Merge branch 'development-proposed' into development-restricted

Gilles Peskine 2018-01-23 00:59:17 +01:00
commit aaaa98cd60
9 changed files with 52 additions and 22 deletions


@ -62,6 +62,17 @@ Features
with an alternative implementation: with an alternative implementation:
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
API Changes
* Extend RSA interface by multiple functions allowing structure-
independent setup and export of RSA contexts. Most notably,
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
up RSA contexts from partial key material and having them completed to the
needs of the implementation automatically. This allows to setup private RSA
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
purpose or CRT and/or blinding.
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
implementations of the RSA interface declared in rsa.h.
New deprecations New deprecations
* Deprecate usage of RSA primitives with non-matching key-type * Deprecate usage of RSA primitives with non-matching key-type
(e.g., signing with a public key). (e.g., signing with a public key).
@ -121,6 +132,9 @@ Bugfix
RSA test suite where the failure of CTR DRBG initialization lead to RSA test suite where the failure of CTR DRBG initialization lead to
freeing an RSA context and several MPI's without proper initialization freeing an RSA context and several MPI's without proper initialization
beforehand. beforehand.
* Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
Found and fixed by Martijn de Milliano.
Changes Changes
* Extend cert_write example program by options to set the CRT version * Extend cert_write example program by options to set the CRT version
@ -133,17 +147,7 @@ Changes
* Only run AES-192 self-test if AES-192 is available. Fixes #963. * Only run AES-192 self-test if AES-192 is available. Fixes #963.
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
undeclared dependency of the RSA module on the ASN.1 module. undeclared dependency of the RSA module on the ASN.1 module.
* Add mechanism to provide alternative implementation of the DHM module.
API Changes
* Extend RSA interface by multiple functions allowing structure-
independent setup and export of RSA contexts. Most notably,
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
up RSA contexts from partial key material and having them completed to the
needs of the implementation automatically. This allows to setup private RSA
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
purpose or CRT and/or blinding.
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
implementations of the RSA interface declared in rsa.h.
= mbed TLS 2.6.0 branch released 2017-08-10 = mbed TLS 2.6.0 branch released 2017-08-10


@ -269,6 +269,7 @@
//#define MBEDTLS_CCM_ALT //#define MBEDTLS_CCM_ALT
//#define MBEDTLS_CMAC_ALT //#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT //#define MBEDTLS_DES_ALT
//#define MBEDTLS_DHM_ALT
//#define MBEDTLS_GCM_ALT //#define MBEDTLS_GCM_ALT
//#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD2_ALT
//#define MBEDTLS_MD4_ALT //#define MBEDTLS_MD4_ALT


@ -23,7 +23,13 @@
#ifndef MBEDTLS_DHM_H #ifndef MBEDTLS_DHM_H
#define MBEDTLS_DHM_H #define MBEDTLS_DHM_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "bignum.h" #include "bignum.h"
#if !defined(MBEDTLS_DHM_ALT)
/* /*
* DHM Error codes * DHM Error codes
@ -291,6 +297,18 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
#endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_FS_IO */
#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_ASN1_PARSE_C */
#ifdef __cplusplus
}
#endif
#else /* MBEDTLS_DHM_ALT */
#include "dhm_alt.h"
#endif /* MBEDTLS_DHM_ALT */
#ifdef __cplusplus
extern "C" {
#endif
/** /**
* \brief Checkup routine * \brief Checkup routine
* *
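Review bot: The `#if !defined(MBEDTLS_DHM_ALT)` opened right after `#include "bignum.h"` also encloses the "DHM Error codes" definitions that follow it, so a build with MBEDTLS_DHM_ALT only has the `MBEDTLS_ERR_DHM_*` names if dhm_alt.h happens to redefine them, while the rest of the library (the error-string mapping and any caller testing DHM return codes) is compiled against those names. Consider moving the error codes above the guard, or adding next to `#include "dhm_alt.h"` a comment such as `/* dhm_alt.h must define mbedtls_dhm_context and the MBEDTLS_ERR_DHM_* codes with the values used by the rest of the library. */`. The `}` closing `extern "C"` before the `#else` pairs with an opening brace outside this hunk, so the non-ALT branch should be checked to open it after the error codes as well.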


@ -373,21 +373,22 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
/** /**
* \brief Check usage of certificate against extentedJeyUsage. * \brief Check usage of certificate against extendedKeyUsage.
* *
* \param crt Leaf certificate used. * \param crt Leaf certificate used.
* \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
* MBEDTLS_OID_CLIENT_AUTH).
* \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
* *
* \return 0 if this use of the certificate is allowed, * \return 0 if this use of the certificate is allowed,
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
* *
* \note Usually only makes sense on leaf certificates. * \note Usually only makes sense on leaf certificates.
*/ */
int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
const char *usage_oid, const char *usage_oid,
size_t usage_len ); size_t usage_len );
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */ #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#if defined(MBEDTLS_X509_CRL_PARSE_C) #if defined(MBEDTLS_X509_CRL_PARSE_C)
/** /**


@ -57,6 +57,7 @@
#define mbedtls_free free #define mbedtls_free free
#endif #endif
#if !defined(MBEDTLS_DHM_ALT)
/* Implementation that should never be optimized out by the compiler */ /* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) { static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0; volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@ -583,6 +584,7 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path )
} }
#endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_FS_IO */
#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_ASN1_PARSE_C */
#endif /* MBEDTLS_DHM_ALT */
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)
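Review bot: The `#endif /* MBEDTLS_DHM_ALT */` placed just before `#if defined(MBEDTLS_SELF_TEST)` keeps mbedtls_dhm_self_test() in this translation unit even when the module is replaced, so under MBEDTLS_DHM_ALT the self-test is compiled against dhm_alt.h and links against the alternative implementation; the static mbedtls_zeroize() above is inside the guard and is not available to it in that configuration. Worth a comment at the guard, e.g. `/* The self-test below is also built with MBEDTLS_DHM_ALT and exercises the alternative implementation through the public API. */`, and a check that the self-test body does not rely on mbedtls_zeroize() or other file-local helpers now excluded by the guard. The self-test body lies outside the hunk.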


@ -2042,7 +2042,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite = NULL; const mbedtls_ssl_ciphersuite_t *suite = NULL;
const mbedtls_cipher_info_t *cipher = NULL; const mbedtls_cipher_info_t *cipher = NULL;
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED || if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{ {
*olen = 0; *olen = 0;


@ -105,6 +105,9 @@ static const char *features[] = {
#if defined(MBEDTLS_DES_ALT) #if defined(MBEDTLS_DES_ALT)
"MBEDTLS_DES_ALT", "MBEDTLS_DES_ALT",
#endif /* MBEDTLS_DES_ALT */ #endif /* MBEDTLS_DES_ALT */
#if defined(MBEDTLS_DHM_ALT)
"MBEDTLS_DHM_ALT",
#endif /* MBEDTLS_DHM_ALT */
#if defined(MBEDTLS_GCM_ALT) #if defined(MBEDTLS_GCM_ALT)
"MBEDTLS_GCM_ALT", "MBEDTLS_GCM_ALT",
#endif /* MBEDTLS_GCM_ALT */ #endif /* MBEDTLS_GCM_ALT */


@ -248,6 +248,7 @@ int main( void )
memset( buf, 0, sizeof( buf ) ); memset( buf, 0, sizeof( buf ) );
n = dhm.len;
if( ( ret = mbedtls_net_recv( &client_fd, buf, n ) ) != (int) n ) if( ( ret = mbedtls_net_recv( &client_fd, buf, n ) ) != (int) n )
{ {
mbedtls_printf( " failed\n ! mbedtls_net_recv returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_net_recv returned %d\n\n", ret );
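Review bot: `n = dhm.len;` becomes the length passed to mbedtls_net_recv() into `buf` without being compared against `sizeof( buf )`; `buf` is a fixed-size array declared outside the hunk (the memset on the previous line zeroes it with its full size), so a modulus longer than the buffer would let the read overrun it. Add before the recv: `if( n > sizeof( buf ) ) { mbedtls_printf( " failed\n ! DH modulus larger than buffer\n\n" ); goto exit; }`. dhm.len appears to derive from the parameters the server itself loaded rather than from the peer, so this is a misconfiguration guard rather than a remote-input check, but it is cheap and makes the invariant explicit. The enclosing main() starts before and ends after the hunk.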


@ -345,7 +345,7 @@ int main( int argc, char *argv[] )
mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 ) if( ret != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_rsa_gen_key returned -0x%04x", -ret ); mbedtls_printf( " failed\n ! mbedtls_ecp_gen_key returned -0x%04x", -ret );
goto exit; goto exit;
} }
} }