Merge remote-tracking branch 'origin/development' into development-restricted
* origin/development: Update the crypto submodule Use multipart PSA key derivation API platform: Include stdarg.h where needed Update Mbed Crypto to contain mbed-crypto#152 CMake: Add a subdirectory build regression test README: Enable builds as a CMake subproject ChangeLog: Enable builds as a CMake subproject Remove use of CMAKE_SOURCE_DIR Update library version to 2.18.0
This commit is contained in:
commit
64f264332f
9 changed files with 158 additions and 91 deletions
155
ChangeLog
155
ChangeLog
|
@ -9,6 +9,93 @@ Security
|
|||
about 1 bit of information on average and could cause the value to be
|
||||
1 byte too large for the output buffer.
|
||||
|
||||
Features
|
||||
* Add new API functions mbedtls_ssl_session_save() and
|
||||
mbedtls_ssl_session_load() to allow serializing a session, for example to
|
||||
store it in non-volatile storage, and later using it for TLS session
|
||||
resumption.
|
||||
* Add a new API function mbedtls_ssl_check_record() to allow checking that
|
||||
an incoming record is valid, authentic and has not been seen before. This
|
||||
feature can be used alongside Connection ID and SSL context serialisation.
|
||||
The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
|
||||
option.
|
||||
|
||||
API Changes
|
||||
* Add DER-encoded test CRTs to library/certs.c, allowing
|
||||
the example programs ssl_server2 and ssl_client2 to be run
|
||||
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
|
||||
* The HAVEGE state type now uses uint32_t elements instead of int.
|
||||
|
||||
Bugfix
|
||||
* Fix missing bounds checks in X.509 parsing functions that could
|
||||
lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
|
||||
* Fix multiple X.509 functions previously returning ASN.1 low-level error
|
||||
codes to always wrap these codes into X.509 high level error codes before
|
||||
returning. Fixes #2431.
|
||||
* Fix to allow building test suites with any warning that detects unused
|
||||
functions. Fixes #1628.
|
||||
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
|
||||
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
|
||||
* Fix build failure when building with mingw on Windows by including
|
||||
stdarg.h where needed. Fixes #2656.
|
||||
* Fix Visual Studio Release x64 build configuration by inheriting
|
||||
PlatformToolset from the project configuration. Fixes #1430 reported by
|
||||
irwir.
|
||||
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
|
||||
if some curves are not defined. Fixes #1591 reported by dbedev.
|
||||
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
|
||||
* Avoid use of statically sized stack buffers for certificate writing.
|
||||
This previously limited the maximum size of DER encoded certificates
|
||||
in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
|
||||
* Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
|
||||
* Update test certificates that were about to expire. Reported by
|
||||
Bernhard M. Wiedemann in #2357.
|
||||
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
|
||||
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
|
||||
in #2169.
|
||||
* Fix propagation of restart contexts in restartable EC operations.
|
||||
This could previously lead to segmentation faults in builds using an
|
||||
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
|
||||
|
||||
Changes
|
||||
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
|
||||
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
|
||||
suggests). #2671
|
||||
* Make `make clean` clean all programs always. Fixes #1862.
|
||||
* Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
|
||||
docker-env.sh) to simplify running test suites on a Linux host. Contributed
|
||||
by Peter Kolbus (Garmin).
|
||||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||||
Ashley Duncan in #2609.
|
||||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||||
cyber) in #2681.
|
||||
* Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
|
||||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||||
Ashley Duncan in #2609.
|
||||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||||
cyber) in #2681.
|
||||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||||
Ashley Duncan in #2609.
|
||||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||||
cyber) in #2681.
|
||||
* Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
|
||||
Contributed by Philippe Antoine (Catena cyber).
|
||||
|
||||
= mbed TLS 2.18.1 branch released 2019-07-12
|
||||
|
||||
Bugfix
|
||||
* Fix build failure when building with mingw on Windows by including
|
||||
stdarg.h where needed. Fixes #2656.
|
||||
|
||||
Changes
|
||||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||||
Ashley Duncan in #2609.
|
||||
|
||||
= mbed TLS 2.18.0 branch released 2019-06-11
|
||||
|
||||
Features
|
||||
* Add the Any Policy certificate policy oid, as defined in
|
||||
rfc 5280 section 4.2.1.4.
|
||||
|
@ -38,24 +125,11 @@ Features
|
|||
changed its IP or port. The feature is enabled at compile-time by setting
|
||||
MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
|
||||
through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
|
||||
* Add new API functions mbedtls_ssl_session_save() and
|
||||
mbedtls_ssl_session_load() to allow serializing a session, for example to
|
||||
store it in non-volatile storage, and later using it for TLS session
|
||||
resumption.
|
||||
* Add a new API function mbedtls_ssl_check_record() to allow checking that
|
||||
an incoming record is valid, authentic and has not been seen before. This
|
||||
feature can be used alongside Connection ID and SSL context serialisation.
|
||||
The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
|
||||
option.
|
||||
|
||||
API Changes
|
||||
* Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
|
||||
and the used tls-prf.
|
||||
* Add public API for tls-prf function, according to requested enum.
