TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 11:11:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream-public/development' into no-generated-files-3.0

Browse Source 
Conflicts: generated files that are removed in this branch and have
changed in development. Resolved by keeping the files removed.
This commit is contained in:
Gilles Peskine
2021-05-19 14:38:52 +02:00
parent 502d889de7 2213871654
commit fd6f65fc46
17 changed files with 54 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog.d/issue4361.txt Normal file
View File

@@ -0,0 +1,3 @@
Removals
* Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
previous action. Fixes #4361.

3
ChangeLog.d/make-generate-tests-python.txt Normal file
View File

@@ -0,0 +1,3 @@
Changes
* When building the test suites with GNU make, invoke python3 or python, not
python2, which is no longer supported upstream.

2
ChangeLog.d/psa_sign_message.txt Normal file
View File

@@ -0,0 +1,2 @@
Features
* Implement psa_sign_message() and psa_verify_message().

6
ChangeLog.d/sha512-output-type.txt Normal file
View File

@@ -0,0 +1,6 @@
API changes
* The output parameter of mbedtls_sha512_finish_ret, mbedtls_sha512_ret,
mbedtls_sha256_finish_ret and mbedtls_sha256_ret now has a pointer type
rather than array type. This removes spurious warnings in some compilers
when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
the hash size.

13
docs/3.0-migration-guide.d/remove_ssl_record_checking.md Normal file
View File

@@ -0,0 +1,13 @@
Remove MBEDTLS_SSL_RECORD_CHECKING option and enable its action by default
--------------------------------------------------------------------------
This change does not affect users who use the default config.h, as the
option MBEDTLS_SSL_RECORD_CHECKING was already on by default.
This option was added only to control compilation of one function,
mbedtls_ssl_check_record(), which is only useful in some specific cases, so it
was made optional to allow users who don't need it to save some code space.
However, the same effect can be achieve by using link-time garbage collection.
Users who changed the default setting of the option need to change the config/
build system to remove that change.

8
docs/3.0-migration-guide.d/sha512-output-type.md Normal file
View File

@@ -0,0 +1,8 @@
SHA-512 and SHA-256 output type change
--------------------------
The output parameter of `mbedtls_sha256_finish_ret()`, `mbedtls_sha256_ret()`, `mbedtls_sha512_finish_ret()`, `mbedtls_sha512_ret()` now has a pointer type rather than array type. This makes no difference in terms of C semantics, but removes spurious warnings in some compilers when outputting a SHA-384 hash into a 48-byte buffer or a SHA-224 hash into a 28-byte buffer.
This makes no difference to a vast majority of applications. If your code takes a pointer to one of these functions, you may need to change the type of the pointer.
Alternative implementations of the SHA256 and SHA512 modules must adjust their functions' prototype accordingly.

14
include/mbedtls/config.h
View File

@@ -1467,20 +1467,6 @@
*/
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
/**
* \def MBEDTLS_SSL_RECORD_CHECKING
*
* Enable the function mbedtls_ssl_check_record() which can be used to check
* the validity and authenticity of an incoming record, to verify that it has
* not been seen before. These checks are performed without modifying the
* externally visible state of the SSL context.
*
* See mbedtls_ssl_check_record() for more information.
*
* Uncomment to enable support for record checking.
*/
#define MBEDTLS_SSL_RECORD_CHECKING
/**
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
*

12
include/mbedtls/sha256.h
View File

@@ -127,13 +127,14 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
* \param ctx The SHA-256 context. This must be initialized
* and have a hash operation started.
* \param output The SHA-224 or SHA-256 checksum result.
* This must be a writable buffer of length \c 32 Bytes.
* This must be a writable buffer of length \c 32 bytes
* for SHA-256, \c 28 bytes for SHA-224.
*
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
unsigned char output[32] );
unsigned char *output );
/**
* \brief This function processes a single data block within
@@ -163,14 +164,15 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
* \param input The buffer holding the data. This must be a readable
* buffer of length \p ilen Bytes.
* \param ilen The length of the input data in Bytes.
* \param output The SHA-224 or SHA-256 checksum result. This must
* be a writable buffer of length \c 32 Bytes.
* \param output The SHA-224 or SHA-256 checksum result.
* This must be a writable buffer of length \c 32 bytes
* for SHA-256, \c 28 bytes for SHA-224.
* \param is224 Determines which function to use. This must be
* either \c 0 for SHA-256, or \c 1 for SHA-224.
*/
int mbedtls_sha256_ret( const unsigned char *input,
size_t ilen,
unsigned char output[32],
unsigned char *output,
int is224 );
#if defined(MBEDTLS_SELF_TEST)

