Merge mbed-crypto/development into psa-api-1.0-beta #198
Commits on Jun 3, 2019
-
Remove restriction on value of MBEDTLS_SSL_CID_PADDING_GRANULARITY
Hanno Becker committed Jun 3, 2019 (b9ec44f)
-
Add specific SSL error code for unexpected CIDs
Currently, the stack silently ignores DTLS frames with an unexpected CID. However, in a system which performs CID-based demultiplexing before passing datagrams to the Mbed TLS stack, unexpected CIDs are a sign of something not working properly, and users might want to know about it. This commit introduces an SSL error code MBEDTLS_ERR_SSL_UNEXPECTED_CID which the stack can return in response to an unexpected CID. It will conditionally be put to use in subsequent commits.
Hanno Becker committed Jun 3, 2019 (c37c96a)
-
Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len() to allow the configuration of the stack's behaviour when receiving an encrypted DTLS record with unexpected CID.
Hanno Becker committed Jun 3, 2019 (8367ccc)
-
Remove warnings about unfinished CID implementation
The implementation is complete now.
Hanno Becker committed Jun 3, 2019 (5d12467)
-
Modify MBEDTLS_SSL_UNEXPECTED_CID_{FAIL|IGNORE} to ignore by default
Hanno Becker committed Jun 3, 2019 (7fefd83)
-
Fix mbedtls_ssl_conf_cid() to not depend on macro constant values
The previous implementation of mbedtls_ssl_conf_cid() relied on MBEDTLS_SSL_UNEXPECTED_CID_IGNORE being defined as 1.
Hanno Becker committed Jun 3, 2019 (611ac77)
-
Improve wording in documentation of MBEDTLS_SSL_CID
Hanno Becker committed Jun 3, 2019 (56f81c7)
-
Update references to CID draft to version 5
Hanno Becker committed Jun 3, 2019 (4cac442)
-
Improve wording in documentation of mbedtls_ssl_set_cid()
Hanno Becker committed Jun 3, 2019 (d9d4adb)
-
Use uniform spacing in def's of MBEDTLS_SSL_CID_{IN|OUT}_LEN_MAX
Hanno Becker committed Jun 3, 2019 (08cbc0c)
-
Use full sentences in Doxygen documentation of mbedtls_ssl_set_cid()
Hanno Becker committed Jun 3, 2019 (08cd9db)
-
Slightly reword documentation of mbedtls_ssl_set_cid()
Hanno Becker committed Jun 3, 2019 (5cc145d)
-
Improve wording of documentation of mbedtls_ssl_get_peer_cid()
Hanno Becker committed Jun 3, 2019 (fb034e8)
-
Fix typo in documentation of mbedtls_ssl_context::cid_in_use
Hanno Becker committed Jun 3, 2019 (f1a2808)
-
Slightly reorder CID debug messages during creation of transforms
Hanno Becker committed Jun 3, 2019 (d1f2035)
-
Consistently reference CID draft through name + URL
Hanno Becker committed Jun 3, 2019 (ebcc913)
-
Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
Hanno Becker committed Jun 3, 2019 (a0e20d0)
-
Fix typo in Doxygen documentation of mbedtls_ssl_conf_cid()
Hanno Becker committed Jun 3, 2019 (62e5afa)
-
Rename MBEDTLS_SSL_CID->MBEDTLS_SSL_DTLS_CONNECTION_ID in SSL suite
Hanno Becker committed Jun 3, 2019 (8c07bee)
-
Allow passing NULL pointers to mbedtls_ssl_get_peer_cid()
This commit modifies mbedtls_ssl_get_peer_cid() to also allow passing NULL pointers in the arguments for the peer's CID value and length, in case this information is needed. For example, some users might only be interested in whether the use of the CID was negotiated, in which case both CID value and length pointers can be set to NULL. Other users might only be interested in confirming that the use of CID was negotiated and the peer chose the empty CID, in which case the CID value pointer only would be set to NULL. It doesn't make sense to pass a NULL pointer for the CID length but a non-NULL pointer for the CID value, as the caller has no way of telling the length of the returned CID - and this case is therefore forbidden.
Hanno Becker committed Jun 3, 2019 (615ef17)
-
Exemplify ways of calling mbedtls_ssl_get_peer_cid() in ssl_client2
Hanno Becker committed Jun 3, 2019 (6ae14c0)
-
Expand CID to Connection ID in documentation of mbedtls_ssl_conf_cid
Hanno Becker committed Jun 3, 2019 (1125952)
-
Use negative-hex format for error codes in ssl_client2/ssl_server2
Hanno Becker committed Jun 3, 2019 (d5eed42)
-
Remove superfluous newline in ssl_client2
Hanno Becker committed Jun 3, 2019 (1d433a3)
-
Improve readability of ssl_client2/ssl_server2 usage instructions
Hanno Becker committed Jun 3, 2019 (3279822)
-
Remove superfluous new line in ssl_server2
Hanno Becker committed Jun 3, 2019 (3978d10)
-
Disable Connection ID feature by default
Hanno Becker committed Jun 3, 2019 (3739e20)
-
Improve comment in ssl_parse_record_header()
Hanno Becker committed Jun 3, 2019 (8e55b0f)
-
Fix indentation in debug message in ssl_tls.c
Hanno Becker committed Jun 3, 2019 (92d30f5)
-
Add bad_cid option UDP proxy to insert unexpected CID records
This commit adds the command line option 'bad_cid' to the UDP proxy `./programs/test/udp_proxy`. It takes a non-negative integral value N, which if not 0 has the effect of duplicating every 1:N CID records and modifying the CID in the first copy sent. This is to exercise the stack's documented behaviour on receipt of unexpected CIDs. It is important to send the record with the unexpected CID first, because otherwise the packet would be dropped already during replay protection (the same holds for the implementation of the existing 'bad_ad' option).
Hanno Becker committed Jun 3, 2019 (98aaf25)
-
Add debug line witnessing receipt of unexpected CID
Hanno Becker committed Jun 3, 2019 (e8d6afd)
-
Insert records with unexpected CID in CID tests in ssl-opt.sh
Hanno Becker committed Jun 3, 2019 (d0ac5fa)
-
Add description of CID feature to ChangeLog
Hanno Becker committed Jun 3, 2019 (b9355b7)
-
Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
Hanno Becker committed Jun 3, 2019 (09b8cae)
-
Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
Hanno Becker committed Jun 3, 2019 (2900b14)
-
Correct white spaces in ssl_server2 and ssl_client2
Hanno Becker committed Jun 3, 2019 (a0c5ceb)
-
ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
This allows to test PSK-based ciphersuites via ssl_client2 in builds which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and MBEDTLS_CERTS_C disabled. A similar change is applied to the `crt_file` and `key_file` arguments.
Hanno Becker committed Jun 3, 2019 (623e7b4)
-
ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
This allows to test PSK-based ciphersuites via ssl_server2 in builds which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and MBEDTLS_CERTS_C disabled.
Hanno Becker committed Jun 3, 2019 (8174bdf)
-
Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
Hanno Becker committed Jun 3, 2019 (422d199)
-
Add build instructions to generate DER versions of CRTs and keys
Hanno Becker committed Jun 3, 2019 (e21387e)
-
Add DER encoded files to git tree
Hanno Becker committed Jun 3, 2019 (8843c25)
-
Rename server1.der to server1.crt.der
Hanno Becker committed Jun 3, 2019 (58fc28c)
-
Hanno Becker committed Jun 3, 2019 (666f60d)
-
Document origin of hardcoded certificates in library/certs.c
All of them are copied from (former) CRT and key files in `tests/data_files`. For files which have been regenerated since they've been copied to `certs.c`, update the copy.

Add declarations for DER encoded test CRTs to certs.h
Add DER encoded versions of CRTs to certs.c
fix comment in certs.c
Don't use (signed) char for DER encoded certificates
Consistently use `const char *` for test CRTs regardless of encoding
Remove non-sensical and unused PW variable for DER encoded key
Provide test CRTs in PEM and DER fmt, + pick suitable per config

This commit modifies `certs.h` and `certs.c` to start following the following pattern for the provided test certificates and files:
- Raw test data is named `NAME_ATTR1_ATTR2_..._ATTRn`
  For example, there are `TEST_CA_CRT_{RSA|EC}_{PEM|DER}_{SHA1|SHA256}`.
- Derived test data with fewer attributes, iteratively defined as one of the raw test data instances which suits the current configuration.
  For example, `TEST_CA_CRT_RSA_PEM` is one of `TEST_CA_CRT_RSA_PEM_SHA1` or `TEST_CA_CRT_RSA_PEM_SHA256`, depending on whether SHA-1 and/or SHA-256 are defined in the current config.

Add missing public declaration of test key password
Fix signedness and naming mismatches
Further improve structure of certs.h and certs.c
Fix definition of mbedtls_test_cas test CRTs depending on config
Remove semicolon after macro string constant in certs.c
Hanno Becker committed Jun 3, 2019 (960e588)
-
ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
This should allow to run ssl-opt.sh successfully in the default configuration minus MBEDTLS_PEM_PARSE_C minus MBEDTLS_FS_IO.
Hanno Becker committed Jun 3, 2019 (91e72c3)
-
Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
Hanno Becker committed Jun 3, 2019 (3217c8d)
-
Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
Hanno Becker committed Jun 3, 2019 (a545be2)
-
Use strict syntax to annotate origin of test data in certs.c
This allows to auto-generate them from scripts.
Hanno Becker committed Jun 3, 2019 (92b4f81)
-
Add new line at the end of test-ca2.key.enc
Hanno Becker committed Jun 3, 2019 (471ad47)
-
Re-generate library/certs.c from script
Hanno Becker committed Jun 3, 2019 (ff552f7)
-
Remove heading spaces in tests/data_files/Makefile
Hanno Becker committed Jun 3, 2019 (4cbea4b)
-
This commit updates the Crypto submodule to the merge commit of ARMmbed#133 which mirrors the change of the DHM selftest, making the latter succeed in builds with !MBEDTLS_PEM_PARSE_C.
Hanno Becker committed Jun 3, 2019 (e35f02e)
Commits on Jun 4, 2019
-
Obey bounds of ASN.1 substructures
When parsing a substructure of an ASN.1 structure, no field within the substructure must exceed the bounds of the substructure. Concretely, the `end` pointer passed to the ASN.1 parsing routines must be updated to point to the end of the substructure while parsing the latter.

This was previously not the case for the routines
- x509_get_attr_type_and_value(),
- mbedtls_x509_get_crt_ext(),
- mbedtls_x509_get_crl_ext().
These functions kept using the end of the parent structure as the `end` pointer and would hence allow substructure fields to cross the substructure boundary. This could lead to successful parsing of ill-formed X.509 CRTs. This commit fixes this.

Care has to be taken when adapting `mbedtls_x509_get_crt_ext()` and `mbedtls_x509_get_crl_ext()`, as the underlying function `mbedtls_x509_get_ext()` returns `0` if no extensions are present but doesn't set the variable which holds the bounds of the Extensions structure in case the latter is present. This commit addresses this by returning early from `mbedtls_x509_get_crt_ext()` and `mbedtls_x509_get_crl_ext()` if parsing has reached the end of the input buffer.

The following X.509 parsing tests need to be adapted:
- "TBSCertificate, issuer two inner set datas"
  This test exercises the X.509 CRT parser with a Subject name which has two empty `AttributeTypeAndValue` structures. This is supposed to fail with `MBEDTLS_ERR_ASN1_OUT_OF_DATA` because the parser should attempt to parse the first structure and fail because of a lack of data. Previously, it failed to obey the (0-length) bounds of the first AttributeTypeAndValue structure and would try to interpret the beginning of the second AttributeTypeAndValue structure as the first field of the first AttributeTypeAndValue structure, returning an UNEXPECTED_TAG error.
- "TBSCertificate, issuer, no full following string"
  This test exercises the parser's behaviour on an AttributeTypeAndValue structure which contains more data than expected; it should therefore fail with MBEDTLS_ERR_ASN1_LENGTH_MISMATCH. Because of the missing bounds check, it previously failed with UNEXPECTED_TAG because it interpreted the remaining byte in the first AttributeTypeAndValue structure as the first byte in the second AttributeTypeAndValue structure.
- "SubjectAltName repeated"
  This test should exercise two SubjectAltNames extensions in succession, but a wrong length value makes the second SubjectAltNames extension appear outside of the Extensions structure. With the new bounds in place, this therefore fails with a LENGTH_MISMATCH error. This commit adapts the test data to put the 2nd SubjectAltNames extension inside the Extensions structure, too.
Hanno Becker committed Jun 4, 2019 (12f62fb)
-
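The effect of narrowing the `end` pointer, shown on inputs shaped like the test cases named in the commit message above. This is an added example, not Mbed TLS code: `get_tag()`, `parse_atv()`, `run()`, the error enum and the byte strings are constructed for illustration, and the attribute value is simplified to a UTF8String.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative error codes named after those in the commit message;
 * the numeric values are not the library's. */
enum { ASN1_OK = 0, ERR_OUT_OF_DATA = -1, ERR_UNEXPECTED_TAG = -2,
       ERR_INVALID_LENGTH = -3, ERR_LENGTH_MISMATCH = -4 };

#define TAG_OID      0x06
#define TAG_UTF8     0x0C
#define TAG_SEQUENCE 0x30

/* Read a tag and length at *p without reading at or beyond `end`.
 * On success *p points at the first content byte and the content
 * is known to fit before `end`. */
static int get_tag(const unsigned char **p, const unsigned char *end,
                   size_t *len, unsigned char tag)
{
    if (end - *p < 1) return ERR_OUT_OF_DATA;
    if (**p != tag) return ERR_UNEXPECTED_TAG;
    (*p)++;
    if (end - *p < 1) return ERR_OUT_OF_DATA;
    if ((**p & 0x80) == 0) {
        *len = *(*p)++;                 /* short form */
    } else if (**p == 0x81) {
        if (end - *p < 2) return ERR_OUT_OF_DATA;
        *len = (*p)[1];                 /* one-byte long form */
        *p += 2;
    } else {
        return ERR_INVALID_LENGTH;      /* longer forms not needed here */
    }
    if (*len > (size_t)(end - *p)) return ERR_OUT_OF_DATA;
    return ASN1_OK;
}

/* AttributeTypeAndValue ::= SEQUENCE { type OID, value UTF8String }
 * narrow_end = 0: inner fields are bounded by the parent's end (old behaviour).
 * narrow_end = 1: inner fields are bounded by the SEQUENCE's own end, and
 *                 the SEQUENCE must be consumed exactly (fixed behaviour). */
static int parse_atv(const unsigned char **p, const unsigned char *end,
                     int narrow_end)
{
    size_t len;
    int ret = get_tag(p, end, &len, TAG_SEQUENCE);
    if (ret != ASN1_OK) return ret;

    const unsigned char *sub_end = *p + len;
    const unsigned char *bound = narrow_end ? sub_end : end;

    if ((ret = get_tag(p, bound, &len, TAG_OID)) != ASN1_OK) return ret;
    *p += len;
    if ((ret = get_tag(p, bound, &len, TAG_UTF8)) != ASN1_OK) return ret;
    *p += len;

    if (narrow_end && *p != sub_end) return ERR_LENGTH_MISMATCH;
    return ASN1_OK;
}

/* Constructed inputs. */
static const unsigned char WELL_FORMED[] = {   /* OID 2.5.4.3, value "A" */
    0x30, 0x08, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x01, 0x41 };
static const unsigned char TWO_EMPTY[] = {     /* two empty SEQUENCEs */
    0x30, 0x00, 0x30, 0x00 };
static const unsigned char CROSSING[] = {      /* SEQUENCE claims 5 bytes, value lies outside */
    0x30, 0x05, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x01, 0x41 };
static const unsigned char TRAILING[] = {      /* one extra byte inside the SEQUENCE */
    0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x01, 0x41, 0x05 };

/* Parse the first AttributeTypeAndValue in buf and return the result code. */
static int run(const unsigned char *buf, size_t n, int narrow_end)
{
    const unsigned char *p = buf;
    return parse_atv(&p, buf + n, narrow_end);
}

int main(void)
{
    printf("well-formed: old=%d new=%d\n",
           run(WELL_FORMED, sizeof WELL_FORMED, 0), run(WELL_FORMED, sizeof WELL_FORMED, 1));
    printf("two empty:   old=%d new=%d\n",
           run(TWO_EMPTY, sizeof TWO_EMPTY, 0), run(TWO_EMPTY, sizeof TWO_EMPTY, 1));
    printf("crossing:    old=%d new=%d\n",
           run(CROSSING, sizeof CROSSING, 0), run(CROSSING, sizeof CROSSING, 1));
    printf("trailing:    old=%d new=%d\n",
           run(TRAILING, sizeof TRAILING, 0), run(TRAILING, sizeof TRAILING, 1));
    return 0;
}
```

With the parent's `end`, the `CROSSING` input parses successfully even though its value lies outside the enclosing SEQUENCE; with the narrowed bound it is rejected.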
Always return a high-level error code from X.509 module
Some functions within the X.509 module return an ASN.1 low level error code where instead this error code should be wrapped by a high-level X.509 error code as in the bulk of the module.

Specifically, the following functions are affected:
- mbedtls_x509_get_ext()
- x509_get_version()
- x509_get_uid()
This commit modifies these functions to always return an X.509 high level error code.

Care has to be taken when adapting `mbedtls_x509_get_ext()`: Currently, the callers `mbedtls_x509_crt_ext()` treat the return code `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` specially to gracefully detect and continue if the extension structure is not present. Wrapping the ASN.1 error with `MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and adapting the check accordingly would mean that an unexpected tag somewhere down the extension parsing would be ignored by the caller.

The way out of this is the following: Luckily, the extension structure is always the last field in the surrounding structure, so if there is some data remaining, it must be an Extension structure, so we don't need to deal with a tag mismatch gracefully in the first place. We may therefore wrap the return code from the initial call to `mbedtls_asn1_get_tag()` in `mbedtls_x509_get_ext()` by `MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and simply remove the special treatment of `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` in the callers `x509_crl_get_ext()` and `x509_crt_get_ext()`.

This renders `mbedtls_x509_get_ext()` unsuitable if it ever happened that an Extension structure is optional and does not occur at the end of its surrounding structure, but for CRTs and CRLs, it's fine.

The following tests need to be adapted:
- "TBSCertificate v3, issuerID wrong tag"
  The issuerID is optional, so if we look for its presence but find a different tag, we silently continue and try parsing the subjectID, and then the extensions. The tag '00' used in this test doesn't match either of these, and the previous code would hence return LENGTH_MISMATCH after unsuccessfully trying issuerID, subjectID and Extensions. With the new code, any data remaining after issuerID and subjectID _must_ be Extension data, so we fail with UNEXPECTED_TAG when trying to parse the Extension data.
- "TBSCertificate v3, UIDs, invalid length"
  The test hardcodes the expectation of MBEDTLS_ERR_ASN1_INVALID_LENGTH, which needs to be wrapped in MBEDTLS_ERR_X509_INVALID_FORMAT now.

Fixes #2431.
Hanno Becker committed Jun 4, 2019 (6ccfb18)
-
Hanno Becker committed Jun 4, 2019 (d57a3a6)
-
Improve documentation of mbedtls_x509_get_ext()
- Explain the use of explicit ASN.1 tagging for the extensions structure
- Remove misleading comment which suggests that mbedtls_x509_get_ext() also parsed the header of the first extension, which is not the case.
Hanno Becker committed Jun 4, 2019 (3cddba8)
-
Correct placement of ChangeLog entry
Hanno Becker committed Jun 4, 2019 (3c03a88)
-
Commit ca6aee4
-
Commit 150deca
-
Commit fe20bea
-
Commit a1491fe
-
Extend negative testing for X.509 TBS header parsing
Hanno Becker committed Jun 4, 2019 (a5c481e)
-
Extend negative testing for X.509 Version parsing
Hanno Becker committed Jun 4, 2019 (a9ef412)
-
Extend negative testing for X.509 Serial number parsing
Hanno Becker committed Jun 4, 2019 (e7d8f96)
-
Extend negative testing for X.509 AlgorithmIdentifier parsing
Hanno Becker committed Jun 4, 2019 (a328fff)
-
Extend negative testing for X.509 Issuer parsing
Hanno Becker committed Jun 4, 2019 (5e2cf38)
-
Extend negative testing for X.509 Validity parsing
Hanno Becker committed Jun 4, 2019 (18459d4)
-
Extend negative testing for X.509 Subject parsing
Hanno Becker committed Jun 4, 2019 (28ae6b1)
-
Extend negative testing for X.509 SubjectPublicKeyInfo parsing
Hanno Becker committed Jun 4, 2019 (bb955e5)
-
Extend negative testing for X.509 IssuerID parsing
Hanno Becker committed Jun 4, 2019 (9f06b50)
-
Extend negative testing for X.509 SubjectID parsing
Hanno Becker committed Jun 4, 2019 (be3850a)
-
Extend negative testing for X.509 v3 Extension parsing
Hanno Becker committed Jun 4, 2019 (05987e3)
-
Extend negative testing for X.509 SignatureAlgorithm parsing
Hanno Becker committed Jun 4, 2019 (5f88a77)
-
Extend negative testing for X.509 Signature parsing
Hanno Becker committed Jun 4, 2019 (44199b6)
-
Shorten X.509 CRT parsing test names
Hanno Becker committed Jun 4, 2019 (2389d16)
-
Use ASN.1 NULL TLVs when testing invalid tags
Previously, a test exercising the X.509 CRT parser's behaviour on unexpected tags would use a '00' byte in place of the tag for the expected structure. This makes reviewing the examples harder because the binary data isn't valid DER-encoded ASN.1. This commit uses the ASN.1 NULL TLV '05 00' to test invalid tags, and adapts surrounding structures' length values accordingly. This eases reviewing because now the ASN.1 structures are still well-formed at the place where the mismatch occurs.
Hanno Becker committed Jun 4, 2019 (0f5acc1)
-
Fix test case name formatting in X.509 parsing suite
Hanno Becker committed Jun 4, 2019 (19db19e)
-
Fix non-DER length encoding in two X.509 CRT parsing tests
Lengths below 128 Bytes must be encoded as a single 'XX' byte in DER, but two tests in the X.509 CRT parsing suite used the BER but non-DER encoding '81 XX' (the first byte 10000001 indicating that the length is to follow (high bit) and has length 1 byte (low bit)).
Hanno Becker committed Jun 4, 2019 (31af3b8)
-
Fix test dependencies in X.509 CRT parsing suite
Most tests use an sha256WithRSAEncryption OID which isn't recognized unless RSA and SHA-256 are enabled.
Hanno Becker committed Jun 4, 2019 (60dd6fc)
-
Always use the same X.509 alg structure inside and outside of TBS
Hanno Becker committed Jun 4, 2019 (764fbdf)
-
Improve name of X.509 CRT parsing test
Hanno Becker committed Jun 4, 2019 (7ca07e3)
-
Add negative X.509 parsing tests for IssuerID/SubjectID in v1 CRT
Hanno Becker committed Jun 4, 2019 (d51d485)
-
Add negative X.509 parsing tests for v3Ext in v1/v2 CRT
Hanno Becker committed Jun 4, 2019 (04b10c0)
-
Improve X.509 CRT parsing test names
Hanno Becker committed Jun 4, 2019 (8671e81)
-
Add X.509 CRT parsing test for mixed time-encodings
Hanno Becker committed Jun 4, 2019 (7717c41)
Commits on Jun 5, 2019
-
psa: Add NV seed as an entropy source when needed
When MBEDTLS_PSA_INJECT_ENTROPY is used, we now require also defining MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES. When MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES is defined, we do not add entropy sources by default. This includes the NV seed entropy source, which the PSA entropy injection API is built upon. The PSA entropy injection feature depends on using NV seed as an entropy source. Add NV seed as an entropy source for PSA entropy injection. Fixes e3dbdd8 ("Gate entropy injection through a dedicated configuration option")
Commit 7654161
-
Commit c6f874b
-
ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and build_transforms() will attempt to use a non-existent `encrypt_then_mac` field in the ssl_transform. Compile [ 93.7%]: ssl_tls.c [Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha s no member named 'encrypt_then_mac' [ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys' : ./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac' transform->encrypt_then_mac = session->encrypt_then_mac; ^~ Change mbedtls_ssl_derive_keys() and build_transforms() to only access `encrypt_then_mac` if `encrypt_then_mac` is actually present. Add a regression test to detect when we have regressions with configurations that do not include any MAC ciphersuites. Fixes d56ed24 ("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
Commit 2de07f1
-
all.sh: Perform targeted EtM tests for MAC-less configs
When testing a configuration where no ciphersuites have MAC, via component_test_when_no_ciphersuites_have_mac(), perform a targeted test of only encrypt-then-MAC tests within ssl-opt.sh.
Commit 6b1683d
-
Merge pull request ARMmbed#138 from Patater/add-entropy-injection-source
psa: Add NV seed as an entropy source when needed
Commit cad1223
Commits on Jun 6, 2019
-
test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would test that decryption of an empty buffer would work with MBEDTLS_CIPHER_AES_128_CBC. Make the cipher used with the dec_empty_buf() test configurable, so that Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer tests use the MBEDTLS_CIPHER_CHACHA20 and MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
Commit ab11889
-
test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20 Encrypt and decrypt 0 bytes" test will test decryption of a 0 length buffer.
Commit 2353b54
-
Merge remote-tracking branch 'origin/pr/2654' into development
* origin/pr/2654: Create link to include/mbedtls only when testing is enabled
Commit bb16d0c
-
Merge remote-tracking branch 'origin/pr/2679' into development
* origin/pr/2679:
  test: Remove redundant 0-byte decryption test
  test: Check empty buffer decryption for chachapoly
Commit 048df33
-
Commit aa4d152
Commits on Jun 7, 2019
-
psa: Avoid use of relative include paths
Relative include paths should be avoided. The build system will determine where to pull in includes from. Specifically, `#include "../mbedtls/config.h"` shouldn't be used. Use `#include "mbedtls/config.h"` instead, so that the submodule-building makefiles can change which directory to use to get mbedtls include files from. Fixes ARMmbed#141
Commit d58a00d
-
test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would test that decryption of an empty buffer would work with MBEDTLS_CIPHER_AES_128_CBC. Make the cipher used with the dec_empty_buf() test configurable, so that Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer tests use the MBEDTLS_CIPHER_CHACHA20 and MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
Commit 5ab80ef
-
test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20 Encrypt and decrypt 0 bytes" test will test decryption of a 0 length buffer.
Commit b013146
-
Merge pull request ARMmbed#142 from Patater/no-relative-includes
psa: Avoid use of relative include paths
Commit 3d94e34
-
Merge pull request ARMmbed#143 from Patater/chachapoly-empty-buf-test
test: Check empty buffer decryption for chachapoly
Commit 47f2de1
-
Commit e1ae731
-
Commit 986b6f2
-
Don't systematically rebuild programs
Fix the dependency on libmbedcrypto.a, which is now located under crypto. Fix #2682
Commit 95f5cbc
-
Pass -m32 to the linker as well
For unit tests and sample programs, CFLAGS=-m32 is enough to get a 32-bit build, because these programs are all compiled directly from *.c to the executable in one shot. But with makefile rules that first build object files and then link them, LDFLAGS=-m32 is also needed.
Commit 5d26e7c
-
Typo rproduce -> reproducible Call mbedtls_entropy_func
Commit 3ca5085
Commits on Jun 10, 2019
-
Merge remote-tracking branch 'origin/pr/2678' into development
* origin/pr/2678:
  Update crypto submodule to 1.1.0d2
  all.sh: Perform targeted EtM tests for MAC-less configs
  ssl: Don't access non-existent encrypt_then_mac field
Commit a3daa21
Commits on Jun 11, 2019
-
Commit 7c9d724
-
Commit 0ff84fb
-
Commit f91b372
-
Commit 12e85de
-
Commit d2235f2
-
Commit 154feb2
Commits on Jun 12, 2019
-
Commit c5de462
Commits on Jun 13, 2019
-
UDP proxy: Don't attempt to dissect dgram into records when dropping
To prevent dropping the same message over and over again, the UDP proxy test application programs/test/udp_proxy _logically_ maintains a mapping from records to the number of times the record has already been dropped, and stops dropping once a configurable threshold (currently 2) is passed.
However, the actual implementation deviates from this logical view in two crucial respects:
- To keep the implementation simple and independent of implementations of suitable map interfaces, it only counts how many times a record of a given _size_ has been dropped, and stops dropping further records of that size once the configurable threshold is passed. Of course, this is not fail-proof, but a good enough approximation for the proxy, and it allows to use an inefficient but simple array for the required map.
- The implementation mixes datagram lengths and record lengths: When deciding whether it is allowed to drop a datagram, it uses the total datagram size as a lookup index into the map counting the number of times a package has been dropped. However, when updating this map, the UDP proxy traverses the datagram record by record, and updates the mapping at the level of record lengths.
Apart from this inconsistency, the introduction of the Connection ID feature leads to yet another problem: The CID length is not part of the record header but dynamically negotiated during (potentially encrypted!) handshakes, and it is hence impossible for a passive traffic analyzer (in this case our UDP proxy) to reliably parse record headers; especially, it isn't possible to reliably infer the length of a record, nor to dissect a datagram into records.
The previous implementation of the UDP proxy was not CID-aware and assumed that the record length would always reside at offsets 11, 12 in the DTLS record header, which would allow it to iterate through the datagram record by record. As mentioned, this is no longer possible for CID-based records, and the current implementation can run into a buffer overflow in this case (because it doesn't validate that the record length is not larger than what remains in the datagram).
This commit removes the inconsistency in datagram vs. record length and resolves the buffer overflow issue by not attempting any dissection of datagrams into records, and instead only counting how often _datagrams_ of a particular size have been dropped.
There is only one practical situation where this makes a difference: If datagram packing is used by default but disabled on retransmission (which OpenSSL has been seen to do), it can happen that we drop a datagram in its initial transmission, then also drop some of its records when they are retransmitted one-by-one afterwards, yet still keeping the drop-counter at 1 instead of 2. However, even in this situation, we'll correctly count the number of droppings from that point on and eventually stop dropping, because the peer will not fall back to using packing and hence use stable record lengths.
Hanno Becker committed Jun 13, 2019
Commit 961e677
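The bounds problem described in the commit message above, as an added C sketch that is not the udp_proxy source: a record walker that rejects a datagram when the length read at offsets 11, 12 exceeds the bytes remaining, next to drop counting keyed by datagram size only. All function names, `MAX_DGRAM_LEN`, and the sample datagrams (including where the CID bytes sit) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTLS_HDR_LEN    13    /* type(1) version(2) epoch(2) seq(6) length(2) */
#define DTLS_LEN_OFFSET 11    /* length at offsets 11, 12 when no CID is present */
#define MAX_DGRAM_LEN   2048  /* assumed cap on datagram size for this sketch */
#define DROP_THRESHOLD  2     /* threshold value quoted in the commit message */

/* Walk a datagram record by record under the no-CID header layout.
 * Returns the record count, or -1 when a header is truncated or a record
 * claims more bytes than remain, i.e. the datagram cannot be dissected. */
int dissect_checked(const uint8_t *dgram, size_t dgram_len)
{
    size_t off = 0;
    int records = 0;

    while (off < dgram_len) {
        size_t remaining = dgram_len - off;
        if (remaining < DTLS_HDR_LEN)
            return -1;
        size_t rec_len = ((size_t) dgram[off + DTLS_LEN_OFFSET] << 8) |
                         dgram[off + DTLS_LEN_OFFSET + 1];
        if (rec_len > remaining - DTLS_HDR_LEN)  /* the check that was missing */
            return -1;
        off += DTLS_HDR_LEN + rec_len;
        records++;
    }
    return records;
}

/* Drop bookkeeping keyed by datagram size for both lookup and update. */
static unsigned char drop_count[MAX_DGRAM_LEN + 1];

/* Returns 1 (and counts the drop) while datagrams of this size may still
 * be dropped, 0 once the threshold is reached or the size is out of range. */
int may_drop_datagram(size_t dgram_len)
{
    if (dgram_len > MAX_DGRAM_LEN || drop_count[dgram_len] >= DROP_THRESHOLD)
        return 0;
    drop_count[dgram_len]++;
    return 1;
}

/* Constructed sample data: append one zero-filled record, optionally with
 * CID bytes placed between the sequence number and the length field. */
static size_t put_record(uint8_t *out, const uint8_t *cid, size_t cid_len,
                         uint16_t payload_len)
{
    size_t n = 0;
    out[n++] = 23;                         /* content type (constructed) */
    out[n++] = 0xFE; out[n++] = 0xFD;      /* version bytes */
    memset(out + n, 0, 8); n += 8;         /* epoch + sequence number */
    if (cid_len) { memcpy(out + n, cid, cid_len); n += cid_len; }
    out[n++] = (uint8_t) (payload_len >> 8);
    out[n++] = (uint8_t) (payload_len & 0xFF);
    memset(out + n, 0, payload_len); n += payload_len;
    return n;
}

int demo_plain(void)       /* two well-formed records: 13+5 and 13+7 bytes */
{
    uint8_t buf[64];
    size_t n = put_record(buf, NULL, 0, 5);
    n += put_record(buf + n, NULL, 0, 7);
    return dissect_checked(buf, n);
}

int demo_cid(void)         /* CID bytes occupy offsets 11, 12: bogus length */
{
    static const uint8_t cid[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    uint8_t buf[64];
    size_t n = put_record(buf, cid, sizeof(cid), 5);
    return dissect_checked(buf, n);
}

int demo_truncated(void)   /* second record's header is cut short */
{
    uint8_t buf[64];
    size_t n = put_record(buf, NULL, 0, 5);
    n += put_record(buf + n, NULL, 0, 7);
    return dissect_checked(buf, n - 18);
}

int main(void)
{
    printf("plain=%d cid=%d truncated=%d\n",
           demo_plain(), demo_cid(), demo_truncated());
    return 0;
}
```

Rejecting the CID datagram is the most a passive observer can do here: it cannot recover the real record boundaries, which is why the commit counts whole datagrams instead.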
-
Fix documentation of X.509 parsing test
Hanno Becker committed Jun 13, 2019
Commit 61cf9e3
-
Make test suites compatible with #include <assert.h>
Don't use the macro name assert. It's technically permitted as long as <assert.h> is not included, but it's fragile, because it means the code and any header that it includes must not include <assert.h>.
Commit e7655df
-
Make test suites compatible with #include <assert.h>
Don't use the macro name assert. It's technically permitted as long as <assert.h> is not included, but it's fragile, because it means the code and any header that it includes must not include <assert.h>.
Commit 9e23bea
-
Make it easier to define MBEDTLS_PARAM_FAILED as assert
Introduce a new configuration option MBEDTLS_CHECK_PARAMS_ASSERT, which is disabled by default. When this option is enabled, MBEDTLS_PARAM_FAILED defaults to assert rather than to a call to mbedtls_param_failed, and <assert.h> is included. This fixes #2671 (no easy way to make MBEDTLS_PARAM_FAILED assert) without breaking backward compatibility. With this change, `config.pl full` runs tests with MBEDTLS_PARAM_FAILED set to assert, so the tests will fail if a validation check fails, and programs don't need to provide their own definition of mbedtls_param_failed().
Commit c7ad122
-
Remove mbedtls_param_failed from programs
All sample and test programs had a definition of mbedtls_param_failed. This was necessary because we wanted to be able to build them in a configuration with MBEDTLS_CHECK_PARAMS set but without a definition of MBEDTLS_PARAM_FAILED. Now that we activate the sample definition of MBEDTLS_PARAM_FAILED in config.h when testing with MBEDTLS_CHECK_PARAMS set, this boilerplate code is no longer needed.
Commit 3abbced
Commits on Jun 14, 2019
-
Merge remote-tracking branch 'origin/pr/2260' into development
* origin/pr/2260:
  Update crypto submodule
  Remove heading spaces in tests/data_files/Makefile
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
Commit e1b02df
-
Merge remote-tracking branch 'origin/pr/2430' into development
* origin/pr/2430:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add support for MD2 to CSR and CRT writing example programs
  Remove use of MD2 in further x509parse tests
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
Commit 6b5dc68
-
Merge remote-tracking branch 'origin/pr/2661' into development
* origin/pr/2661: Remove all abi dumps, not just ones shared between versions
Commit 39a8a26
-
Merge remote-tracking branch 'origin/pr/2675' into development
* origin/pr/2675: Show removed symbols in abi check
Commit d042198
-
Merge remote-tracking branch 'origin/pr/2694' into development
* origin/pr/2694: UDP proxy: Don't attempt to dissect dgram into records when dropping
Commit 3acb5eb
-
Merge pull request ARMmbed#148 from ARMmbed/dev/gilles-peskine-arm/check_params-test_without_function-crypto
Make test suites compatible with #include <assert.h>
Commit 86268e1
-
Add all.sh component that exercises invalid_param checks
With the change to the full config, there were no longer any tests that exercise invalid-parameter behavior. The test suite exercises invalid-parameter behavior by calling TEST_INVALID_PARAM and friends, relying on the test suite's mbedtls_check_param function. This function is only enabled if MBEDTLS_CHECK_PARAMS is defined but not MBEDTLS_CHECK_PARAMS_ASSERT. Add a component to all.sh that enables MBEDTLS_CHECK_PARAMS but disables MBEDTLS_CHECK_PARAMS_ASSERT and doesn't define MBEDTLS_PARAM_FAILED. This way, the xxx_invalid_param() tests do run. Since sample programs don't provide a mbedtls_check_param function, this component doesn't build the sample programs.
Commit adcde5e
-
Update to the merge of "Make test suites compatible with #include <assert.h>"
Commit 3097a71
-
Merge remote-tracking branch 'origin/pr/2442' into development
* origin/pr/2442:
  Correct placement of ChangeLog entry
  Improve documentation of mbedtls_x509_get_ext()
  Adapt ChangeLog
  Always return a high-level error code from X.509 module
  Obey bounds of ASN.1 substructures
Commit 7af080a
-
Merge remote-tracking branch 'origin/pr/2443' into development
* origin/pr/2443: (25 commits)
  Fix documentation of X.509 parsing test
  Add X.509 CRT parsing test for mixed time-encodings
  Improve X.509 CRT parsing test names
  Add negative X.509 parsing tests for v3Ext in v1/v2 CRT
  Add negative X.509 parsing tests for IssuerID/SubjectID in v1 CRT
  Improve name of X.509 CRT parsing test
  Always use the same X.509 alg structure inside and outside of TBS
  Fix test dependencies in X.509 CRT parsing suite
  Fix non-DER length encoding in two X.509 CRT parsing tests
  Fix test case name formatting in X.509 parsing suite
  Use ASN.1 NULL TLVs when testing invalid tags
  Shorten X.509 CRT parsing test names
  Extend negative testing for X.509 Signature parsing
  Extend negative testing for X.509 SignatureAlgorithm parsing
  Extend negative testing for X.509 v3 Extension parsing
  Extend negative testing for X.509 SubjectID parsing
  Extend negative testing for X.509 IssuerID parsing
  Extend negative testing for X.509 SubjectPublicKeyInfo parsing
  Extend negative testing for X.509 Subject parsing
  Extend negative testing for X.509 Validity parsing
  ...
Commit c54ee93
-
Fix misuse of signed ints in the HAVEGE module
The elements of the HAVEGE state are manipulated with bitwise operations, with the expectations that the elements are 32-bit unsigned integers (or larger). But they are declared as int, and so the code has undefined behavior. Clang with Asan correctly points out some shifts that reach the sign bit. Since these are supposed to be 32-bit unsigned integers, declare them as uint32_t. This is technically an API break, since the type mbedtls_havege_state is exposed in a public header. However normal applications should not be affected.
Commit 7846299
-
Fix misuse of signed ints in the HAVEGE module
Update havege.h to the new version in the crypto module. This is technically an API break, since the type mbedtls_havege_state is exposed in a public header. However normal applications should not be affected. There is no ABI break on platforms where uint32_t and int are treated identically, which is virtually all of them. Fix #2598
Commit f3820e3
Commits on Jun 18, 2019
-
Commit 738153a
Commits on Jun 19, 2019
-
Commit b94cf82
Commits on Jun 20, 2019
-
Commit a152e42
-
timing: Remove redundant include file
There is no need to include winbase.h, as it will be pulled in by windows.h as needed. Fixes #2640
Commit a180926
-
platform: Include stdarg.h where needed
Windows builds also need stdarg.h included when using variadic functions. Fixes #2656
Commit 32eb58f
-
windows: Fix Release x64 configuration
Inherit PlatformToolset from the project configuration. This allows the project to configure PlatformToolset, and aligns the Release x64 build with other build types. Fixes #1430
Commit 4f4af6e
-
ssl_tls: Enable Suite B with subset of ECP curves
Make sure the code compiles even if some curves are not defined. Fixes #1591
Commit d431104
-
programs: Make `make clean` clean all programs always
If `make TEST_CPP:=1` is run, and then `make clean` (as opposed to `make TEST_CPP:=1 clean`), the cpp_dummy_build will be left behind after the clean. Make `make clean` more convenient to use by removing programs that could be generated from any configuration, not just the active one. Fixes #1862
Commit befe1e1
-
These functions became obsolete when the key export format changed from including the SubjectPublicKeyInfo to being just the key material.
Commit 9e5bcbd
-
Merge pull request ARMmbed#153 from gilles-peskine-arm/remove_unused_functions-iotssl-2563-clang-warnings
Remove unused functions from test_suite_psa_crypto
Commit 54b8eab
Commits on Jun 21, 2019
-
Merge remote-tracking branch 'origin/pr/2053' into development
* origin/pr/2053:
  Clarify ChangeLog entry for fix to #1628
  Add Changelog entry for clang test-ref-configs.pl fix
  Enable more compiler warnings in tests/Makefile
  Change file scoping of test helpers.function
Commit aada0c7
-
Merge remote-tracking branch 'origin/pr/2614' into development
* origin/pr/2614: Use 'config.pl baremetal' in all.sh
Commit ca4e4a8
-
Merge remote-tracking branch 'origin/pr/2681' into development
* origin/pr/2681: unconditional mbedtls_ssl_conf_rng Adding usage and removing dummy random comment alignment Commit to C90 style Adds missing ret definition More clarity for ifdef orders Only warns if MBEDTLS_HAVE_TIME Option used added in string Code review Style fixes SSL reproducible test mode
Commit 8d936e8
-
Merge remote-tracking branch 'origin/pr/2690' into development
* origin/pr/2690: Making version features easily ROM-able when using Arm C compiler.
Commit e2d5b9e
-
Merge remote-tracking branch 'origin/pr/2697' into development
* origin/pr/2697:
  Update crypto submodule
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
  Don't systematically rebuild programs
Commit fd0f654
-
Merge remote-tracking branch 'origin/pr/2711' into development
* origin/pr/2711:
  programs: Make `make clean` clean all programs always
  ssl_tls: Enable Suite B with subset of ECP curves
  windows: Fix Release x64 configuration
  platform: Include stdarg.h where needed
  timing: Remove redundant include file
  net_sockets: Fix typo in net_would_block()
Commit 66b7edb
-
Fuzz targets are x509 crt csr and crl parsing as well as private and public key parsing and client and server communication
Fuzz targets for DTLS
Simple corpus with valid DTLS connection
Deterministic behavior for fuzzing, ie no timestamps
Commit 7233352
-
Commit 9c7b698
-
Commit f049304
-
Commit 2b7c9a2
-
Commit 3abe15b
-
Commit dbc0db9
-
Commit 0863382
-
Commit 499c735
-
Commit 801194b
-
Commit 8149627
-
Commit 03e87d9
-
Commit c32fd24
-
Commit cd6cd81
-
Commit a8210b3
-
Commit 7fff1fb
Commits on Jun 24, 2019
-
Commit 661d725
-
Commit bc2adf9
Commits on Jun 25, 2019
-
Update `mbedtls_test.py` script to work with Python 3.7. resolves #2653
Ron Eldor authored and Ron Eldor committed Jun 25, 2019
Commit 33908e8
-
Update the test encoding to support python3
Since Python3 handles encoding differently than Python2, a change in the way the data is encoded and sent to the target is needed.
1. Change the test data to be sent as hex string
2. Convert the characters to binary bytes.
This is done because the mbed tools translate the encoding differently (mbed-greentea, and mbed-htrunner)
Ron Eldor authored and Ron Eldor committed Jun 25, 2019
Commit 5075f4d
-
Make the script portable to both pythons
Make the script work for python3 and for python2
Ron Eldor authored and Ron Eldor committed Jun 25, 2019
Commit 64e4595
-
Change implementation of `get_byte()` to call `unhexify()`.
Ron Eldor authored and Ron Eldor committed Jun 25, 2019
Commit b220489
-
Call `greentea_getc()` 8 times, and then `unhexify` once, instead of calling `receive_byte()`, which inside calls `greentea_getc()` twice, for every hex digit.
Ron Eldor authored and Ron Eldor committed Jun 25, 2019
Commit 72662a4
-
Remove use of CMAKE_SOURCE_DIR
Remove use of CMAKE_SOURCE_DIR in case mbedtls is built from within another CMake project. Define MBEDTLS_DIR to ${CMAKE_CURRENT_SOURCE_DIR} in the main CMakeLists.txt file and refer to that when defining target include paths to enable mbedtls to be built as a sub project.
Fixes #2609
Signed-off-by: Ashley Duncan <ashes.man@gmail.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Commit 3278081
-
Commit 33b6a99
-
README: Enable builds as a CMake subproject
Update the README with information on a newly supported feature: the ability to build Mbed TLS as a subproject of another CMake project.
Commit 41421c4
-
CMake: Add a subdirectory build regression test
If we have a regression with the "build Mbed TLS as a subdirectory with CMake" feature and fail to build, fail the test.
Commit ab83fdf
-
Allow declarations after statements
We officially allow C99, so don't forbid this C99 feature.
Commit c2d56a4
-
Commit cd2c127
-
Commit adc23e6
-
Restore tests/fuzz/Makefile after in-tree cmake
Save and restore the Makefile in tests/fuzz like the other makefiles.
Commit 1c582c3
-
Commit cf8fdfd
Commits on Jun 26, 2019
-
Remove use of CMAKE_SOURCE_DIR
Remove use of CMAKE_SOURCE_DIR in case mbedtls is built from within another CMake project. Define MBEDTLS_DIR to ${CMAKE_CURRENT_SOURCE_DIR} in the main CMakeLists.txt file and refer to that when defining target include paths to enable mbedtls to be built as a sub project.
Fixes Mbed-TLS/mbedtls#2609
Signed-off-by: Ashley Duncan <ashes.man@gmail.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Commit d85a7e9
-
tests: Enable building with add_subdirectory()
When building Mbed Crypto when including it via CMake's `add_subdirectory()`, the tests are also built by default. This means all headers the tests need must be public, in order for the build of the tests to have access to the headers.
Commit 77dd25d
-
CMake: Add a subdirectory build regression test
If we have a regression with the "build Mbed Crypto as a subdirectory with CMake" feature and fail to build, fail the test.
Commit e8451f2
-
Commit 0291cb7
-
Commit 0069ab7
Commits on Jun 27, 2019
-
Commit 48f35f5
-
Commit 5559b31
-
Commit 5dece6d
Commits on Jun 28, 2019
-
Merge pull request ARMmbed#156 from k-stachowiak/add-basic-build-to-all-sh
Add an alternative full build component to all.sh
Commit 8646a92
-
Commit daab28a
Commits on Jun 29, 2019
-
Enable running tests under Docker. This makes it easier to spin up an environment with all dependencies (especially the multiple versions of openssl and gnutls needed).
* tests/docker/xenial/Dockerfile: Definition for the docker image, including local builds for openssl and gnutls.
* tests/scripts/docker_env.sh: New helper script that creates the Docker image and has a function to run a command in the Docker container.
* tests/docker/all-in-docker.sh: Wrapper for all.sh under Docker.
* tests/docker/basic-in-docker.sh: Script that runs the same commands as .travis.yml, in Docker.
* tests/ssl-opt-in-docker.sh: Wrapper to run ssl-opt.sh in Docker.
* tests/compat-in-docker.sh: Wrapper to run compat.sh in Docker.
* tests/make-in-docker.sh: Wrapper to run make in Docker.
Change-Id: Ie092b1deed24c24c3859754535589523ce1d0a58
Commit e4e2d3a
-
Clean up file prologue comments
Update new files to include the same legalese as in aes.h. Editorial touchups in Dockerfile and ssl-opt-in-docker.sh.
Commit 4225b1a
-
Change Docker container to bionic
Commit 117b8a4 requires version 6+ of i686-w64-mingw32-gcc to run the mingw builds, but Ubuntu Xenial (16.04) supplies 5.3.1. Change the Docker container to Ubuntu Bionic (18.04) to pick up a version that will run the tests.
Commit 49c2435
-
Dockerfile commands should be using apt-get, not apt.
Commit be54358
-
Improve compatibility with firewalled networks
* Allow specifying MBEDTLS_DOCKER_REGISTRY for organizations that have a mirroring proxy of Docker Hub
* Specify "--network host" during build to ensure use of the host's DNS resolution.
Commit 718c74c
Commits on Jul 2, 2019
-
Merge pull request ARMmbed#152 from Patater/cmake-subproject-fix
Enable use of Mbed TLS and Mbed Crypto as a CMake subproject
Commit ee6f9b2
-
Update Mbed Crypto to contain mbed-crypto#152
Update Mbed Crypto to a commit on its development branch that contains the merged [mbed-crypto#152 PR](ARMmbed#152).
Commit a4b94c4
-
Fix parsing issue when int parameter is in base 16
Fix error `ValueError: invalid literal for int() with base 10:` that is caused when a parameter is given in base 16. Use relevant base when calling `int()` function.
Ron Eldor authored and Ron Eldor committed Jul 2, 2019
Commit 5131f77
-
-W is a deprecated alias of -Wextra. Consistently use the new name.
Commit 85aba47
-
Remove redundant compiler flag
`-Wunused' is included in `-Wall -Wextra'.
Commit 1e65771
-
We don't intend to use C99 variable-length arrays, so make the compiler complain about them.
Commit be51716
Commits on Jul 3, 2019
-
tests: Limit each log to 10 GiB
Limit log output in compat.sh and ssl-opt.sh, in case of failures with these scripts where they may output seemingly unlimited length error logs. Note that ulimit -f uses units of 512 bytes, so we use 10 * 1024 * 1024 * 2 to get 10 GiB.
Commit 6e70eb2
Commits on Jul 4, 2019
-
The window size variable in ecp_pick_window_size() can take values 4, 5 or 6, but we clamp it not to exceed the value of MBEDTLS_ECP_WINDOW_SIZE. If that is 6 (default) or higher, the static analyzer will point out that the test: w > MBEDTLS_ECP_WINDOW_SIZE always evaluates to false. This commit removes the test for the cases of the window size large enough to fit all the potential values of the variable.
Commit 653a4a2
-
Allow running /somewhere/else/path/to/abi_check.py
Don't require abi_check.py to be the one in scripts/ under the current directory.
Commit 6aa32cc
-
Commit b6ce234
-
Record the commits that were compared
Record the commit ID in addition to the symbolic name of the version being tested. This makes it easier to figure out what has been compared when reading logs that don't always indicate explicitly what things like HEAD are. This makes the title of HTML reports somewhat verbose, but I think that's a small price to pay.
Commit 3e2da4a
-
Split _abi_compliance_command into smaller functions
This makes the code easier to read and pacifies pylint.
Commit ada828f
-
Commit 7dfcfce
-
Commit 55b49ee
Commits on Jul 5, 2019
-
Merge pull request ARMmbed#159 from k-stachowiak/IOTCRYPT-474-prevent-dead-code-warning
Prevent dead code warning
Commit e78cd62
-
Test with MBEDTLS_ECP_RESTARTABLE
We accidentally disabled testing with MBEDTLS_ECP_RESTARTABLE. Re-enable testing with restartable ECP when MBEDTLS_USE_PSA_CRYPTO is not set. Fixes 971dea3 ("Enable USE_PSA_CRYPTO with config.pl full")
Commit 0f220ec
-
Merge pull request ARMmbed#149 from gilles-peskine-arm/havege-asan-crypto
Fix misuse of signed ints in the HAVEGE module
Commit b6229e3
-
Commit 06e752b
-
Merge remote-tracking branch 'origin/pr/2699' into development
* origin/pr/2699:
  Update crypto submodule to a revision with the HAVEGE header changes
  Fix misuse of signed ints in the HAVEGE module
Commit 482a479
Commits on Jul 9, 2019
-
Commit 702c659
-
Commit 3e408d5
Commits on Jul 10, 2019
-
Commit 2321945
-
Merge remote-tracking branch 'origin/pr/2314' into development
* origin/pr/2314:
  Improve compatibility with firewalled networks
  Dockerfile: apt -> apt-get
  Change Docker container to bionic
  Clean up file prologue comments
  Add docker-based test scripts
Commit b348a3b
-
Merge remote-tracking branch 'origin/pr/2455' into development
* origin/pr/2455:
  change .gitignore line endings to UNIX
  Update ChangeLog
  mention .gitignore changes in ChangeLog
  add Visual Studio filters to .gitignore
  update .gitignore to include Visual Studio artifacts
Commit f473fa8
-
Merge remote-tracking branch 'origin/pr/2632' into development
* origin/pr/2632:
  Adapt ChangeLog
  Avoid use of large stack buffers in mbedtls_x509_write_crt_pem()
  Improve documentation of mbedtls_pem_write_buffer()
  Perform CRT writing in-place on the output buffer
  Adapt x509write_crt.c to coding style
Commit 6d77d20
-
Merge remote-tracking branch 'origin/pr/2706' into development
* origin/pr/2706:
  Update Mbed Crypto to contain mbed-crypto#152
  CMake: Add a subdirectory build regression test
  README: Enable builds as a CMake subproject
  ChangeLog: Enable builds as a CMake subproject
  Remove use of CMAKE_SOURCE_DIR
Commit 0b8b5e3
-
Merge remote-tracking branch 'origin/pr/2719' into development
* origin/pr/2719:
  Deref pointer when using sizeof in x509_get_other_name
Commit 150d774
-
Merge remote-tracking branch 'origin/pr/2721' into development
* origin/pr/2721:
  ChangeLog: Add ChangeLog entry for #2681
Commit 58259fe
-
Merge remote-tracking branch 'origin/pr/2726' into development
* origin/pr/2726:
  Warn if VLAs are used
  Remove redundant compiler flag
  Consistently spell -Wextra
  Allow declarations after statements
Commit 01604a3
-
Merge remote-tracking branch 'origin/pr/2729' into development
* origin/pr/2729:
  Split _abi_compliance_command into smaller functions
  Record the commits that were compared
  Document how to build the typical argument for -s
  Allow running /somewhere/else/path/to/abi_check.py
Commit 98c234f
-
Merge remote-tracking branch 'origin/pr/2730' into development
* origin/pr/2730:
  Allow TODO in code
  Use the docstring in the command line help
Commit 5db519b
-
Merge remote-tracking branch 'origin/pr/2738' into development
* origin/pr/2738:
  Test with MBEDTLS_ECP_RESTARTABLE
Commit 74a87f8
-
Commit b3d3127
-
Commit a82fdd4
-
Commit 42a2ce8
-
Correct version number for 1.1.0 format (formerly 1.0.1)
Update the 1.1.0 format description now that its version number has been decided. This release turned out to be 1.1.0, not 1.0.1.
Commit 2c8f909
-
Commit a864db0
Commits on Jul 11, 2019
-
Merge remote-tracking branch 'origin/pr/1622' into development
* origin/pr/1622: (29 commits)
  Do not build fuzz on windows
  No booleans and import config
  Removing space before opening parenthesis
  Style corrections
  Syntax fix
  Fixes warnings from MSVC
  Add a linker flag to enable gcov in basic-build-test.sh
  checks MBEDTLS_PEM_PARSE_C
  Restore programs/fuzz/Makefile after in-tree cmake
  Move fuzz directory to programs
  Documentation for corpus generation
  Restore tests/fuzz/Makefile after in-tree cmake
  Adding ifdefs to avoid warnings for unused globals
  Adds LDFLAGS fsanitize=address
  Ignore compiled object files and executables
  Also clean the fuzz subdirectory
  copyediting README.md
  Protecting client/server fuzz targets with ifdefs
  Makefile support 1
  Fuzz README and direct compilation
  ...
Commit 072959f
-
Merge remote-tracking branch 'origin/pr/2660' into development
* origin/pr/2660:
  Fix parsing issue when int parameter is in base 16
  Refactor receive_uint32()
  Refactor get_byte function
  Make the script portable to both pythons
  Update the test encoding to support python3
  update the test script
Commit 8306508
-
Merge remote-tracking branch 'origin/pr/2727' into development
* origin/pr/2727:
  tests: Limit each log to 10 GiB
Commit ff645d9
Commits on Jul 15, 2019
-
Use mbedtls-based path for includes
To help the build system find the correct include files, paths starting with "mbedtls/" or "psa/" must be used. Otherwise, you can run into build failures like the following when building Mbed Crypto as a submodule.
    In file included from chachapoly.c:31:0:
    ../../include/mbedtls/chachapoly.h:43:10: fatal error: poly1305.h: No such file or directory
     #include "poly1305.h"
              ^~~~~~~~~~~~
    compilation terminated.
Includes for ALT implementations are not modified, as the alt headers are provided by system integrators and not Mbed TLS or Mbed Crypto.
Commit c49fbbf
-
Enable ALT implementations of ripemd160
In configurations wanting an alternative ripemd160 implementation, we were including the ordinary Mbed Crypto ripemd160.h instead of the user-provided ripemd160_alt.h. Use the user-provided header instead.
Commit 8045cfb
-
certs.h is not needed in Mbed Crypto. No programs or other library code use it.
Commit b8e4ae1
-
Revert "cpp_dummy_build: Remove dependency on compat-1.3.h"
There is now a test that ensures all headers are included in the cpp_dummy_build test, so we can't remove compat-1.3.h from the cpp_dummy_build test until we remove compat-1.3.h. This reverts commit 2b725ef.
Commit 3a0f08d
-
Allow building with the -Wunused flag
Make some functions non-static, to avoid Wunused function warnings. Make a function scoped variable block scoped instead, to avoid Wunused variable warnings in some configurations.
Commit f7dca86
Commits on Jul 19, 2019
-
Merge pull request ARMmbed#173 from Patater/prep-remove-crypto-from-tls
Prepare for removing crypto from mbedtls
Commit 9565a97
Commits on Jul 23, 2019
-
Add psa_trusted_storage_linux persistent storage support for v1.0.0 APIs
The following provides more information on this PR:
- PSA stands for Platform Security Architecture.
- Add support for use of psa_trusted_storage_api internal_trusted_storage.h v1.0.0 as the interface to the psa_trusted_storage_linux backend (i.e. for persistent storage when MBEDTLS_PSA_ITS_FILE_C is not defined). This requires changes to psa_crypto_its.h and psa_crypto_storage.c to migrate to the new API.
Commit bda5a21
Commits on Jul 24, 2019
-
Merge pull request ARMmbed#180 from simonqhughes/feature-psa-storage
PSA Storage: Add psa_trusted_storage_linux persistent storage support for v1.0.0 APIs
Commit b992313
-
Add CMake option for explicitly link library to trusted_storage (ARMmbed#2)
option name: LINK_WITH_TRUSTED_STORAGE
default value: ON
Moshe Shahar committed Jul 24, 2019
Commit 7e36765
-
Change LINK_WITH_TRUSTED_STORAGE option to OFF
Moshe Shahar committed Jul 24, 2019
Commit 6763fe4
-
Merge pull request ARMmbed#186 from simonqhughes/psa-storage-and-cmake-fix
Add CMake option for explicitly link library to trusted_storage
Commit 456674d
Commits on Jul 30, 2019
-
Merge pull request ARMmbed#165 from gilles-peskine-arm/storage_spec-1.1.0-release
Correct version number in storage format spec
Commit aad3dab
Commits on Jul 31, 2019
-
Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following operations:
- Reject changes related to building a crypto submodule, since Mbed Crypto is the crypto submodule.
- Reject X.509, NET, and SSL changes.
- Reject changes to README, as Mbed Crypto is a different project from Mbed TLS, with a different README.
- Avoid adding mention of ssl-opt.sh in a comment near some modified code in include/CMakeLists.txt (around where ENABLE_TESTING as added).
- Align config.pl in Mbed TLS with config.pl in Mbed Crypto where PSA options are concerned, to make future merging easier. There is no reason for the two to be different in this regard, now that Mbed TLS always depends on Mbed Crypto. Remaining differences are only the PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option and the absence of X.509, NET, and SSL related options in Mbed Crypto's config.pl.
- Align config.h in Mbed Crypto with Mbed TLS's copy, with a few notable exceptions:
  - Leave CMAC on by default.
  - Leave storage on by default (including ITS emulation).
  - Avoid documenting the PSA Crypto API as is in beta stage in documentation for MBEDTLS_PSA_CRYPTO_C.
  The only remaining differences are a lack of X.509, NET, and SSL options in Mbed Crypto's config.h, as well as an additional Mbed-Crypto-specific PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option. Documentation for the check params feature and related macros is also updated to match Mbed TLS's description.
- Reject tests/data_files/Makefile changes to generate DER versions of CRTs and keys, as none of those are used by Mbed Crypto tests.
- Add the "no PEM and no filesystem" test to all.sh, without ssl-opt.sh run, as Mbed Crypto doesn't have ssl-opt.sh. Also remove use of PSA Crypto storage and ITS emulation, since those depend on filesystem support.
- Reject addition of test when no ciphersuites have MAC to all.sh, as the option being tested, MBEDTLS_SSL_SOME_MODES_USE_MAC, is not present in Mbed Crypto.
- Use baremetal config in all.sh, as Mbed Crypto's baremetal configuration does exclude the net module (as it doesn't exist in Mbed Crypto)
- Reject cmake_subproject_build changes, continuing to link only libmbedcrypto.
- Reject changes to visualc and associated templates. Mbed Crypto doesn't need additional logic to handle submodule-sourced headers.
- Avoid adding fuzzers from Mbed TLS. The only relevant fuzzers are the privkey and pubkey fuzzers, but non-trivial work would be required to integrate those into Mbed Crypto (more than is comfortable in a merge commit).
- Reject addition of Docker wrappers for compat.sh and ssl-opt.sh, as those are not present in Mbed Crypto.
- Remove calls to SSL-related scripts from basic-in-docker.sh
Fix test errors by performing the following:
- Avoid using a link that Doxygen can't seem to resolve in Mbed Crypto, but can resolve in Mbed TLS. In documentation for MBEDTLS_CHECK_PARAMS, don't attempt to link to MBEDTLS_PARAM_FAILED.
* origin/development: (339 commits)
  Do not build fuzz on windows
  No booleans and import config
  Removing space before opening parenthesis
  Style corrections
  Syntax fix
  Fixes warnings from MSVC
  Add a linker flag to enable gcov in basic-build-test.sh
  Update crypto submodule to a revision with the HAVEGE header changes
  Test with MBEDTLS_ECP_RESTARTABLE
  Allow TODO in code
  Use the docstring in the command line help
  Split _abi_compliance_command into smaller functions
  Record the commits that were compared
  Document how to build the typical argument for -s
  Allow running /somewhere/else/path/to/abi_check.py
  tests: Limit each log to 10 GiB
  Warn if VLAs are used
  Remove redundant compiler flag
  Consistently spell -Wextra
  Fix parsing issue when int parameter is in base 16
  ...
Commit 8dd1690
-
Merge pull request ARMmbed#187 from Patater/tls-development-20190722
Bring in changes from Mbed TLS as of 2019-07-22
Commit fe93bc4
-
Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190801
Conflict resolution:
* `scripts/config.pl`: Take the exclusion of `MBEDTLS_PSA_CRYPTO_SE_C` from the API branch. Take the removal of `MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C` (obsolete) from the development branch.
* `tests/scripts/all.sh`: Multiple instances of factoring a sequence of `config.pl` calls into a mere `config.pl baremetal` in the development branch, and a change in the composition of `baremetal` in the API branch. In each case, take the version from development.
* `tests/suites/test_suite_psa_crypto_slot_management.function`: A function became non-static in development and disappeared in the API branch. Keep the version from the API branch. Functions need to be non-static if they're defined but unused in some configurations, which is not the case for any function in this file at the moment.
* `tests/suites/test_suite_psa_crypto.function`: Consecutive changes in the two branches, reconciled.
Commit 72c8c5b
-
Commit 8b66389
Commits on Aug 1, 2019
-
Fix PSA init/deinit in mbedtls_xxx tests when using PSA
In tests of mbedtls_cipher_xxx and mbedtls_pk_xxx with MBEDTLS_USE_PSA_CRYPTO enabled, initialize and deinitialize the PSA subsystem in every function. Before, the tests were only passing because the first function to be called happened to call psa_crypto_init() but not mbedtls_psa_crypto_free(). In some configurations (not tested on CI), psa_crypto_init() was not called so the tests using PSA failed. Call PSA_DONE() at the end of each test function. This ensures that no resources are leaked in the form of PSA crypto slot contents. Incidentally, this also fixes a build error due to test_helper_psa_done() being unused in test_suite_pk: the fact that it wasn't used betrayed the missing calls to PSA_DONE().
Commit 5386f6b