|
||||
* Add DER-encoded test CRTs to library/certs.c, allowing
|
||||
the example programs ssl_server2 and ssl_client2 to be run
|
||||
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
|
||||
* The HAVEGE state type now uses uint32_t elements instead of int.
|
||||
|
||||
Bugfix
|
||||
* Fix private key DER output in the key_app_writer example. File contents
|
||||
|
@ -83,35 +157,7 @@ Bugfix
|
|||
* Set the next sequence of the subject_alt_name to NULL when deleting
|
||||
sequence on failure. Found and fix suggested by Philippe Antoine.
|
||||
Credit to OSS-Fuzz.
|
||||
* Fix missing bounds checks in X.509 parsing functions that could
|
||||
lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
|
||||
* Fix multiple X.509 functions previously returning ASN.1 low-level error
|
||||
codes to always wrap these codes into X.509 high level error codes before
|
||||
returning. Fixes #2431.
|
||||
* Fix to allow building test suites with any warning that detects unused
|
||||
functions. Fixes #1628.
|
||||
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
|
||||
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
|
||||
* Fix build failure when building with mingw on Windows by including
|
||||
stdarg.h where needed. Fixes #2656.
|
||||
* Fix Visual Studio Release x64 build configuration by inheriting
|
||||
PlatformToolset from the project configuration. Fixes #1430 reported by
|
||||
irwir.
|
||||
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
|
||||
if some curves are not defined. Fixes #1591 reported by dbedev.
|
||||
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
|
||||
* Avoid use of statically sized stack buffers for certificate writing.
|
||||
This previously limited the maximum size of DER encoded certificates
|
||||
in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
|
||||
* Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
|
||||
* Update test certificates that were about to expire. Reported by
|
||||
Bernhard M. Wiedemann in #2357.
|
||||
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
|
||||
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
|
||||
in #2169.
|
||||
* Fix propagation of restart contexts in restartable EC operations.
|
||||
This could previously lead to segmentation faults in builds using an
|
||||
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
|
||||
|
||||
Changes
|
||||
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
|
||||
mbedTLS configuration only SHA-2 signed certificates are accepted.
|
||||
|
@ -128,31 +174,6 @@ Changes
|
|||
Contributed by Peter Kolbus (Garmin).
|
||||
* Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
|
||||
improve clarity. Fixes #2258.
|
||||
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
|
||||
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
|
||||
suggests). #2671
|
||||
* Make `make clean` clean all programs always. Fixes #1862.
|
||||
* Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
|
||||
docker-env.sh) to simplify running test suites on a Linux host. Contributed
|
||||
by Peter Kolbus (Garmin).
|
||||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||||
Ashley Duncan in #2609.
|
||||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||||
cyber) in #2681.
|
||||
* Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
|
||||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||||
Ashley Duncan in #2609.
|
||||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||||
cyber) in #2681.
|
||||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||||
Ashley Duncan in #2609.
|
||||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||||
cyber) in #2681.
|
||||
* Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
|
||||
Contributed by Philippe Antoine (Catena cyber).
