projects / platform / upstream / iotivity.git / blob
? search:


972577d2cbff9aaf8fefd50c8e007a4bc966dde7
[platform/upstream/iotivity.git] / extlibs / mbedtls / ocf.patch
1 diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
2 index fe86c1e..e4583d6 100644
3 --- a/include/mbedtls/check_config.h
4 +++ b/include/mbedtls/check_config.h
5 @@ -189,6 +189,11 @@
6  #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
7  #endif
8  
9 +#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) &&                 \
10 +    ( !defined(MBEDTLS_ECDH_C) )
11 +#error "MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED defined, but not all prerequisites"
12 +#endif
13 +
14  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                 \
15      ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
16        !defined(MBEDTLS_X509_CRT_PARSE_C) )
17 diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
18 index 27abbd9..fa4db26 100644
19 --- a/include/mbedtls/compat-1.3.h
20 +++ b/include/mbedtls/compat-1.3.h
21 @@ -264,6 +264,9 @@
22  #if defined MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
23  #define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
24  #endif
25 +#if defined MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED
26 +#define POLARSSL_KEY_EXCHANGE_ECDH_ANON_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED
27 +#endif
28  #if defined MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
29  #define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
30  #endif
31 @@ -1273,6 +1276,7 @@
32  #define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
33  #define POLARSSL_KEY_EXCHANGE_ECDHE_PSK MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
34  #define POLARSSL_KEY_EXCHANGE_ECDHE_RSA MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
35 +#define POLARSSL_KEY_EXCHANGE_ECDH_ANON MBEDTLS_KEY_EXCHANGE_ECDH_ANON
36  #define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
37  #define POLARSSL_KEY_EXCHANGE_ECDH_RSA MBEDTLS_KEY_EXCHANGE_ECDH_RSA
38  #define POLARSSL_KEY_EXCHANGE_NONE MBEDTLS_KEY_EXCHANGE_NONE
39 @@ -1616,6 +1620,7 @@
40  #define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
41  #define TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
42  #define TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
43 +#define TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256
44  #define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
45  #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
46  #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
47 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
48 index ba499d2..8046e6e 100644
49 --- a/include/mbedtls/ssl.h
50 +++ b/include/mbedtls/ssl.h
51 @@ -358,7 +358,8 @@ union mbedtls_ssl_premaster_secret
52  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)    || \
53      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)  || \
54      defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)     || \
55 -    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
56 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)   || \
57 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
58      unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES];    /* RFC 4492 5.10 */
59  #endif
60  #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
61 diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
62 index deaaa37..4f10540 100644
63 --- a/include/mbedtls/ssl_ciphersuites.h
64 +++ b/include/mbedtls/ssl_ciphersuites.h
65 @@ -158,6 +158,8 @@ extern "C" {
66  #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     0xC031 /**< TLS 1.2 */
67  #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     0xC032 /**< TLS 1.2 */
68  
69 +#define MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256    0xFF00 /**< TLS 1.2 */
70 +
71  #define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA           0xC033 /**< Not in SSL3! */
72  #define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      0xC034 /**< Not in SSL3! */
73  #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035 /**< Not in SSL3! */
74 @@ -247,6 +249,7 @@ typedef enum {
75      MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
76      MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
77      MBEDTLS_KEY_EXCHANGE_ECJPAKE,
78 +    MBEDTLS_KEY_EXCHANGE_ECDH_ANON,
79  } mbedtls_key_exchange_type_t;
80  
81  /* Key exchanges using a certificate */
82 @@ -271,7 +274,8 @@ typedef enum {
83  /* Key exchanges using a ECDHE */
84  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
85      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
86 -    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
87 +    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)     || \
88 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
89  #define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
90  #endif
91  
92 diff --git a/library/entropy_poll.c b/library/entropy_poll.c
93 index a116e60..c022caf 100644
94 --- a/library/entropy_poll.c
95 +++ b/library/entropy_poll.c
96 @@ -54,28 +54,29 @@
97  #define _WIN32_WINNT 0x0400
98  #endif
99  #include <windows.h>
100 -#include <wincrypt.h>
101 +#include <bcrypt.h>
102  
103  int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len,
104                             size_t *olen )
105  {
106 -    HCRYPTPROV provider;
107      ((void) data);
108      *olen = 0;
109  
110 -    if( CryptAcquireContext( &provider, NULL, NULL,
111 -                              PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) == FALSE )
112 +    /*
113 +     * size_t may be 64 bits, but ULONG is always 32.