10
include/mbedtls/sha512.h
View File

@@ -134,13 +134,14 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
* \param ctx The SHA-512 context. This must be initialized
* and have a hash operation started.
* \param output The SHA-384 or SHA-512 checksum result.
* This must be a writable buffer of length \c 64 Bytes.
* This must be a writable buffer of length \c 64 bytes
* for SHA-512, \c 48 bytes for SHA-384.
*
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
unsigned char output[64] );
unsigned char *output );
/**
* \brief This function processes a single data block within
@@ -171,7 +172,8 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
* a readable buffer of length \p ilen Bytes.
* \param ilen The length of the input data in Bytes.
* \param output The SHA-384 or SHA-512 checksum result.
* This must be a writable buffer of length \c 64 Bytes.
* This must be a writable buffer of length \c 64 bytes
* for SHA-512, \c 48 bytes for SHA-384.
* \param is384 Determines which function to use. This must be either
* \c 0 for SHA-512, or \c 1 for SHA-384.
*
@@ -184,7 +186,7 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
*/
int mbedtls_sha512_ret( const unsigned char *input,
size_t ilen,
unsigned char output[64],
unsigned char *output,
int is384 );
#if defined(MBEDTLS_SELF_TEST)

2
include/mbedtls/ssl.h
View File

@@ -1791,7 +1791,6 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
*/
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
/**
* \brief Check whether a buffer contains a valid and authentic record
* that has not been seen before. (DTLS only).
@@ -1839,7 +1838,6 @@ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t buflen );
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
/**
* \brief Set the timer callbacks (Mandatory for DTLS.)

2
library/padlock.h
View File

@@ -71,7 +71,7 @@ extern "C" {
*
* \param feature The feature to detect
*
* \return 1 if CPU has support for the feature, 0 otherwise
* \return non-zero if CPU has support for the feature, 0 otherwise
*/
int mbedtls_padlock_has_support( int feature );

4
library/sha256.c
View File

@@ -332,7 +332,7 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
* SHA-256 final digest
*/
int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
unsigned char output[32] )
unsigned char *output )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
uint32_t used;
@@ -401,7 +401,7 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
*/
int mbedtls_sha256_ret( const unsigned char *input,
size_t ilen,
unsigned char output[32],
unsigned char *output,
int is224 )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

4
library/sha512.c
View File

@@ -380,7 +380,7 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
* SHA-512 final digest
*/
int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
unsigned char output[64] )
unsigned char *output )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned used;
@@ -453,7 +453,7 @@ int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
*/
int mbedtls_sha512_ret( const unsigned char *input,
size_t ilen,
unsigned char output[64],
unsigned char *output,
int is384 )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2
library/ssl_msg.c
View File

@@ -86,7 +86,6 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
return( 0 );
}
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t len,
@@ -150,7 +149,6 @@ exit:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
return( ret );
}
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
#define SSL_DONT_FORCE_FLUSH 0
#define SSL_FORCE_FLUSH 1

10
library/ssl_tls.c
View File

@@ -2898,8 +2898,6 @@ static void ssl_calc_finished_tls_sha256(
#if defined(MBEDTLS_SHA512_C)
typedef int (*finish_sha384_t)(mbedtls_sha512_context*, unsigned char*);
static void ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from )
{
@@ -2958,13 +2956,7 @@ static void ssl_calc_finished_tls_sha384(
MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
sha512.state, sizeof( sha512.state ) );
#endif
/*
* For SHA-384, we can save 16 bytes by keeping padbuf 48 bytes long.
* However, to avoid stringop-overflow warning in gcc, we have to cast
* mbedtls_sha512_finish_ret().
*/
finish_sha384_t finish = (finish_sha384_t)mbedtls_sha512_finish_ret;
finish( &sha512, padbuf );
mbedtls_sha512_finish_ret( &sha512, padbuf );
mbedtls_sha512_free( &sha512 );
#endif

2
programs/fuzz/Makefile
View File

@@ -20,8 +20,6 @@ endif
DLEXT ?= so
EXEXT=
SHARED_SUFFIX=
# python2 for POSIX since FreeBSD has only python2 as default.
PYTHON ?= python2
ifdef FUZZINGENGINE
LOCAL_LDFLAGS += -lFuzzingEngine

6
programs/ssl/ssl_test_common_source.c
View File

@@ -159,7 +159,6 @@ int dtls_srtp_key_derivation( void *p_expkey,
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
int ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char const *buf, size_t len )
{
@@ -220,7 +219,6 @@ int ssl_check_record( mbedtls_ssl_context const *ssl,
return( 0 );
}
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
int recv_cb( void *ctx, unsigned char *buf, size_t len )
{
@@ -241,10 +239,8 @@ int recv_cb( void *ctx, unsigned char *buf, size_t len )
/* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
return( -1 );
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
}
return( (int) recv_len );
@@ -267,10 +263,8 @@ int recv_timeout_cb( void *ctx, unsigned char *buf, size_t len,
/* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
return( -1 );
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
}
return( (int) recv_len );