Merge remote-tracking branch 'tls/development' into development
Merge Mbed TLS at f790a6c into Mbed Crypto.

Resolve conflicts by performing the following:
    - Reject changes to README.md
    - Don't add crypto as a submodule
    - Remove test/ssl_cert_test from programs/Makefile
    - Add cipher.nist_kw test to tests/CMakeLists.txt
    - Reject removal of crypto-specific all.sh tests
    - Reject update to SSL-specific portion of component_test_valgrind
      in all.sh
    - Reject addition of ssl-opt.sh testing to component_test_m32_o1 in
      all.sh

* tls/development: (87 commits)
  Call mbedtls_cipher_free() to reset a cipher context
  Don't call mbedtls_cipher_setkey twice
  Update crypto submodule
  Minor fixes in get certificate policies oid test
  Add certificate policy oid x509 extension
  cpp_dummy_build: Add missing header psa_util.h
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
  Don't use debug level 1 for informational messages
  Skip uncritical unsupported extensions
  Give credit to OSS-Fuzz for Mbed-TLS#2404
  all.sh: remove component_test_new_ecdh_context
  Remove crypto-only related components from all.sh
  Remove ssl_cert_test sample app
  Make CRT callback tests more robust
  Rename constant in client2.c
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix a rebase error
  ...
Patater committed Apr 17, 2019
2 parents 125a1e9 + f790a6c commit 521dbc6
Showing 46 changed files with 1,560 additions and 1,191 deletions.
425 changes: 0 additions & 425 deletions .pylint

This file was deleted.

52 changes: 52 additions & 0 deletions .pylintrc
@@ -0,0 +1,52 @@
[BASIC]
# We're ok with short funtion argument names.
# [invalid-name]
argument-rgx=[a-z_][a-z0-9_]*$

# Allow filter and map.
# [bad-builtin]
bad-functions=input

# We prefer docstrings, but we don't require them on all functions.
# Require them only on long functions (for some value of long).
# [missing-docstring]
docstring-min-length=10

# Allow longer methods than the default.
# [invalid-name]
method-rgx=[a-z_][a-z0-9_]{2,35}$

# Allow module names containing a dash (but no underscore or uppercase letter).
# They are whole programs, not meant to be included by another module.
# [invalid-name]
module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+)|[a-z][-0-9a-z]+)$

# Some functions don't need docstrings.
# [missing-docstring]
no-docstring-rgx=(run_)?main$

# We're ok with short local or global variable names.
# [invalid-name]
variable-rgx=[a-z_][a-z0-9_]*$

[DESIGN]
# Allow more than the default 7 attributes.
# [too-many-instance-attributes]
max-attributes=15

[FORMAT]
# Allow longer modules than the default recommended maximum.
# [too-many-lines]
max-module-lines=2000

[MESSAGES CONTROL]
disable=

[REPORTS]
# Don't diplay statistics. Just the facts.
reports=no

[VARIABLES]
# Allow unused variables if their name starts with an underscore.
# [unused-argument]
dummy-variables-rgx=_.*
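Review bot: two typos in the comments of this new file: "funtion" in `# We're ok with short funtion argument names.` should be "function", and "diplay" in `# Don't diplay statistics. Just the facts.` should be "display". Also, `disable=` under `[MESSAGES CONTROL]` is left empty; either drop the key or add a comment saying that no checks are disabled on purpose, so later readers don't take it for an unfinished line.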
3 changes: 2 additions & 1 deletion .travis.yml
Expand Up @@ -26,7 +26,8 @@ script:
- tests/scripts/curves.pl
env:
global:
secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k="
- SEED=1
- secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k="

addons:
apt:
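Review bot: the encrypted `secure:` value is byte-for-byte identical before and after; the hunk only turns `global:` from a single mapping into a list and adds `- SEED=1`. Neither the hunk nor the commit message says what `SEED=1` controls (presumably a test-suite seed), so a short comment next to it, or a sentence in the commit message, would make the intent clear to whoever next touches the CI configuration.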
17 changes: 17 additions & 0 deletions ChangeLog
Expand Up @@ -5,11 +5,28 @@ mbed TLS ChangeLog (Sorted per branch, date)
Features
* Add the Any Policy certificate policy oid, as defined in
rfc 5280 section 4.2.1.4.
* It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
Contributed by Jack Lloyd and Fortanix Inc.
* Add the Wi-SUN Field Area Network (FAN) device extended key usage.
* Add the oid certificate policy x509 extension.

Bugfix
* Fix private key DER output in the key_app_writer example. File contents
were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
Christian Walther in #2239.
* Fix potential memory leak in X.509 self test. Found and fixed by
Junhwan Park, #2106.
* Reduce stack usage of hkdf tests. Fixes #2195.
* Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
used with negative inputs. Found by Guido Vranken in #2404. Credit to
OSS-Fuzz.
* Fix bugs in the AEAD test suite which would be exposed by ciphers which
either used both encrypt and decrypt key schedules, or which perform padding.
GCM and CCM were not affected. Fixed by Jack Lloyd.
* Fix incorrect default port number in ssl_mail_client example's usage.
Found and fixed by irwir. #2337
* Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx.
Fixed by Peter Kolbus (Garmin). #2579

Changes
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
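Review bot: style is inconsistent across the new entries. "rfc 5280" should be "RFC 5280"; "oid" and "x509" in `* Add the Any Policy certificate policy oid` and `* Add the oid certificate policy x509 extension` should be "OID" and "X.509", and those two entries describe the same feature and could be merged into one. Issue references also vary in form ("in #2239", ", #2106", "Fixes #2195", ". #2337", ". #2579"); pick one and use it throughout.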
44 changes: 0 additions & 44 deletions circle.yml

This file was deleted.

8 changes: 8 additions & 0 deletions include/mbedtls/cipher.h
Expand Up @@ -176,6 +176,12 @@ typedef enum {
MBEDTLS_CIPHER_AES_256_XTS, /**< AES 256-bit cipher in XTS block mode. */
MBEDTLS_CIPHER_CHACHA20, /**< ChaCha20 stream cipher. */
MBEDTLS_CIPHER_CHACHA20_POLY1305, /**< ChaCha20-Poly1305 AEAD cipher. */
MBEDTLS_CIPHER_AES_128_KW, /**< AES cipher with 128-bit NIST KW mode. */
MBEDTLS_CIPHER_AES_192_KW, /**< AES cipher with 192-bit NIST KW mode. */
MBEDTLS_CIPHER_AES_256_KW, /**< AES cipher with 256-bit NIST KW mode. */
MBEDTLS_CIPHER_AES_128_KWP, /**< AES cipher with 128-bit NIST KWP mode. */
MBEDTLS_CIPHER_AES_192_KWP, /**< AES cipher with 192-bit NIST KWP mode. */
MBEDTLS_CIPHER_AES_256_KWP, /**< AES cipher with 256-bit NIST KWP mode. */
} mbedtls_cipher_type_t;

/** Supported cipher modes. */
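Review bot: the new doc comments read "AES cipher with 128-bit NIST KW mode", which attaches the bit length to the mode rather than to the key; "AES-128 in NIST KW mode" (and likewise for 192/256 and KWP) matches the wording of the neighbouring entries such as `/**< AES 256-bit cipher in XTS block mode. */`. Appending the six values after `MBEDTLS_CIPHER_CHACHA20_POLY1305` keeps the numeric values of the existing enumerators, which is the right choice for ABI stability.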
Expand All @@ -191,6 +197,8 @@ typedef enum {
MBEDTLS_MODE_CCM, /**< The CCM cipher mode. */
MBEDTLS_MODE_XTS, /**< The XTS cipher mode. */
MBEDTLS_MODE_CHACHAPOLY, /**< The ChaCha-Poly cipher mode. */
MBEDTLS_MODE_KW, /**< The SP800-38F KW mode */
MBEDTLS_MODE_KWP, /**< The SP800-38F KWP mode */
} mbedtls_cipher_mode_t;

/** Supported cipher padding types. */
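Review bot: the two new entries `/**< The SP800-38F KW mode */` and `/**< The SP800-38F KWP mode */` lack the trailing period used by every other entry in this enum (e.g. `/**< The XTS cipher mode. */`), and the NIST publication is normally written "SP 800-38F".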
19 changes: 19 additions & 0 deletions include/mbedtls/config.h
Expand Up @@ -1791,6 +1791,25 @@
*/
//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION

/**
* \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
*
* If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()`
* and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure
* the set of trusted certificates through a callback instead of a linked
* list.
*
* This is useful for example in environments where a large number of trusted
* certificates is present and storing them in a linked list isn't efficient
* enough, or when the set of trusted certificates changes frequently.
*
* See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and
* `mbedtls_ssl_conf_ca_cb()` for more information.
*
* Uncomment to enable trusted certificate callbacks.
*/
//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK

/**
* \def MBEDTLS_X509_CHECK_KEY_USAGE
*
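Review bot: the option's documentation omits the restrictions that the `mbedtls_ssl_conf_ca_cb()` documentation in this same commit spells out, namely that configuring a CA callback unsets any previously configured CRLs and disables restartable ECC during CRT signature verification. Those are security-relevant trade-offs a user reads config.h to learn about, so a short `\note` here would help, together with a "Requires:" line naming the X.509 CRT parsing module, since the ssl.h hunk nests the new fields inside `#if defined(MBEDTLS_X509_CRT_PARSE_C)`.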
10 changes: 9 additions & 1 deletion include/mbedtls/oid.h
Expand Up @@ -122,7 +122,8 @@
* { iso(1) identified-organization(3) dod(6) internet(1)
* security(5) mechanisms(5) pkix(7) }
*/
#define MBEDTLS_OID_PKIX MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD "\x01\x05\x05\x07"
#define MBEDTLS_OID_INTERNET MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD "\x01"
#define MBEDTLS_OID_PKIX MBEDTLS_OID_INTERNET "\x05\x05\x07"

/*
* Arc for standard naming attributes
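Review bot: the refactoring preserves the encoded bytes (`"\x01"` followed by `"\x05\x05\x07"` equals the old `"\x01\x05\x05\x07"`), so `MBEDTLS_OID_PKIX` is unchanged. The new `MBEDTLS_OID_INTERNET` has no comment of its own, though; the block above it documents only the PKIX arc. Suggest adding `{ iso(1) identified-organization(3) dod(6) internet(1) }` above the new define, since it is now also the base of `MBEDTLS_OID_WISUN_FAN` further down in this file.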
Expand Down Expand Up @@ -206,6 +207,13 @@
#define MBEDTLS_OID_TIME_STAMPING MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
#define MBEDTLS_OID_OCSP_SIGNING MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */

/**
* Wi-SUN Alliance Field Area Network
* { iso(1) identified-organization(3) dod(6) internet(1)
* private(4) enterprise(1) WiSUN(45605) FieldAreaNetwork(1) }
*/
#define MBEDTLS_OID_WISUN_FAN MBEDTLS_OID_INTERNET "\x04\x01\x82\xe4\x25\x01"

/*
* PKCS definition OIDs
*/
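Review bot: the encoding checks out: private(4) enterprise(1) gives `\x04\x01`, 45605 in base-128 is 2·128² + 100·128 + 37, i.e. `\x82\xe4\x25`, and FieldAreaNetwork(1) is `\x01`. The comment should say how the OID is used: the surrounding lines are id-kp extended key usage values with an `OBJECT IDENTIFIER ::=` annotation, and the ChangeLog entry describes this as an extended key usage, so stating "extended key usage" here spares the reader inferring it from placement.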
107 changes: 101 additions & 6 deletions include/mbedtls/ssl.h
Expand Up @@ -928,6 +928,10 @@ struct mbedtls_ssl_config
mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */
mbedtls_x509_crt *ca_chain; /*!< trusted CAs */
mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_x509_crt_ca_cb_t f_ca_cb;
void *p_ca_cb;
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#endif /* MBEDTLS_X509_CRT_PARSE_C */

#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
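Review bot: `f_ca_cb` and `p_ca_cb` are the only fields in this block without a trailing `/*!< ... */` comment, unlike `ca_chain` and `ca_crl` directly above. One-line descriptions (callback supplying trusted CAs, opaque context for that callback) would keep the struct's documentation complete.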
Expand Down Expand Up @@ -1090,6 +1094,12 @@ struct mbedtls_ssl_context
unsigned badmac_seen; /*!< records with a bad MAC received */
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */

#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify callback */
#endif

mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
mbedtls_ssl_recv_timeout_t *f_recv_timeout;
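Review bot: two consistency points. The new `#endif` lacks the `/* MBEDTLS_X509_CRT_PARSE_C */` trailer that the other conditionals in this struct carry (e.g. `#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */` just above), and `f_vrfy` is documented with a leading `/** ... */` block while every neighbouring field uses a trailing `/*!< ... */`. Both are worth aligning before merge.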
Expand Down Expand Up @@ -1366,13 +1376,17 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
/**
* \brief Set the verification callback (Optional).
*
* If set, the verify callback is called for each
* certificate in the chain. For implementation
* information, please see \c mbedtls_x509_crt_verify()
* If set, the provided verify callback is called for each
* certificate in the peer's CRT chain, including the trusted
* root. For more information, please see the documentation of
* \c mbedtls_x509_crt_verify().
*
* \param conf SSL configuration
* \param f_vrfy verification function
* \param p_vrfy verification parameter
* \note For per context callbacks and contexts, please use
* mbedtls_ssl_set_verify() instead.
*
* \param conf The SSL configuration to use.
* \param f_vrfy The verification callback to use during CRT verification.
* \param p_vrfy The opaque context to be passed to the callback.
*/
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
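Review bot: the new wording promises the callback is invoked "for each certificate in the peer's CRT chain, including the trusted root", which is a stronger behavioural statement than the old text and should be checked against what `mbedtls_x509_crt_verify()` documents, since callers use it to decide whether their hook will see the root. Minor: the prototype still spells out `int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *)` inline while the CA callback uses the typedef `mbedtls_x509_crt_ca_cb_t`; a typedef for the verify callback would keep `mbedtls_ssl_conf_verify()` and `mbedtls_ssl_set_verify()` in sync.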
Expand Down Expand Up @@ -1490,6 +1504,30 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */

#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* \brief Set a connection-specific verification callback (optional).
*
* If set, the provided verify callback is called for each
* certificate in the peer's CRT chain, including the trusted
* root. For more information, please see the documentation of
* \c mbedtls_x509_crt_verify().
*
* \note This call is analogous to mbedtls_ssl_conf_verify() but
* binds the verification callback and context to an SSL context
* as opposed to an SSL configuration.
* If mbedtls_ssl_conf_verify() and mbedtls_ssl_set_verify()
* are both used, mbedtls_ssl_set_verify() takes precedence.
*
* \param ssl The SSL context to use.
* \param f_vrfy The verification callback to use during CRT verification.
* \param p_vrfy The opaque context to be passed to the callback.
*/
void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#endif /* MBEDTLS_X509_CRT_PARSE_C */

/**
* \brief Set the timeout period for mbedtls_ssl_read()
* (Default: no timeout.)
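Review bot: the `\note` documents precedence when both callbacks are set, but not what passing `f_vrfy = NULL` to `mbedtls_ssl_set_verify()` means: whether it clears the per-context callback and falls back to the one from `mbedtls_ssl_conf_verify()`, or disables the callback for this context altogether. Either reading is plausible from the text; say which, since an application relying on the wrong one would silently skip its verification hook.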
Expand Down Expand Up @@ -2071,6 +2109,63 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl );

#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
/**
* \brief Set the trusted certificate callback.
*
* This API allows to register the set of trusted certificates
* through a callback, instead of a linked list as configured
* by mbedtls_ssl_conf_ca_chain().
*
* This is useful for example in contexts where a large number
* of CAs are used, and the inefficiency of maintaining them
* in a linked list cannot be tolerated. It is also useful when
* the set of trusted CAs needs to be modified frequently.
*
* See the documentation of `mbedtls_x509_crt_ca_cb_t` for
* more information.
*
* \param conf The SSL configuration to register the callback with.
* \param f_ca_cb The trusted certificate callback to use when verifying
* certificate chains.
* \param p_ca_cb The context to be passed to \p f_ca_cb (for example,
* a reference to a trusted CA database).
*
* \note This API is incompatible with mbedtls_ssl_conf_ca_chain():
* Any call to this function overwrites the values set through
* earlier calls to mbedtls_ssl_conf_ca_chain() or
* mbedtls_ssl_conf_ca_cb().
*
* \note This API is incompatible with CA indication in
* CertificateRequest messages: A server-side SSL context which
* is bound to an SSL configuration that uses a CA callback
* configured via mbedtls_ssl_conf_ca_cb(), and which requires
* client authentication, will send an empty CA list in the
* corresponding CertificateRequest message.
*
* \note This API is incompatible with mbedtls_ssl_set_hs_ca_chain():
* If an SSL context is bound to an SSL configuration which uses
* CA callbacks configured via mbedtls_ssl_conf_ca_cb(), then
* calls to mbedtls_ssl_set_hs_ca_chain() have no effect.
*
* \note The use of this API disables the use of restartable ECC
* during X.509 CRT signature verification (but doesn't affect
* other uses).
*
* \warning This API is incompatible with the use of CRLs. Any call to
* mbedtls_ssl_conf_ca_cb() unsets CRLs configured through
* earlier calls to mbedtls_ssl_conf_ca_chain().
*
* \warning In multi-threaded environments, the callback \p f_ca_cb
* must be thread-safe, and it is the user's responsibility
* to guarantee this (for example through a mutex
* contained in the callback context pointed to by \p p_ca_cb).
*/
void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
mbedtls_x509_crt_ca_cb_t f_ca_cb,
void *p_ca_cb );
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */

/**
* \brief Set own certificate chain and private key
*
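Review bot: the `\warning` that any call to `mbedtls_ssl_conf_ca_cb()` unsets CRLs configured earlier describes a silent loss of revocation checking; because the function returns `void`, an application that set a CRL and then a CA callback gets no signal. Consider stating the problematic ordering (CRL first, callback second) plainly in the `\warning`, and pointing to it from the `MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK` documentation in config.h. The empty CA list in CertificateRequest is also worth a line in the ChangeLog, since it changes what clients see on the wire.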