114 +     * If len is larger than the maximum for ULONG, just fail.
115 +     * It's unlikely anything ever will want to ask for this much randomness.
116 +     */
117 +    if ( len > 0xFFFFFFFFULL )
118      {
119          return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
120      }
121  
122 -    if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
123 +    if ( !BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, (ULONG) len, BCRYPT_USE_SYSTEM_PREFERRED_RNG)) )
124      {
125 -        CryptReleaseContext( provider, 0 );
126          return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
127      }
128  
129 -    CryptReleaseContext( provider, 0 );
130      *olen = len;
131  
132      return( 0 );
133 diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
134 index a762bf7..021ab50 100644
135 --- a/library/ssl_ciphersuites.c
136 +++ b/library/ssl_ciphersuites.c
137 @@ -95,6 +95,7 @@ static const int ciphersuite_preference[] =
138      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
139      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
140      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
141 +    MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256,
142  
143      /* All CAMELLIA-128 ephemeral suites */
144      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
145 @@ -407,6 +408,22 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
146  #endif /* MBEDTLS_CIPHER_NULL_CIPHER */
147  #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
148  
149 +
150 +#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
151 +#if defined(MBEDTLS_AES_C)
152 +#if defined(MBEDTLS_SHA256_C)
153 +#if defined(MBEDTLS_CIPHER_MODE_CBC)
154 +    { MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ANON-WITH-AES-128-CBC-SHA256",
155 +      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ANON,
156 +      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
157 +      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
158 +      0 },
159 +#endif /* MBEDTLS_CIPHER_MODE_CBC */
160 +#endif /* MBEDTLS_SHA256_C */
161 +#endif /* MBEDTLS_AES_C */
162 +#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
163 +
164 +
165  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
166  #if defined(MBEDTLS_AES_C)
167  #if defined(MBEDTLS_SHA1_C)
168 @@ -1829,6 +1846,7 @@ int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info )
169          case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
170          case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
171          case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
172 +        case MBEDTLS_KEY_EXCHANGE_ECDH_ANON:
173              return( 1 );
174  
175          default:
176 diff --git a/library/ssl_cli.c b/library/ssl_cli.c
177 index 223823b..945c973 100644
178 --- a/library/ssl_cli.c
179 +++ b/library/ssl_cli.c
180 @@ -1904,7 +1904,8 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char *
181      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
182      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
183      defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
184 -    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
185 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ||                    \
186 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
187  static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
188  {
189      const mbedtls_ecp_curve_info *curve_info;
190 @@ -1934,11 +1935,13 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
191            MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
192            MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
193            MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
194 -          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
195 +          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ||
196 +          MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
197  
198  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
199      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
200 -    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
201 +    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
202 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
203  static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
204                                           unsigned char **p,
205                                           unsigned char *end )
206 @@ -1970,40 +1973,80 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
207  }
208  #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
209            MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
210 -          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
211 +          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
212 +          MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED*/
213  
214  #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
215  static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
216                                        unsigned char **p,
217                                        unsigned char *end )
218  {
219 -    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
220 -    size_t  len;
221 -    ((void) ssl);
222 +    int ret = 0;
223 +    size_t n;
224 +
225 +    if( ssl->conf->f_psk == NULL &&
226 +        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
227 +          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
228 +    {
229 +        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
230 +        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
231 +    }
232  
233      /*
234 -     * PSK parameters:
235 -     *
236 -     * opaque psk_identity_hint<0..2^16-1>;
237 +     * Receive client pre-shared key identity name
238       */
239 -    len = (*p)[0] << 8 | (*p)[1];
240 +    if( *p + 2 > end )
241 +    {
242 +        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
243 +        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
244 +    }
245 +
246 +    n = ( (*p)[0] << 8 ) | (*p)[1];
247      *p += 2;
248  
249 -    if( (*p) + len > end )
250 +    if (n == 0)
251      {
252 -        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
253 -        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
254 +        return ( 0 );
255      }
256  
257 -    /*
258 -     * Note: we currently ignore the PKS identity hint, as we only allow one
259 -     * PSK to be provisionned on the client. This could be changed later if
260 -     * someone needs that feature.
