+From 43cd2295dcf0f83f2f11539050e3769d3fe79d7c Mon Sep 17 00:00:00 2001
+From: Kevin Kane <kkane@microsoft.com>
+Date: Thu, 18 May 2017 09:12:14 -0700
+Subject: [PATCH] With patches
+
+---
+ include/mbedtls/certs.h | 4 +
+ include/mbedtls/check_config.h | 5 +
+ include/mbedtls/compat-1.3.h | 5 +
+ include/mbedtls/config.h | 43 +++++-
+ include/mbedtls/net_sockets.h | 19 ++-
+ include/mbedtls/ssl.h | 50 ++++++-
+ include/mbedtls/ssl_ciphersuites.h | 6 +-
+ include/mbedtls/ssl_internal.h | 15 +-
+ include/mbedtls/x509.h | 2 +-
+ include/mbedtls/x509_crt.h | 44 ++++++
+ library/asn1write.c | 5 +-
+ library/bignum.c | 6 +-
+ library/certs.c | 17 +++
+ library/ctr_drbg.c | 2 +-
+ library/ecp.c | 2 +-
+ library/entropy_poll.c | 15 +-
+ library/md.c | 3 +-
+ library/net_sockets.c | 34 ++---
+ library/pkcs5.c | 5 +-
+ library/rsa.c | 5 +-
+ library/ssl_ciphersuites.c | 18 +++
+ library/ssl_cli.c | 144 +++++++++++++-----
+ library/ssl_srv.c | 42 ++++--
+ library/ssl_tls.c | 95 ++++++++++--
+ library/version_features.c | 6 +
+ library/x509.c | 40 ++++-
+ library/x509_create.c | 8 +-
+ library/x509_crl.c | 2 +-
+ library/x509_crt.c | 225 +++++++++++++++++++++++++++-
+ library/x509write_crt.c | 57 +++++++
+ programs/ssl/ssl_client2.c | 74 +++++++++
+ programs/ssl/ssl_server2.c | 75 ++++++++++
+ programs/x509/cert_write.c | 174 +++++++++++++++++++++
+ tests/data_files/server1-bothnames.crt | 22 +++
+ tests/data_files/server1-directoryname.crt | 22 +++
+ tests/data_files/server1-dnsname.crt | 21 +++
+ tests/data_files/server11-directoryname.crt | 10 ++
+ tests/ssl-opt.sh | 18 +++
+ tests/suites/test_suite_x509parse.data | 16 ++
+ tests/suites/test_suite_x509write.data | 12 ++
+ tests/suites/test_suite_x509write.function | 125 ++++++++++++++++
+ 41 files changed, 1376 insertions(+), 117 deletions(-)
+ create mode 100644 tests/data_files/server1-bothnames.crt
+ create mode 100644 tests/data_files/server1-directoryname.crt
+ create mode 100644 tests/data_files/server1-dnsname.crt
+ create mode 100644 tests/data_files/server11-directoryname.crt
+
diff --git a/include/mbedtls/certs.h b/include/mbedtls/certs.h
index ca49086e..e41de293 100644
--- a/include/mbedtls/certs.h
+extern const size_t mbedtls_test_srv_directoryname_ec_crt_len;
+#endif
#endif
-
+
#if defined(MBEDTLS_RSA_C)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index fe86c1e8..e4583d6c 100644
@@ -189,6 +189,11 @@
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
#endif
-
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) && \
+ ( !defined(MBEDTLS_ECDH_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED defined, but not all prerequisites"
( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) )
diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
-index 27abbd97..fa4db26e 100644
+index af51b5f8..71af7eed 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -264,6 +264,9 @@
#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
-index 6fc9c77..2472f87 100644
+index 0f7e29bc..7e840cb2 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -648,6 +648,21 @@
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-
+
/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED
+ *
*/
-#define MBEDTLS_SSL_SESSION_TICKETS
+//#define MBEDTLS_SSL_SESSION_TICKETS
-
+
/**
* \def MBEDTLS_SSL_EXPORT_KEYS
@@ -1360,6 +1375,21 @@
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-
+
/**
+ * \def MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT
+ *
*/
@@ -1949,6 +1980,16 @@
//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
-
+
/**
+ * \def MBEDTLS_HAVE_WINSOCK2
+ *
*
* Enable the TCP and UDP over IPv6/IPv4 networking routines.
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
-index de33552..a835534 100644
+index de335526..a835534d 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -29,6 +29,10 @@
#include MBEDTLS_CONFIG_FILE
#endif
-
+
+#if defined(MBEDTLS_HAVE_WINSOCK2)
+#include <winsock2.h>
+#endif
+
#include "ssl.h"
-
+
#include <stddef.h>
@@ -51,6 +55,19 @@
#define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
#define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
-
+
+/**
+ * Socket types and invalid values differ between platforms.
+ */
+ mbedtls_socket fd; /**< The underlying file descriptor */
}
mbedtls_net_context;
-
+
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
-index ba499d2..5e37add 100644
+index 495e02cb..f12a5419 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -358,7 +358,8 @@ union mbedtls_ssl_premaster_secret
+ size_t server_oid_len; /*!< length of server OID */
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
+
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
@@ -1615,6 +1622,47 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
+ const char *server_oid, size_t server_oid_len );
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index deaaa375..4f10540c 100644
@@ -158,6 +158,8 @@ extern "C" {
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /**< TLS 1.2 */
-
+
+#define MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 0xFF00 /**< TLS 1.2 */
+
#define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 0xC033 /**< Not in SSL3! */
MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+ MBEDTLS_KEY_EXCHANGE_ECDH_ANON,
} mbedtls_key_exchange_type_t;
-
+
/* Key exchanges using a certificate */
@@ -271,7 +274,8 @@ typedef enum {
/* Key exchanges using a ECDHE */
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
#endif
-
+
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
-index 668c0f5..3c33fad 100644
+index 668c0f56..3c33fadf 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -165,8 +165,8 @@ struct mbedtls_ssl_handshake_params
+ const char *server_oid, size_t server_oid_len,
uint32_t *flags );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
+
@@ -493,6 +495,15 @@ static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t
return( diff );
}
-
+
+/* SSL message type validation */
+static inline int mbedtls_ssl_message_type_valid(int message_type)
+{
}
#endif
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
-index 54dac166..21f11a4f 100644
+index f219bf12..c94de9d0 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -310,7 +310,7 @@ int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid,
@@ -46,6 +46,31 @@ extern "C" {
* \{
*/
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+typedef enum
+{
+#else
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+#endif
-
+
int ext_types; /**< Bit string containing detected and parsed extensions */
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@@ -593,6 +622,21 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
unsigned char ns_cert_type );
-
+
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+/**
* \brief Free the contents of a CRT write context
*
diff --git a/library/asn1write.c b/library/asn1write.c
-index 69b61b2..3fe98e6 100644
+index 69b61b20..3fe98e6c 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -232,6 +232,9 @@ int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
int ret;
size_t len = 0;
-
+
+ if (val > UCHAR_MAX)
+ return( MBEDTLS_ERR_ASN1_INVALID_DATA );
+
// should be 0 for positive numbers and 1 for negative numbers.
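Review bot: The new range check in mbedtls_asn1_write_int rejects only `val > UCHAR_MAX`, so a negative `val` below the one-octet range still reaches the `(unsigned char)val` cast in the next hunk and is silently written as a different INTEGER. Bounding both sides, `if( val < SCHAR_MIN || val > UCHAR_MAX )`, makes the single-octet limit explicit. `UCHAR_MAX` comes from `<limits.h>`, and no include for it is visible in this file section, so confirm the file already pulls it in. The function body starts and ends outside the hunk.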
@@ -240,7 +243,7 @@ int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
-
+
len += 1;
- *--(*p) = val;
+ *--(*p) = (unsigned char)val;
-
+
if( val > 0 && **p & 0x80 )
{
diff --git a/library/bignum.c b/library/bignum.c
-index 4c99e04..ffca597 100644
+index 8b9082cd..cd976de3 100644
--- a/library/bignum.c
+++ b/library/bignum.c
-@@ -1237,9 +1237,9 @@ static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
+@@ -1242,9 +1242,9 @@ static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
*/
if( 0 == d || u1 >= d )
{
- if (r != NULL) *r = ~0;
+ if (r != NULL) *r = (mbedtls_mpi_uint) ~0;
-
+
- return ( ~0 );
+ return ( (mbedtls_mpi_uint) ~0 );
}
-
+
#if defined(MBEDTLS_HAVE_UDBL)
-@@ -1365,7 +1365,7 @@ int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, c
+@@ -1370,7 +1370,7 @@ int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, c
for( i = n; i > t ; i-- )
{
if( X.p[i] >= Y.p[t] )
#define TEST_CA_CRT_EC
#endif /* MBEDTLS_ECDSA_C */
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
-index 386f8ad..f10152a 100644
+index 55612c7f..574f04fb 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -178,7 +178,7 @@ static int block_cipher_df( unsigned char *output,
buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
-
+
for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
- key[i] = i;
+ key[i] = (unsigned char)i;
-
+
mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
-
+
diff --git a/library/ecp.c b/library/ecp.c
-index f51f225..9ae3838 100644
+index f51f2251..9ae38388 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -483,7 +483,7 @@ int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_
if( buflen < *olen )
return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
-
+
- buf[0] = 0x02 + mbedtls_mpi_get_bit( &P->Y, 0 );
+ buf[0] = 0x02 + (unsigned char)mbedtls_mpi_get_bit( &P->Y, 0 );
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
}
-
+
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index a116e605..c022caf2 100644
--- a/library/entropy_poll.c
#include <windows.h>
-#include <wincrypt.h>
+#include <bcrypt.h>
-
+
int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len,
size_t *olen )
{
- HCRYPTPROV provider;
((void) data);
*olen = 0;
-
+
- if( CryptAcquireContext( &provider, NULL, NULL,
- PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) == FALSE )
+ /*
{
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
}
-
+
- if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
+ if ( !BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, (ULONG) len, BCRYPT_USE_SYSTEM_PREFERRED_RNG)) )
{
- CryptReleaseContext( provider, 0 );
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
}
-
+
- CryptReleaseContext( provider, 0 );
*olen = len;
-
+
return( 0 );
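Review bot: `(ULONG) len` in the new `BCryptGenRandom` call narrows a `size_t` without a range check, while `*olen = len` afterwards reports the full length. On a 64-bit build a request above `ULONG_MAX` would therefore report success with only part of `output` filled with random bytes. A guard before the call closes this: `if( len > ULONG_MAX ) return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );`. It would match the `SizeTToInt` checks this patch adds in x509_crt.c. The removed `CryptGenRandom` call had the same `(DWORD)` narrowing, so the gap is carried over rather than newly introduced.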
diff --git a/library/md.c b/library/md.c
-index eda98f6..c2b5d52 100644
+index eda98f63..c2b5d52a 100644
--- a/library/md.c
+++ b/library/md.c
@@ -449,7 +449,8 @@ unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info )
if( md_info == NULL )
return( 0 );
-
+
- return md_info->size;
+ /* NOTE: function should be updated if the value of "size" may exceed 255. */
+ return (unsigned char)md_info->size;
}
-
+
mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info )
diff --git a/library/net_sockets.c b/library/net_sockets.c
-index cc06cbf..a50d212 100644
+index 80be6ec6..2e43a795 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -127,7 +127,7 @@ static int net_prepare( void )
- ctx->fd = -1;
+ ctx->fd = MBEDTLS_INVALID_SOCKET;
}
-
+
/*
-@@ -154,8 +154,7 @@ int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char
+@@ -155,8 +155,7 @@ int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
for( cur = addr_list; cur != NULL; cur = cur->ai_next )
{
if( ctx->fd < 0 )
{
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
-@@ -296,7 +295,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+@@ -297,7 +296,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
mbedtls_net_context *client_ctx,
void *client_ip, size_t buf_size, size_t *ip_len )
{
- int ret;
+ mbedtls_socket ret;
int type;
-
+
struct sockaddr_storage client_addr;
-@@ -321,7 +320,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+@@ -322,7 +321,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
if( type == SOCK_STREAM )
{
/* TCP: actual accept() */
- ret = client_ctx->fd = (int) accept( bind_ctx->fd,
+ ret = client_ctx->fd = accept( bind_ctx->fd,
- (struct sockaddr *) &client_addr, &n );
+ (struct sockaddr *) &client_addr, &n );
}
else
-@@ -329,8 +328,8 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+@@ -330,8 +329,8 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
/* UDP: wait for a message, but keep it in the queue */
char buf[1] = { 0 };
-
+
- ret = (int) recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
- (struct sockaddr *) &client_addr, &n );
+ ret = recvfrom( bind_ctx->fd, buf, sizeof( buf ),
+ MSG_PEEK, (struct sockaddr *) &client_addr, &n );
-
+
#if defined(_WIN32)
if( ret == SOCKET_ERROR &&
-@@ -342,7 +341,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+@@ -343,7 +342,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
#endif
}
-
+
- if( ret < 0 )
+ if( ret == MBEDTLS_INVALID_SOCKET )
{
if( net_would_block( bind_ctx ) != 0 )
return( MBEDTLS_ERR_SSL_WANT_READ );
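Review bot: `ret` is now an `mbedtls_socket`, but in the UDP branch it still receives the result of `recvfrom()`, which is a byte count or an error indicator rather than a socket, and the new `ret == MBEDTLS_INVALID_SOCKET` test decides failure for both branches. That is only correct where the error value of `recvfrom()` happens to convert to the invalid-socket sentinel; the typedef and the sentinel are defined outside this hunk, so this should be confirmed per platform. Keeping a separate `int` for the `recvfrom()` result and testing it with `< 0` would remove the dependency, leaving the `MBEDTLS_INVALID_SOCKET` comparison for the `accept()` result only. mbedtls_net_accept starts and ends outside the hunk.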
-@@ -361,13 +360,14 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+@@ -362,13 +361,14 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
-
+
client_ctx->fd = bind_ctx->fd;
- bind_ctx->fd = -1; /* In case we exit early */
+
+ bind_ctx->fd = MBEDTLS_INVALID_SOCKET; /* In case we exit early */
-
+
n = sizeof( struct sockaddr_storage );
if( getsockname( client_ctx->fd,
(struct sockaddr *) &local_addr, &n ) != 0 ||
setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
(const char *) &one, sizeof( one ) ) != 0 )
{
-@@ -458,7 +458,7 @@ void mbedtls_net_usleep( unsigned long usec )
+@@ -459,7 +459,7 @@ void mbedtls_net_usleep( unsigned long usec )
int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
{
int ret;
- int fd = ((mbedtls_net_context *) ctx)->fd;
+ mbedtls_socket fd = ((mbedtls_net_context *) ctx)->fd;
-
+
if( fd < 0 )
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
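Review bot: The guard `if( fd < 0 )` left as context after the new `mbedtls_socket fd` declaration can no longer detect an invalid descriptor if `mbedtls_socket` is an unsigned type such as Winsock's `SOCKET`; the comparison is then always false and an unopened context is passed on to the socket calls. The typedef is not visible here, so this is inferred from the `MBEDTLS_HAVE_WINSOCK2` include added in net_sockets.h. The same pattern remains in the mbedtls_net_recv_timeout and mbedtls_net_send hunks and in the `ctx->fd < 0` context line of mbedtls_net_connect. Other hunks in this file already compare against the sentinel, so these should read `if( fd == MBEDTLS_INVALID_SOCKET )`.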
-@@ -497,7 +497,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+@@ -498,7 +498,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
int ret;
struct timeval tv;
fd_set read_fds;
- int fd = ((mbedtls_net_context *) ctx)->fd;
+ mbedtls_socket fd = ((mbedtls_net_context *) ctx)->fd;
-
+
if( fd < 0 )
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
-@@ -508,7 +508,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+@@ -509,7 +509,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
tv.tv_sec = timeout / 1000;
tv.tv_usec = ( timeout % 1000 ) * 1000;
-
+
- ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
+ ret = select( (int)fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
-
+
/* Zero fds ready means we timed out */
if( ret == 0 )
-@@ -538,7 +538,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+@@ -539,7 +539,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
{
int ret;
- int fd = ((mbedtls_net_context *) ctx)->fd;
+ mbedtls_socket fd = ((mbedtls_net_context *) ctx)->fd;
-
+
if( fd < 0 )
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
-@@ -573,13 +573,13 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
+@@ -574,13 +574,13 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
*/
void mbedtls_net_free( mbedtls_net_context *ctx )
{
- if( ctx->fd == -1 )
+ if( ctx->fd == MBEDTLS_INVALID_SOCKET )
return;
-
+
shutdown( ctx->fd, 2 );
close( ctx->fd );
-
+
- ctx->fd = -1;
+ ctx->fd = MBEDTLS_INVALID_SOCKET;
}
-
+
#endif /* MBEDTLS_NET_C */
diff --git a/library/pkcs5.c b/library/pkcs5.c
-index e28d5a8..7405fc3 100644
+index e28d5a84..7405fc3f 100644
--- a/library/pkcs5.c
+++ b/library/pkcs5.c
@@ -219,12 +219,13 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *p
+ size_t j;
unsigned char *out_p = output;
unsigned char counter[4];
-
+
diff --git a/library/rsa.c b/library/rsa.c
-index 40ef2a9..29d7a5b 100644
+index 40ef2a94..29d7a5b3 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1083,6 +1083,9 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
+ *p++ = (unsigned char)hashlen;
memcpy( p, hash, hashlen );
}
-
+
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index a762bf7c..021ab509 100644
--- a/library/ssl_ciphersuites.c
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
+ MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256,
-
+
/* All CAMELLIA-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
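Review bot: `MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256` is added to what looks like the default ciphersuite preference list (the array header is outside the hunk), so a build with `MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED` would offer or accept an unauthenticated key exchange without the application asking for it. Anonymous ECDH gives no protection against an active man-in-the-middle. It is safer to leave the suite out of the default list and require callers to select it explicitly through `mbedtls_ssl_conf_ciphersuites()`. The `0xFF00` definition in ssl_ciphersuites.h would also benefit from a comment such as `/* private-use code point; anonymous ECDH, no peer authentication */`.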
@@ -407,6 +408,22 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-
+
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
+#if defined(MBEDTLS_AES_C)
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ANON:
return( 1 );
-
+
default:
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
-index 223823b..2a148d5 100644
+index 223823b3..2a148d53 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -433,7 +433,14 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
-
+
*olen = 0;
-
+
- if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
+ if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "max fragment length too large" ) );
return;
}
-
+
@@ -451,7 +458,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
*p++ = 0x00;
*p++ = 1;
-
+
- *p++ = ssl->conf->mfl_code;
+ *p++ = (unsigned char)ssl->conf->mfl_code;
-
+
*olen = 5;
}
@@ -907,7 +914,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
-
+
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED*/
-
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
unsigned char **p,
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
+ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ }
-
+
/*
- * PSK parameters:
- *
+
+ n = ( (*p)[0] << 8 ) | (*p)[1];
*p += 2;
-
+
- if( (*p) + len > end )
+ if (n == 0)
{
- return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+ return ( 0 );
}
-
+
- /*
- * Note: we currently ignore the PKS identity hint, as we only allow one
- * PSK to be provisionned on the client. This could be changed later if
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+ }
-
+
- return( ret );
+ if( ssl->conf->f_psk != NULL )
+ {
+ return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
-
+
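Review bot: The added failure path in ssl_parse_server_psk_hint logs "bad server key exchange message" but returns `MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE`, whereas the removed length check in the same hunk returned `MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE`. The function parses the server's message on the client, so the return should be `return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );`. The new `n = ( (*p)[0] << 8 ) | (*p)[1];` read also needs a check before it that two bytes remain before `end`, and a check after it that `n` does not exceed `end - *p`. Only part of the function is visible here, so confirm both checks are present around these lines.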
@@ -2299,10 +2349,12 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+#endif
+ mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+ mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
-
+
/*
* Handle the digitally-signed structure
@@ -2384,6 +2439,13 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
-
+
+// Anonymous cipher suite without sign, ecdh param only
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
+ if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
ssl->state++;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
-index fc0d2d7..ec98774 100644
+index fc0d2d7b..ec987743 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -224,8 +224,8 @@ static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
return( 0 );
-
+
have_sig_alg:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
- ssl->handshake->sig_alg ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %u",
+ (unsigned int)ssl->handshake->sig_alg ) );
-
+
return( 0 );
}
@@ -648,7 +648,15 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
-index 84a04ae..f215653 100644
+index d9ab8329..eff6e1d5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1360,8 +1360,14 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
-
+
+ if ( !mbedtls_ssl_message_type_valid(ssl->out_msgtype) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@@ -1630,6 +1636,12 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
size_t explicit_iv_len = ssl->transform_in->ivlen -
ssl->transform_in->fixed_ivlen;
-
+
+ if ( !mbedtls_ssl_message_type_valid(ssl->in_msgtype) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
@@ -1644,7 +1656,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
ssl->in_msglen = dec_msglen;
-
+
memcpy( add_data, ssl->in_ctr, 8 );
- add_data[8] = ssl->in_msgtype;
+ add_data[8] = (unsigned char)ssl->in_msgtype;
@@ -2473,6 +2485,12 @@ static int ssl_flight_append( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_flight_item *msg;
-
+
+ if ( !mbedtls_ssl_message_type_valid(ssl->out_msgtype) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- msg->type = ssl->out_msgtype;
+ msg->type = (unsigned char)ssl->out_msgtype;
msg->next = NULL;
-
+
/* Append to the current flight */
@@ -4066,7 +4084,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
@@ -5759,6 +5788,28 @@ int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
}
-
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+int mbedtls_ssl_conf_ekus( mbedtls_ssl_config *conf,
+ const char *client_oid, size_t client_oid_len,
void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl )
-@@ -6032,14 +6083,14 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
-
+@@ -6033,14 +6084,14 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
+
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
{
- conf->max_major_ver = major;
+ conf->max_major_ver = (unsigned char)major;
+ conf->max_minor_ver = (unsigned char)minor;
}
-
+
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
{
- conf->min_major_ver = major;
+ conf->min_major_ver = (unsigned char)major;
+ conf->min_minor_ver = (unsigned char)minor;
}
-
+
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
-@@ -7246,6 +7297,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
+@@ -7255,6 +7306,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
}
#endif
-
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+ conf->client_oid = MBEDTLS_OID_CLIENT_AUTH;
+ conf->client_oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
/*
* Preset-specific defaults
*/
-@@ -7493,6 +7551,8 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
+@@ -7502,6 +7560,8 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
int cert_endpoint,
uint32_t *flags )
{
int ret = 0;
-@@ -7509,6 +7569,10 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+@@ -7518,6 +7578,10 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
((void) cert);
((void) cert_endpoint);
((void) flags);
+ ((void) server_oid);
+ ((void) server_oid_len);
#endif
-
+
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
-@@ -7539,6 +7603,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+@@ -7548,6 +7612,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
usage = 0;
}
}
-@@ -7560,13 +7625,13 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+@@ -7569,13 +7634,13 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
{
+ ext_oid = client_oid;
+ ext_len = client_oid_len;
}
-
+
if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
diff --git a/library/version_features.c b/library/version_features.c
index e866e67a..7798b27a 100644
"MBEDTLS_ZLIB_SUPPORT",
#endif /* MBEDTLS_ZLIB_SUPPORT */
diff --git a/library/x509.c b/library/x509.c
-index fad390d8..0bc5367e 100644
+index e4387707..e9df5c71 100644
--- a/library/x509.c
+++ b/library/x509.c
-@@ -1005,6 +1005,10 @@ int mbedtls_x509_self_test( int verbose )
+@@ -1040,6 +1040,10 @@ int mbedtls_x509_self_test( int verbose )
uint32_t flags;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
+ mbedtls_x509_crt directorynamecert;
+ char buf[2048];
+#endif
-
+
if( verbose != 0 )
mbedtls_printf( " X.509 certificate load: " );
-@@ -1045,11 +1049,45 @@ int mbedtls_x509_self_test( int verbose )
+@@ -1080,11 +1084,45 @@ int mbedtls_x509_self_test( int verbose )
return( ret );
}
-
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ if( verbose != 0 )
+ mbedtls_printf( "passed\n X.509 subject alt name verify: " );
if( verbose != 0 )
- mbedtls_printf( "passed\n\n");
+ mbedtls_printf( "passed\n\n" );
-
+
mbedtls_x509_crt_free( &cacert );
mbedtls_x509_crt_free( &clicert );
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ mbedtls_x509_crt_free( &directorynamecert );
+#endif
-
+
return( 0 );
#else
diff --git a/library/x509_create.c b/library/x509_create.c
-index df20ec8..fa4a480 100644
+index df20ec8e..fa4a4805 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -174,7 +174,7 @@ int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid,
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
}
-
+
- cur->val.p[0] = critical;
+ cur->val.p[0] = critical == 0 ? 0 : 1;
memcpy( cur->val.p + 1, val, val_len );
-
+
return( 0 );
@@ -231,15 +231,15 @@ static int x509_write_name( unsigned char **p, unsigned char *start,
}
-
+
int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
- mbedtls_asn1_named_data *first )
+ const mbedtls_asn1_named_data *first )
size_t len = 0;
- mbedtls_asn1_named_data *cur = first;
+ const mbedtls_asn1_named_data *cur = first;
-
+
while( cur != NULL )
{
- MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, (char *) cur->oid.p,
cur->val.p, cur->val.len ) );
cur = cur->next;
diff --git a/library/x509_crl.c b/library/x509_crl.c
-index 7b2b473..b08baee 100644
+index 76c49f13..67efec03 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -491,7 +491,7 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
+ size_t use_len = 0U;
mbedtls_pem_context pem;
int is_pem = 0;
-
+
diff --git a/library/x509_crt.c b/library/x509_crt.c
-index 60e14f90..037efae8 100644
+index 234f1456..0d3f0eac 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -62,6 +62,7 @@
-
+
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
#include <windows.h>
+#include <intsafe.h>
+ mbedtls_asn1_buf *buf;
mbedtls_asn1_sequence *cur = subject_alt_name;
+#endif
-
+
/* Get main sequence tag */
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
@@ -474,6 +489,49 @@ static int x509_get_subject_alt_name( unsigned char **p,
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+ memset( &general_name, 0, sizeof( general_name ) );
+ switch ( tag )
*p += buf->len;
+#endif
}
-
+
/* Set final sequence entry's next pointer to NULL */
@@ -1108,6 +1167,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
char filename[MAX_PATH];
char *p;
size_t len = strlen( path );
+ int lengthAsInt = 0;
-
+
WIN32_FIND_DATAW file_data;
HANDLE hFind;
@@ -1122,7 +1182,10 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
p = filename + len;
filename[len++] = '*';
-
-- w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir,
+
+- w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir,
+ if ( FAILED ( SizeTToInt( len, &lengthAsInt ) ) )
+ return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
@@ -1139,8 +1202,11 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
continue;
-
+
+ if ( FAILED( SizeTToInt( wcslen( file_data.cFileName ), &lengthAsInt ) ) )
+ return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
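Review bot: The new `return( MBEDTLS_ERR_X509_FILE_IO_ERROR );` after the `SizeTToInt( wcslen( file_data.cFileName ), &lengthAsInt )` check sits inside the directory enumeration loop, so it appears to leave the `hFind` search handle open on that path. Calling `FindClose( hFind );` before the return would release it; setting `ret` and jumping to shared cleanup would do the same if this branch of the function has one. Only part of mbedtls_x509_crt_parse_path is visible in the hunk, so confirm where `hFind` is closed on the other exits.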
@@ -1219,6 +1285,98 @@ cleanup:
}
#endif /* MBEDTLS_FS_IO */
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+static const char x509_directory_name_label[] = "directoryName=(";
+static const char x509_directory_name_epilogue[] = ")";
const mbedtls_x509_sequence *subject_alt_name )
{
@@ -1256,6 +1414,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size,
-
+
return( 0 );
}
+#endif
-
+
#define PRINT_ITEM(i) \
{ \
-@@ -2188,7 +2347,11 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+@@ -2197,7 +2356,11 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
int pathlen = 0, selfsigned = 0;
mbedtls_x509_crt *parent;
mbedtls_x509_name *name;
mbedtls_x509_sequence *cur = NULL;
+#endif
mbedtls_pk_type_t pk_type;
-
+
if( profile == NULL )
-@@ -2207,6 +2370,22 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
-
+@@ -2216,6 +2379,22 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+
while( cur != NULL )
{
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
if( cur->buf.len == cn_len &&
x509_memcasecmp( cn, cur->buf.p, cn_len ) == 0 )
break;
-@@ -2217,6 +2396,7 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+@@ -2226,6 +2405,7 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
{
break;
}
+#endif
-
+
cur = cur->next;
}
-@@ -2318,6 +2498,10 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
+@@ -2327,6 +2507,10 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
mbedtls_x509_crt *cert_prv;
mbedtls_x509_name *name_cur;
mbedtls_x509_name *name_prv;
+#endif
mbedtls_x509_sequence *seq_cur;
mbedtls_x509_sequence *seq_prv;
-
-@@ -2359,6 +2543,38 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
+
+@@ -2368,6 +2552,38 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
mbedtls_free( seq_prv );
}
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+ if ( cert_cur->subject_alt_names.general_name.name_type == MBEDTLS_X509_GENERALNAME_DIRECTORYNAME )
+ {
seq_cur = cert_cur->subject_alt_names.next;
while( seq_cur != NULL )
{
-@@ -2367,6 +2583,7 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
+@@ -2376,6 +2592,7 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) );
mbedtls_free( seq_prv );
}
+#endif
-
+
if( cert_cur->raw.p != NULL )
{
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
@@ -263,6 +263,63 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
return( 0 );
}
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+static int x509write_crt_set_subject_alt_name( unsigned char **c, unsigned char *buf,
+ const mbedtls_x509_general_name *name )
#include "mbedtls/debug.h"
#include "mbedtls/timing.h"
+#include "mbedtls/oid.h"
-
+
#include <stdio.h>
#include <stdlib.h>
@@ -103,6 +104,8 @@ int main( void )
#define DFL_ETM -1
+#define DFL_EKU_CLIENT ""
+#define DFL_EKU_SERVER ""
-
+
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
#define GET_REQUEST_END "\r\n\r\n"
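Review bot: The new defaults `DFL_EKU_CLIENT ""` and `DFL_EKU_SERVER ""` have no comment saying what an empty value means, while the usage text added further down advertises `default: client-server`. From the visible initialisation (`MBEDTLS_OID_SIZE( DFL_EKU_CLIENT )`, which is 0 for an empty literal) and the later `opt.eku_cli_len > 0 && opt.eku_srv_len > 0` guard, empty appears to mean that no override is configured. I would state that at the definition, e.g. `/* empty: no EKU override; the library's built-in usage check is kept */`. The same pair is added to programs/ssl/ssl_server2.c in the hunk at -141,6 +142,8.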
@@ -222,6 +225,14 @@ int main( void )
#define USAGE_ECJPAKE ""
#endif
-
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+#define USAGE_EKU \
+ " eku=%%s-%%s default: client-server\n" \
+ const char *eku_srv; /* EKU to check for in server cert */
+ size_t eku_srv_len; /* length of eku_srv */
} opt;
-
+
static void my_debug( void *ctx, int level,
@@ -507,6 +523,10 @@ int main( int argc, char *argv[] )
opt.fallback = DFL_FALLBACK;
+ opt.eku_cli_len = MBEDTLS_OID_SIZE( DFL_EKU_CLIENT );
+ opt.eku_srv = DFL_EKU_SERVER;
+ opt.eku_srv_len = MBEDTLS_OID_SIZE( DFL_EKU_SERVER );
-
+
for( i = 1; i < argc; i++ )
{
@@ -797,6 +817,47 @@ int main( int argc, char *argv[] )
@@ -1088,6 +1149,19 @@ int main( int argc, char *argv[] )
goto exit;
}
-
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+ if ( opt.eku_cli_len > 0 && opt.eku_srv_len > 0 )
+ {
if( opt.debug_level > 0 )
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
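Review bot: The guard `if ( opt.eku_cli_len > 0 && opt.eku_srv_len > 0 )` skips the override silently when only one of the two lengths is non-zero, so a handshake could be judged against the default usage check while the operator believes the requested EKU was applied. The `eku=` parsing sits in an earlier hunk whose body is not visible here, so this case may already be excluded there. If it is not, reject the partial value at parse time, or at least record the contract here with `/* both EKUs must be set, otherwise no override is installed */`. The body of this `if` continues outside the visible lines, and the same guard appears in the ssl_server2.c hunk at -1631,6 +1692,20.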
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
-index 18bda599..e65576b0 100644
+index 96bd35f6..018d1492 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -59,6 +59,7 @@ int main( void )
#include "mbedtls/debug.h"
#include "mbedtls/timing.h"
+#include "mbedtls/oid.h"
-
+
#include <stdio.h>
#include <stdlib.h>
-@@ -136,6 +137,8 @@ int main( void )
+@@ -141,6 +142,8 @@ int main( void )
#define DFL_BADMAC_LIMIT -1
#define DFL_EXTENDED_MS -1
#define DFL_ETM -1
+#define DFL_EKU_CLIENT ""
+#define DFL_EKU_SERVER ""
-
+
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
-@@ -304,6 +307,14 @@ int main( void )
+@@ -309,6 +312,14 @@ int main( void )
#define USAGE_ECJPAKE ""
#endif
-
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+#define USAGE_EKU \
+ " eku=%%s-%%s default: client-server\n" \
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
-@@ -338,6 +349,7 @@ int main( void )
+@@ -343,6 +354,7 @@ int main( void )
USAGE_ALPN \
USAGE_EMS \
USAGE_ETM \
"\n" \
" arc4=%%d default: (library default: 0)\n" \
" min_version=%%s default: (library default: tls1)\n" \
-@@ -400,6 +412,10 @@ struct options
+@@ -418,6 +430,10 @@ struct options
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
uint32_t hs_to_max; /* Max value of DTLS handshake timer */
int badmac_limit; /* Limit of records with bad MAC */
+ const char *eku_srv; /* EKU to check for in server cert */
+ size_t eku_srv_len; /* length of eku_srv */
} opt;
-
+
static void my_debug( void *ctx, int level,
-@@ -943,6 +959,10 @@ int main( int argc, char *argv[] )
+@@ -961,6 +977,10 @@ int main( int argc, char *argv[] )
opt.badmac_limit = DFL_BADMAC_LIMIT;
opt.extended_ms = DFL_EXTENDED_MS;
opt.etm = DFL_ETM;
+ opt.eku_cli_len = MBEDTLS_OID_SIZE( DFL_EKU_CLIENT );
+ opt.eku_srv = DFL_EKU_SERVER;
+ opt.eku_srv_len = MBEDTLS_OID_SIZE( DFL_EKU_SERVER );
-
+
for( i = 1; i < argc; i++ )
{
-@@ -1232,6 +1252,47 @@ int main( int argc, char *argv[] )
+@@ -1255,6 +1275,47 @@ int main( int argc, char *argv[] )
{
opt.sni = q;
}
else
goto usage;
}
-@@ -1608,6 +1669,20 @@ int main( int argc, char *argv[] )
+@@ -1631,6 +1692,20 @@ int main( int argc, char *argv[] )
goto exit;
}
-
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+ if ( opt.eku_cli_len > 0 && opt.eku_srv_len > 0 )
+ {
+
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
-
+
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 66e5f1da..1405e711 100644
--- a/programs/x509/cert_write.c
@@ -66,6 +66,16 @@ int main( void )
#define USAGE_CSR ""
#endif /* MBEDTLS_X509_CSR_PARSE_C */
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+#define USAGE_SUBJ_ALT_NAME \
+ " subj_alt_name=%%s default: (empty)\n" \
" object_signing_ca\n" \
+ USAGE_SUBJ_ALT_NAME \
"\n"
-
+
/*
@@ -151,6 +162,9 @@ struct options
int max_pathlen; /* maximum CA path length */
+ mbedtls_x509_general_names subj_alt_names; /* Subject alternative names */
+#endif
} opt;
-
+
int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
@@ -182,6 +196,58 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
return( 0 );
}
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+static int add_subj_alt_name( mbedtls_x509_general_names **cur, const mbedtls_x509_general_name *add )
+{
+ mbedtls_x509_general_names *name_cur = &opt.subj_alt_names;
+ mbedtls_x509_general_name name_tmp;
+#endif
-
+
/*
* Set to sane values
@@ -243,6 +313,9 @@ int main( int argc, char *argv[] )
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+ memset( &opt.subj_alt_names, 0, sizeof( opt.subj_alt_names ) );
+#endif
-
+
for( i = 1; i < argc; i++ )
{
@@ -358,6 +431,86 @@ int main( int argc, char *argv[] )
@@ -632,6 +785,24 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
}
-
+
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+ if ( opt.subj_alt_names.general_name.name_type )
+ {
*/
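Review bot: The test `if ( opt.subj_alt_names.general_name.name_type )` uses a zero `name_type` as the marker for "no subj_alt_name given", relying on the `memset` of `opt.subj_alt_names` added earlier in `main`. In RFC 5280 the GeneralName choice otherName has tag [0], so if the `MBEDTLS_X509_GENERALNAME_*` constants follow the tag numbers (their values are not visible here), a first entry of that type would be dropped from the certificate without any message. A separate presence flag in `struct options` would avoid overloading the type field. Failing that, add a comment such as `/* name_type 0 doubles as "unset"; otherName cannot be the first entry */`. The body of this `if` is outside the visible lines.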
@@ -649,6 +820,9 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
-
+
exit:
+#if defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
+ subj_alt_names_free( &opt.subj_alt_names );
+G9lDDpiediVxGO0=
+-----END CERTIFICATE-----
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
-index 57155b89..7e754bba 100755
+index 41fbc3d2..1f5614ed 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
-@@ -2526,6 +2526,16 @@ run_test "extKeyUsage cli: codeSign -> fail" \
+@@ -2539,6 +2539,16 @@ run_test "extKeyUsage cli: codeSign -> fail" \
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-"
-
+
+run_test "extKeyUsage cli: codeSign(requested) -> OK " \
+ "$O_SRV -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+
+
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
-
+
run_test "extKeyUsage cli-auth: clientAuth -> OK" \
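Review bot: Both new cases, `extKeyUsage cli: codeSign(requested) -> OK ` here and `extKeyUsage cli-auth: codeSign(requested) -> OK` in the hunk at -2581,6 +2591,14, exercise only the accepting path of the new `eku=` option. A matching negative case is needed to show that the option replaces the expected usage rather than switching the check off: with `eku=codesign-server`, a peer certificate that lacks codeSigning should still fail with `bad certificate (usage extensions)`. The first test name also ends in a stray space before the closing quote, unlike its neighbours. The run_test argument lists are only partly visible, so this is based on the names and arguments shown.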
-@@ -2568,6 +2578,14 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
+@@ -2581,6 +2591,14 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed"
-
+
+run_test "extKeyUsage cli-auth: codeSign(requested) -> OK" \
+ "$P_SRV debug_level=1 auth_mode=required eku=codesign-server" \
+ "$O_CLI -key data_files/server5.key \
+ -S "Processing of the Certificate handshake message failed"
+
# Tests for DHM parameters loading
-
+
run_test "DHM parameters: reference" \
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
-index c8298231..30fff786 100644
+index 11605aba..4563982d 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -122,6 +122,22 @@ X509 certificate v1 with extension
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C
x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \: identity-check.org, www.identity-check.org\n"
-
+
+X509 Certificate information EC directoryName subjectAltName
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT
+x509_cert_info:"data_files/server11-directoryname.crt":"cert. version \: 3\nserial number \: 91\:6B\:E0\:62\:31\:5E\:59\:5D\nissuer name \: CN=TestCert\nsubject name \: CN=TestCert\nissued on \: 2016-12-13 23\:04\:37\nexpires on \: 2030-08-22 23\:04\:37\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \: directoryName=(OU=Name Assigner, CN=My Role)\n"
@@ -58,6 +58,18 @@ Certificate write check Server1 SHA1, version 1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt"
-
+
+Certificate write check Server1 SHA256 with dNSName
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C:MBEDTLS_SHA256_C:MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT
+x509_crt_subj_alt_name_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA256:0:0:-1:1:"data_files/server1-dnsname.crt"
+
X509 String to Names #1
mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
-
+
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 89be31f9..184ac2ce 100644
--- a/tests/suites/test_suite_x509write.function
@@ -157,6 +157,131 @@ exit:
}
/* END_CASE */
-
+
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_SHA1_C:MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT */
+void x509_crt_subj_alt_name_check( char *subject_key_file, char *subject_pwd,
+ char *subject_name, char *issuer_key_file,
/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */
void mbedtls_x509_string_to_names( char *name, char *parsed_name, int result )
{
+--
+2.12.2.gvfs.2.14.gfbee0b9
+