issue...

Fixes #315.
 2015-11-02 05:58:30 +09:00
Manuel Pégourié-Gonnard
621f83e5c5 Fix typo in an OID name 
fixes #314
 2015-11-02 05:58:10 +09:00
Manuel Pégourié-Gonnard
7a40dc686f Disable reportedly broken assembly of Sparc(64) 
fixes #292
 2015-11-02 05:57:49 +09:00
Manuel Pégourié-Gonnard
e55448a50f Add Changelog entries for max_pathlen fixes 2015-11-02 05:56:57 +09:00
Manuel Pégourié-Gonnard
1d9348a06f Fix a style issue 2015-11-02 05:56:08 +09:00
Manuel Pégourié-Gonnard
fd1f9e735e Fix whitespace at EOL issues 2015-11-02 05:55:58 +09:00
Manuel Pégourié-Gonnard
841caf1b74 Use symbolic constants in test data 2015-11-02 05:55:39 +09:00
Janos Follath
860f239eb9 Fixed pathlen contraint enforcement. 2015-11-02 05:55:28 +09:00
Janos Follath
36f1234d96 Additional corner cases for testing pathlen constrains. Just in case. 2015-11-02 05:55:15 +09:00
Janos Follath
c7bea3158a Added test case for pathlen constrains in intermediate certificates 2015-11-02 05:55:02 +09:00
Jonathan Leroy
1f8c20ac9a Fix help message for cert_req/cert_write programs 
In cert_req and cert_write programs, "key_certificate_sign" is not an
allowed velue for "key_usage" parameter. The correct value is
"key_cert_sign".

See https://github.com/ARMmbed/mbedtls/blob/development/programs/x509/cert_req.c#L208
and https://github.com/ARMmbed/mbedtls/blob/development/programs/x509/cert_write.c#L323.
 2015-10-30 16:56:44 +01:00
Manuel Pégourié-Gonnard
d13585f1b3 Small improvement to test script 2015-10-30 16:56:30 +01:00
Manuel Pégourié-Gonnard
9f44a80ea3 Try to prevent some misuse of RSA functions 
fixes #331
 2015-10-30 10:57:43 +01:00
Manuel Pégourié-Gonnard
8f115968da Pick up ChangeLog fixes from development 2015-10-28 13:55:28 +01:00
Manuel Pégourié-Gonnard
a7f0a42101 Mention new test script in Readme 2015-10-28 13:42:14 +01:00
Manuel Pégourié-Gonnard
93080dfacf Fix missing check for RSA key length on EE certs 
- also adapt tests to use lesser requirement for compatibility with old
  testing material
 2015-10-28 13:22:32 +01:00
Simon Butcher
94c5e3c654 Fixed typo in comment 2015-10-28 13:21:12 +01:00
Manuel Pégourié-Gonnard
722da74cfc Fix attribution in ChangeLog 2015-10-28 13:20:16 +01:00
Manuel Pégourié-Gonnard
a314076486 Fix handling of non-fatal alerts 
fixes #308
 2015-10-28 13:19:55 +01:00
Manuel Pégourié-Gonnard
134ca18fbc Add key-exchanges.pl to test list 2015-10-28 13:17:18 +01:00
Manuel Pégourié-Gonnard
fe3affdad2 Add -Werror to reduced configs test scripts 2015-10-28 13:17:08 +01:00
Manuel Pégourié-Gonnard
5baec9050e Fix warning in some reduced configs 2015-10-28 13:16:56 +01:00
Manuel Pégourié-Gonnard
f9945bc283 Fix #ifdef inconsistency 
fixes #310

Actually all key exchanges that use a certificate use signatures too, and
there is no key exchange that uses signatures but no cert, so merge those two
flags.

Conflicts:
	ChangeLog
 2015-10-28 13:16:33 +01:00
Manuel Pégourié-Gonnard
4b56e755af Add script to test configs with single key exchanges 2015-10-28 13:15:23 +01:00
Manuel Pégourié-Gonnard
1cb668cf0f ECHDE-PSK does not use a certificate 
fixes #270
 2015-10-28 13:15:12 +01:00
Manuel Pégourié-Gonnard
d113b8e89d Move all KEY_EXCHANGE__ definitions in one place 2015-10-28 13:15:01 +01:00
Manuel Pégourié-Gonnard
5ce77da2b3 Mention performance fix in ChangeLog 2015-10-27 10:35:02 +01:00
Manuel Pégourié-Gonnard
00992d45c0 Optimize more common cases in ecp_muladd() 2015-10-27 10:30:36 +01:00
Manuel Pégourié-Gonnard
241bf6717a Optimize some case of mbedtls_ecp_muladd() 
Those are used by EC-JPAKE
 2015-10-27 10:30:03 +01:00
Manuel Pégourié-Gonnard
770f453547 Remove useless code 
closes #321
 2015-10-27 10:29:26 +01:00
Manuel Pégourié-Gonnard
c4cbc94d44 Small fix to 'make test' script 
When the tests fail they don't display the number of skipped and run test
 2015-10-27 10:29:26 +01:00
Manuel Pégourié-Gonnard
a6925c502d Fix typo in documentation 2015-10-27 10:28:49 +01:00
Simon Butcher
759b6d9df6 Corrected misleading fn description in ssl_cache.h 
Mistake in comments spotted by Andris Mednis
 2015-10-27 10:28:24 +01:00