261 -     */
262 -    *p += len;
263 -    ret = 0;
264 +    if( n < 1 || n > 65535 || *p + n > end )
265 +    {
266 +        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
267 +        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
268 +    }
269  
270 -    return( ret );
271 +    if( ssl->conf->f_psk != NULL )
272 +    {
273 +        if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
274 +            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
275 +    }
276 +    else
277 +    {
278 +        /* Identity is not a big secret since clients send it in the clear,
279 +         * but treat it carefully anyway, just in case */
280 +        if( n != ssl->conf->psk_identity_len ||
281 +            mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
282 +        {
283 +            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
284 +        }
285 +    }
286 +
287 +    if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
288 +    {
289 +        MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
290 +        if( ( ret = mbedtls_ssl_send_alert_message( ssl,
291 +                              MBEDTLS_SSL_ALERT_LEVEL_FATAL,
292 +                              MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
293 +        {
294 +            return( ret );
295 +        }
296 +
297 +        return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
298 +    }
299 +
300 +    *p += n;
301 +
302 +    return( 0 );
303  }
304  #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
305  
306 @@ -2299,10 +2342,12 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
307            MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
308  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
309      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
310 -    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
311 +    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
312 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
313      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
314          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
315 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
316 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
317 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
318      {
319          if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
320          {
321 @@ -2313,7 +2358,8 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
322      else
323  #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
324            MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
325 -          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
326 +          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
327 +          MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
328  #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
329      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
330      {
331 @@ -2384,6 +2430,10 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
332              return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
333          }
334  
335 +// Anonim cipher suite without sign, ecdh param only
336 +#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
337 +        goto exit;
338 +#endif
339          /*
340           * Read signature
341           */
342 @@ -2534,7 +2584,8 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
343          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
344          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
345          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
346 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
347 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
348 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
349      {
350          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
351          ssl->state++;
352 @@ -2559,7 +2610,8 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
353          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
354          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
355          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
356 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
357 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
358 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
359      {
360          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
361          ssl->state++;
362 @@ -2773,11 +2825,13 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
363  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
364      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
365      defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
366 -    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
367 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ||                    \
368 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
369      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
370          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
371          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
372 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
373 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ||
374 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON)
375      {
376          /*
377           * ECDH key exchange -- send client public value
378 @@ -2812,7 +2866,8 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
379  #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
380            MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
381            MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
382 -          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
383 +          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
384 +          MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
385  #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
386      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
387          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
388 @@ -3002,7 +3057,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
389          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
390          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
391          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
392 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
393 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
394 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
395      {
396          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
397          ssl->state++;
398 @@ -3035,7 +3091,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
399          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
400          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
401          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
402 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
403 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
404 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
405      {
406          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
407          ssl->state++;
408 diff --git a/library/ssl_srv.c b/library/ssl_srv.c
409 index fc0d2d7..6965f1f 100644
410 --- a/library/ssl_srv.c
411 +++ b/library/ssl_srv.c
412 @@ -2498,6 +2498,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
413          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
414          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
415          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
416 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON ||
417          authmode == MBEDTLS_SSL_VERIFY_NONE )
418      {
419          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
420 @@ -2675,7 +2676,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
421      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
422      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
423      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
424 -    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
425 +    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ||                        \
426 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
427      unsigned char *p = ssl->out_msg + 4;
428      unsigned char *dig_signed = p;
429      size_t dig_signed_len = 0, len;
430 @@ -2736,12 +2738,11 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
431      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
432          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
433      {
