From f0565ea5765d7e850ba3ac92aaad448859927773 Mon Sep 17 00:00:00 2001 From: Nathaniel Wesley Filardo Date: Fri, 5 Apr 2019 05:57:02 +0100 Subject: [PATCH] mbedtls bump to 2.7.9 (#2655) No major fixes, but was looking anyway. Specifically, to https://github.com/ARMmbed/mbedtls.git 079e813949251be1e7a9d395abd20b2c63422787 --- app/include/mbedtls/bn_mul.h | 8 ++++++- app/include/mbedtls/check_config.h | 4 ++++ app/include/mbedtls/ctr_drbg.h | 6 +++++ app/include/mbedtls/hmac_drbg.h | 6 +++++ app/include/mbedtls/pkcs12.h | 10 ++++++++ app/include/mbedtls/pkcs5.h | 10 ++++++++ app/include/mbedtls/ssl.h | 8 +++++++ app/include/mbedtls/version.h | 8 +++---- app/mbedtls/library/asn1write.c | 26 ++++++++++++++++++-- app/mbedtls/library/bignum.c | 38 ++++++++++++++++++++---------- app/mbedtls/library/pkcs12.c | 4 ++++ app/mbedtls/library/pkcs5.c | 17 +------------ 12 files changed, 109 insertions(+), 36 deletions(-) diff --git a/app/include/mbedtls/bn_mul.h b/app/include/mbedtls/bn_mul.h index 80e4b380..3a254aae 100644 --- a/app/include/mbedtls/bn_mul.h +++ b/app/include/mbedtls/bn_mul.h @@ -38,6 +38,12 @@ #ifndef MBEDTLS_BN_MUL_H #define MBEDTLS_BN_MUL_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "bignum.h" #if defined(MBEDTLS_HAVE_ASM) @@ -734,7 +740,7 @@ "sw $10, %2 \n\t" \ : "=m" (c), "=m" (d), "=m" (s) \ : "m" (s), "m" (d), "m" (c), "m" (b) \ - : "$9", "$10", "$11", "$12", "$13", "$14", "$15" \ + : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \ ); #endif /* MIPS */ diff --git a/app/include/mbedtls/check_config.h b/app/include/mbedtls/check_config.h index be803329..fa7110fe 100644 --- a/app/include/mbedtls/check_config.h +++ b/app/include/mbedtls/check_config.h @@ -122,6 +122,10 @@ #error "MBEDTLS_ECP_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C) +#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites" +#endif + #if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) && \ !defined(MBEDTLS_SHA256_C)) #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites" diff --git a/app/include/mbedtls/ctr_drbg.h b/app/include/mbedtls/ctr_drbg.h index 2b4dc73d..5a328431 100644 --- a/app/include/mbedtls/ctr_drbg.h +++ b/app/include/mbedtls/ctr_drbg.h @@ -28,6 +28,12 @@ #ifndef MBEDTLS_CTR_DRBG_H #define MBEDTLS_CTR_DRBG_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "aes.h" #if defined(MBEDTLS_THREADING_C) diff --git a/app/include/mbedtls/hmac_drbg.h b/app/include/mbedtls/hmac_drbg.h index dd31fc8f..f58b1e31 100644 --- a/app/include/mbedtls/hmac_drbg.h +++ b/app/include/mbedtls/hmac_drbg.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_HMAC_DRBG_H #define MBEDTLS_HMAC_DRBG_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "md.h" #if defined(MBEDTLS_THREADING_C) diff --git a/app/include/mbedtls/pkcs12.h b/app/include/mbedtls/pkcs12.h index a621ef5b..d441357b 100644 --- a/app/include/mbedtls/pkcs12.h +++ b/app/include/mbedtls/pkcs12.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_PKCS12_H #define MBEDTLS_PKCS12_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "md.h" #include "cipher.h" #include "asn1.h" @@ -46,6 +52,8 @@ extern "C" { #endif +#if defined(MBEDTLS_ASN1_PARSE_C) + /** * \brief PKCS12 Password Based function (encryption / decryption) * for pbeWithSHAAnd128BitRC4 @@ -87,6 +95,8 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, const unsigned char *input, size_t len, unsigned char *output ); +#endif /* MBEDTLS_ASN1_PARSE_C */ + /** * \brief The PKCS#12 derivation function uses a password and a salt * to produce pseudo-random bits for a particular "purpose". diff --git a/app/include/mbedtls/pkcs5.h b/app/include/mbedtls/pkcs5.h index 9a3c9fdd..f2012500 100644 --- a/app/include/mbedtls/pkcs5.h +++ b/app/include/mbedtls/pkcs5.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_PKCS5_H #define MBEDTLS_PKCS5_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "asn1.h" #include "md.h" @@ -44,6 +50,8 @@ extern "C" { #endif +#if defined(MBEDTLS_ASN1_PARSE_C) + /** * \brief PKCS#5 PBES2 function * @@ -62,6 +70,8 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, const unsigned char *data, size_t datalen, unsigned char *output ); +#endif /* MBEDTLS_ASN1_PARSE_C */ + /** * \brief PKCS#5 PBKDF2 using HMAC * diff --git a/app/include/mbedtls/ssl.h b/app/include/mbedtls/ssl.h index db8b85f6..5593a528 100644 --- a/app/include/mbedtls/ssl.h +++ b/app/include/mbedtls/ssl.h @@ -1618,6 +1618,14 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, * whether it matches those preferences - the server can then * decide what it wants to do with it. * + * \note The provided \p pk_key needs to match the public key in the + * first certificate in \p own_cert, or all handshakes using + * that certificate will fail. It is your responsibility + * to ensure that; this function will not perform any check. + * You may use mbedtls_pk_check_pair() in order to perform + * this check yourself, but be aware that this function can + * be computationally expensive on some key types. + * * \param conf SSL configuration * \param own_cert own public certificate chain * \param pk_key own private key diff --git a/app/include/mbedtls/version.h b/app/include/mbedtls/version.h index d54d56f7..36feff0d 100644 --- a/app/include/mbedtls/version.h +++ b/app/include/mbedtls/version.h @@ -40,16 +40,16 @@ */ #define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MINOR 7 -#define MBEDTLS_VERSION_PATCH 8 +#define MBEDTLS_VERSION_PATCH 9 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02070800 -#define MBEDTLS_VERSION_STRING "2.7.8" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.7.8" +#define MBEDTLS_VERSION_NUMBER 0x02070900 +#define MBEDTLS_VERSION_STRING "2.7.9" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.7.9" #if defined(MBEDTLS_VERSION_C) diff --git a/app/mbedtls/library/asn1write.c b/app/mbedtls/library/asn1write.c index c8db8bea..c13e85e5 100644 --- a/app/mbedtls/library/asn1write.c +++ b/app/mbedtls/library/asn1write.c @@ -331,14 +331,36 @@ int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start, return( (int) len ); } -mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **head, + +/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(), + * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */ +static mbedtls_asn1_named_data *asn1_find_named_data( + mbedtls_asn1_named_data *list, + const char *oid, size_t len ) +{ + while( list != NULL ) + { + if( list->oid.len == len && + memcmp( list->oid.p, oid, len ) == 0 ) + { + break; + } + + list = list->next; + } + + return( list ); +} + +mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( + mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, const unsigned char *val, size_t val_len ) { mbedtls_asn1_named_data *cur; - if( ( cur = mbedtls_asn1_find_named_data( *head, oid, oid_len ) ) == NULL ) + if( ( cur = asn1_find_named_data( *head, oid, oid_len ) ) == NULL ) { // Add new entry if not present yet based on OID // diff --git a/app/mbedtls/library/bignum.c b/app/mbedtls/library/bignum.c index 18daea25..ba817beb 100644 --- a/app/mbedtls/library/bignum.c +++ b/app/mbedtls/library/bignum.c @@ -500,26 +500,38 @@ cleanup: } /* - * Helper to write the digits high-order first + * Helper to write the digits high-order first. */ -static int mpi_write_hlp( mbedtls_mpi *X, int radix, char **p ) +static int mpi_write_hlp( mbedtls_mpi *X, int radix, + char **p, const size_t buflen ) { int ret; mbedtls_mpi_uint r; + size_t length = 0; + char *p_end = *p + buflen; - if( radix < 2 || radix > 16 ) - return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + do + { + if( length >= buflen ) + { + return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); + } - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) ); + /* + * Write the residue in the current position, as an ASCII character. + */ + if( r < 0xA ) + *(--p_end) = (char)( '0' + r ); + else + *(--p_end) = (char)( 'A' + ( r - 0xA ) ); - if( mbedtls_mpi_cmp_int( X, 0 ) != 0 ) - MBEDTLS_MPI_CHK( mpi_write_hlp( X, radix, p ) ); + length++; + } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 ); - if( r < 10 ) - *(*p)++ = (char)( r + 0x30 ); - else - *(*p)++ = (char)( r + 0x37 ); + memmove( *p, p_end, length ); + *p += length; cleanup: @@ -589,7 +601,7 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix, if( T.s == -1 ) T.s = 1; - MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p ) ); + MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) ); } *p++ = '\0'; diff --git a/app/mbedtls/library/pkcs12.c b/app/mbedtls/library/pkcs12.c index c603a135..5e8b2879 100644 --- a/app/mbedtls/library/pkcs12.c +++ b/app/mbedtls/library/pkcs12.c @@ -52,6 +52,8 @@ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } +#if defined(MBEDTLS_ASN1_PARSE_C) + static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params, mbedtls_asn1_buf *salt, int *iterations ) { @@ -230,6 +232,8 @@ exit: return( ret ); } +#endif /* MBEDTLS_ASN1_PARSE_C */ + static void pkcs12_fill_buffer( unsigned char *data, size_t data_len, const unsigned char *filler, size_t fill_len ) { diff --git a/app/mbedtls/library/pkcs5.c b/app/mbedtls/library/pkcs5.c index f04f0ab2..50133435 100644 --- a/app/mbedtls/library/pkcs5.c +++ b/app/mbedtls/library/pkcs5.c @@ -54,22 +54,7 @@ #define mbedtls_printf printf #endif -#if !defined(MBEDTLS_ASN1_PARSE_C) -int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, - const unsigned char *pwd, size_t pwdlen, - const unsigned char *data, size_t datalen, - unsigned char *output ) -{ - ((void) pbe_params); - ((void) mode); - ((void) pwd); - ((void) pwdlen); - ((void) data); - ((void) datalen); - ((void) output); - return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); -} -#else +#if defined(MBEDTLS_ASN1_PARSE_C) static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params, mbedtls_asn1_buf *salt, int *iterations, int *keylen, mbedtls_md_type_t *md_type )