|
||||
|
||||
= mbed TLS 2.17.0 branch released 2019-03-19
|
||||
|
||||
|
|
2
crypto
2
crypto
|
@ -1 +1 @@
|
|||
Subproject commit 89e76556910c2704313fe23b174f2742702a3a29
|
||||
Subproject commit 21db2a94a482689e4e4f4e5473d4b5723c5394e4
|
|
@ -24,7 +24,7 @@
|
|||
*/
|
||||
|
||||
/**
|
||||
* @mainpage mbed TLS v2.17.0 source code documentation
|
||||
* @mainpage mbed TLS v2.18.0 source code documentation
|
||||
*
|
||||
* This documentation describes the internal structure of mbed TLS. It was
|
||||
* automatically generated from specially formatted comment blocks in
|
||||
|
|
|
@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8
|
|||
# identify the project. Note that if you do not use Doxywizard you need
|
||||
# to put quotes around the project name if it contains spaces.
|
||||
|
||||
PROJECT_NAME = "mbed TLS v2.17.0"
|
||||
PROJECT_NAME = "mbed TLS v2.18.0"
|
||||
|
||||
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
|
||||
# This could be handy for archiving the generated documentation or
|
||||
|
|
|
@ -39,7 +39,7 @@
|
|||
* Major, Minor, Patchlevel
|
||||
*/
|
||||
#define MBEDTLS_VERSION_MAJOR 2
|
||||
#define MBEDTLS_VERSION_MINOR 17
|
||||
#define MBEDTLS_VERSION_MINOR 18
|
||||
#define MBEDTLS_VERSION_PATCH 0
|
||||
|
||||
/**
|
||||
|
@ -47,9 +47,9 @@
|
|||
* MMNNPP00
|
||||
* Major version | Minor version | Patch version
|
||||
*/
|
||||
#define MBEDTLS_VERSION_NUMBER 0x02110000
|
||||
#define MBEDTLS_VERSION_STRING "2.17.0"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.17.0"
|
||||
#define MBEDTLS_VERSION_NUMBER 0x02120000
|
||||
#define MBEDTLS_VERSION_STRING "2.18.0"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.18.0"
|
||||
|
||||
#if defined(MBEDTLS_VERSION_C)
|
||||
|
||||
|
|
|
@ -172,14 +172,14 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
|
|||
if(USE_SHARED_MBEDTLS_LIBRARY)
|
||||
|
||||
add_library(mbedx509 SHARED ${src_x509})
|
||||
set_target_properties(mbedx509 PROPERTIES VERSION 2.17.0 SOVERSION 0)
|
||||
set_target_properties(mbedx509 PROPERTIES VERSION 2.18.0 SOVERSION 1)
|
||||
target_link_libraries(mbedx509 ${libs} mbedcrypto)
|
||||
target_include_directories(mbedx509
|
||||
PUBLIC ${MBEDTLS_DIR}/include/
|
||||
PUBLIC ${MBEDTLS_DIR}/crypto/include/)
|
||||
|
||||
add_library(mbedtls SHARED ${src_tls})
|
||||
set_target_properties(mbedtls PROPERTIES VERSION 2.17.0 SOVERSION 12)
|
||||
set_target_properties(mbedtls PROPERTIES VERSION 2.18.0 SOVERSION 13)
|
||||
target_link_libraries(mbedtls ${libs} mbedx509)
|
||||
target_include_directories(mbedtls
|
||||
PUBLIC ${MBEDTLS_DIR}/include/
|
||||
|
|
|
@ -35,8 +35,8 @@ LOCAL_CFLAGS += -fPIC -fpic
|
|||
endif
|
||||
endif
|
||||
|
||||
SOEXT_TLS=so.12
|
||||
SOEXT_X509=so.0
|
||||
SOEXT_TLS=so.13
|
||||
SOEXT_X509=so.1
|
||||
SOEXT_CRYPTO=so.3
|
||||
|
||||
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
|
||||
|
|
|
@ -689,6 +689,52 @@ exit:
|
|||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
|
||||
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
|
||||
psa_key_handle_t slot,
|
||||
psa_algorithm_t alg,
|
||||
const unsigned char* seed, size_t seed_length,
|
||||
const unsigned char* label, size_t label_length,
|
||||
size_t capacity )
|
||||
{
|
||||
psa_status_t status;
|
||||
|
||||
status = psa_key_derivation_setup( derivation, alg );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( status );
|
||||
|
||||
if( PSA_ALG_IS_TLS12_PRF( alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
|
||||
{
|
||||
status = psa_key_derivation_input_bytes( derivation,
|
||||
PSA_KEY_DERIVATION_INPUT_SEED,
|
||||
seed, seed_length );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( status );
|
||||
|
||||
status = psa_key_derivation_input_key( derivation,
|
||||
PSA_KEY_DERIVATION_INPUT_SECRET,
|
||||
slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( status );
|
||||
|
||||
status = psa_key_derivation_input_bytes( derivation,
|
||||
PSA_KEY_DERIVATION_INPUT_LABEL,
|
||||
label, label_length );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( status );
|
||||
}
|
||||
else
|
||||
{
|
||||
return( PSA_ERROR_NOT_SUPPORTED );
|
||||
}
|
||||
|
||||
status = psa_key_derivation_set_capacity( derivation, capacity );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( status );
|
||||
|
||||
return( PSA_SUCCESS );
|
||||
}
|
||||
|
||||
static int tls_prf_generic( mbedtls_md_type_t md_type,
|
||||
const unsigned char *secret, size_t slen,
|
||||
const char *label,
|
||||
|
@ -716,12 +762,12 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
status = psa_key_derivation( &derivation,
|
||||
master_slot, alg,
|
||||
random, rlen,
|
||||
(unsigned char const *) label,
|
||||
(size_t) strlen( label ),
|
||||
dlen );
|
||||
status = setup_psa_key_derivation( &derivation,
|
||||
master_slot, alg,
|
||||
random, rlen,
|
||||
(unsigned char const *) label,
|
||||
(size_t) strlen( label ),
|
||||
dlen );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_key_derivation_abort( &derivation );
|
||||
|
@ -1695,11 +1741,11 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
|
|||
else
|
||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
||||
|
||||
status = psa_key_derivation( &derivation, psk, alg,
|
||||
salt, salt_len,
|
||||
(unsigned char const *) lbl,
|
||||
(size_t) strlen( lbl ),
|
||||
master_secret_len );
|
||||
status = setup_psa_key_derivation( &derivation, psk, alg,
|
||||
salt, salt_len,
|
||||
(unsigned char const *) lbl,
|
||||
(size_t) strlen( lbl ),
|
||||
master_secret_len );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_key_derivation_abort( &derivation );
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
Check compiletime library version
|
||||
check_compiletime_version:"2.17.0"
|
||||
check_compiletime_version:"2.18.0"
|
||||
|
||||
Check runtime library version
|
||||
check_runtime_version:"2.17.0"
|
||||
check_runtime_version:"2.18.0"
|
||||
|
||||
Check for MBEDTLS_VERSION_C
|
||||
check_feature:"MBEDTLS_VERSION_C":0
|
||||
|
|
Loading…
Reference in a new issue