434 -        /* Note: we don't support identity hints, until someone asks
435 -         * for them. */
436 -        *(p++) = 0x00;
437 -        *(p++) = 0x00;
438 -
439 -        n += 2;
440 +        *(p++) = (unsigned char)( ssl->conf->psk_identity_len >> 8 );
441 +        *(p++) = (unsigned char)( ssl->conf->psk_identity_len      );
442 +        memcpy(p, ssl->conf->psk_identity, ssl->conf->psk_identity_len);
443 +        p += ssl->conf->psk_identity_len;
444 +        n += ssl->conf->psk_identity_len + 2;
445      }
446  #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
447            MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
448 @@ -2798,7 +2799,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
449  #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
450      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
451          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
452 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
453 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
454 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON)
455      {
456          /*
457           * Ephemeral ECDH parameters:
458 @@ -3336,11 +3338,13 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
459  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
460      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
461      defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
462 -    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
463 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ||                    \
464 +    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
465      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
466          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
467          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
468 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
469 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ||
470 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
471      {
472          if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
473                                        p, end - p) ) != 0 )
474 @@ -3539,7 +3543,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
475          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
476          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
477          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
478 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
479 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
480 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
481      {
482          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
483          ssl->state++;
484 @@ -3570,6 +3575,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
485          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
486          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
487          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
488 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON ||
489          ssl->session_negotiate->peer_cert == NULL )
490      {
491          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
492 diff --git a/library/ssl_tls.c b/library/ssl_tls.c
493 index 84a04ae..938b840 100644
494 --- a/library/ssl_tls.c
495 +++ b/library/ssl_tls.c
496 @@ -4066,7 +4066,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
497      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
498          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
499          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
500 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
501 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
502 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
503      {
504          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
505          ssl->state++;
506 @@ -4086,7 +4087,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
507      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
508          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
509          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
510 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
511 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
512 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
513      {
514          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
515          ssl->state++;
516 @@ -4109,7 +4111,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
517      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
518          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
519          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
520 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
521 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
522 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
523      {
524          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
525          ssl->state++;
526 @@ -4225,7 +4228,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
527      if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
528          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
529          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
530 -        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
531 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
532 +        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
533      {
534          MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
535          ssl->state++;
536 @@ -7539,6 +7543,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
537              case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
538              case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
539              case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
540 +            case MBEDTLS_KEY_EXCHANGE_ECDH_ANON:
541                  usage = 0;
542          }
543      }
544 diff --git a/library/version_features.c b/library/version_features.c
545 index e866e67..3184bc2 100644
546 --- a/library/version_features.c
547 +++ b/library/version_features.c
548 @@ -264,6 +264,9 @@ static const char *features[] = {
549  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
550      "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED",
551  #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
552 +#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
553 +    "MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED",
554 +#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
555  #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
556      "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED",
557  #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
558 diff --git a/library/x509_crt.c b/library/x509_crt.c
559 index 60e14f9..67cedde 100644
560 --- a/library/x509_crt.c
561 +++ b/library/x509_crt.c
562 @@ -62,6 +62,7 @@
563  
564  #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
565  #include <windows.h>
566 +#include <intsafe.h>
567  #else
568  #include <time.h>
569  #endif
570 @@ -1108,6 +1109,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
571      char filename[MAX_PATH];
572      char *p;
573      size_t len = strlen( path );
574 +    int lengthAsInt = 0;
575  
576      WIN32_FIND_DATAW file_data;
577      HANDLE hFind;
578 @@ -1122,7 +1124,10 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
579      p = filename + len;
580      filename[len++] = '*';
581  
582 -    w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir,
583 +    if ( FAILED ( SizeTToInt( len, &lengthAsInt ) ) )
584 +        return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
585 +
586 +    w_ret = MultiByteToWideChar( CP_ACP, 0, filename, lengthAsInt, szDir,
587                                   MAX_PATH - 3 );
588      if( w_ret == 0 )
589          return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
590 @@ -1139,8 +1144,11 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
591          if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
592              continue;
593  
594 +        if ( FAILED( SizeTToInt( wcslen( file_data.cFileName ), &lengthAsInt ) ) )
595 +            return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
596 +
597          w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
598 -                                     lstrlenW( file_data.cFileName ),
599 +                                     lengthAsInt,
600                                       p, (int) len - 1,
601                                       NULL, NULL );
602          if( w_ret == 0 )
Domain: Network & Connectivity / IoT Connectivity;