Merge branch 'development-restricted'
diff --git a/ChangeLog b/ChangeLog
index 9e62acb..f96786d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,12 +1,17 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS 2.3.x branch released 2016-xx-xx
+= mbed TLS 2.4.0 branch released 2016-10-17
Security
- * Fix potential stack corruption in mbedtls_x509write_crt_der() and
+ * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
+ with RFC-5116 and could lead to session key recovery in very long TLS
+ sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
+ TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
+ https://eprint.iacr.org/2016/475.pdf
+ * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. The
- issue cannot be triggered remotely. (found by Jethro Beekman)
+ issue cannot be triggered remotely. Found by Jethro Beekman.
Features
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
@@ -18,7 +23,7 @@
* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
configure the maximum length of a file path that can be buffered when
calling mbedtls_x509_crt_parse_path().
- * Added a configuration file config-no-entropy.h that enables a subset of
+ * Added a configuration file config-no-entropy.h that configures the subset of
library features that do not require an entropy source.
* Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
to configure the minimum number of bytes for entropy sources using the
@@ -29,24 +34,35 @@
may need time but not the standard C library abstraction, and added
configuration consistency checks to check_config.h
* Fix dependency issue in Makefile to allow parallel builds.
- * Fix incorrect handling of block lengths in crypt_and_hash sample program,
- when GCM is used. #441
+ * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
+ when GCM is used. Found by udf2457. #441
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
enabled unless others were also present. Found by David Fernandez. #428
* Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
a contribution from Tobias Tangemann. #541
- * Fixed cert_app sample program for debug output and for use when no root
+ * Fixed cert_app.c sample program for debug output and for use when no root
certificates are provided.
* Fix conditional statement that would cause a 1 byte overread in
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
* Fixed pthread implementation to avoid unintended double initialisations
- and double frees. (found by Niklas Amnebratt)
+ and double frees. Found by Niklas Amnebratt.
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
by inestlerode. #559.
+ * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
+ data structure until after error checks are successful. Found by
+ subramanyam-c. #622
* Fix documentation and implementation missmatch for function arguments of
mbedtls_gcm_finish(). Found by cmiatpaar. #602
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
+ * Fix potential byte overread when verifying malformed SERVER_HELLO in
+ ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
+ * Fix check for validity of date when parsing in mbedtls_x509_get_time().
+ Found by subramanyam-c. #626
+ * Fix compatibility issue with Internet Explorer client authentication,
+ where the limited hash choices prevented the client from sending its
+ certificate. Found by teumas. #513
+ * Fix compilation without MBEDTLS_SELF_TEST enabled.
Changes
* Extended test coverage of special cases, and added new timing test suite.
@@ -57,11 +73,13 @@
* Added support for a Yotta specific configuration file -
through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
* Added optimization for code space for X.509/OID based on configured
- features. (contributed by Aviv Palivoda)
+ features. Contributed by Aviv Palivoda.
* Renamed source file library/net.c to library/net_sockets.c to avoid
naming collision in projects which also have files with the common name
net.c. For consistency, the corresponding header file, net.h, is marked as
deprecated, and its contents moved to net_sockets.h.
+ * Changed the strategy for X.509 certificate parsing and validation, to no
+ longer disregard certificates with unrecognised fields.
= mbed TLS 2.3.0 branch released 2016-06-28
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index b13083c..f2fcc8b 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -21,7 +21,7 @@
*/
/**
- * @mainpage mbed TLS v2.3.0 source code documentation
+ * @mainpage mbed TLS v2.4.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 253e184..344be8c 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v2.3.0"
+PROJECT_NAME = "mbed TLS v2.4.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 498e5b5..6fc9c77 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -941,18 +941,6 @@
//#define MBEDTLS_SHA256_SMALLER
/**
- * \def MBEDTLS_SSL_AEAD_RANDOM_IV
- *
- * Generate a random IV rather than using the record sequence number as a
- * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
- *
- * Using the sequence number is generally recommended.
- *
- * Uncomment this macro to always use random IVs with AEAD ciphersuites.
- */
-//#define MBEDTLS_SSL_AEAD_RANDOM_IV
-
-/**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
*
* Enable sending of alert messages in case of encountered errors as per RFC.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 1c0513d..ba499d2 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -107,6 +107,8 @@
#define MBEDTLS_ERR_SSL_TIMEOUT -0x6800 /**< The operation timed out. */
#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT -0x6780 /**< The client initiated a reconnect from the same port. */
#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD -0x6700 /**< Record header looks valid but is not expected. */
+#define MBEDTLS_ERR_SSL_NON_FATAL -0x6680 /**< The alert message received indicates a non-fatal error. */
+#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH -0x6600 /**< Couldn't set the hash for verifying CertificateVerify */
/*
* Various constants
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index d63d7d4..668c0f5 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -355,6 +355,11 @@
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
+
int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
@@ -384,6 +389,7 @@
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
unsigned char mbedtls_ssl_hash_from_md_alg( int md );
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
#if defined(MBEDTLS_ECP_C)
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index b40aa51..6c0cc9b 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -38,7 +38,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
-#define MBEDTLS_VERSION_MINOR 3
+#define MBEDTLS_VERSION_MINOR 4
#define MBEDTLS_VERSION_PATCH 0
/**
@@ -46,9 +46,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02030000
-#define MBEDTLS_VERSION_STRING "2.3.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.3.0"
+#define MBEDTLS_VERSION_NUMBER 0x02040000
+#define MBEDTLS_VERSION_STRING "2.4.0"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.4.0"
#if defined(MBEDTLS_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index eeb8e84..6eb11f2 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -140,15 +140,15 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
- set_target_properties(mbedcrypto PROPERTIES VERSION 2.3.0 SOVERSION 0)
+ set_target_properties(mbedcrypto PROPERTIES VERSION 2.4.0 SOVERSION 0)
target_link_libraries(mbedcrypto ${libs})
add_library(mbedx509 SHARED ${src_x509})
- set_target_properties(mbedx509 PROPERTIES VERSION 2.3.0 SOVERSION 0)
+ set_target_properties(mbedx509 PROPERTIES VERSION 2.4.0 SOVERSION 0)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
add_library(mbedtls SHARED ${src_tls})
- set_target_properties(mbedtls PROPERTIES VERSION 2.3.0 SOVERSION 10)
+ set_target_properties(mbedtls PROPERTIES VERSION 2.4.0 SOVERSION 10)
target_link_libraries(mbedtls ${libs} mbedx509)
install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/library/error.c b/library/error.c
index 71d4faa..dd2db0c 100644
--- a/library/error.c
+++ b/library/error.c
@@ -435,6 +435,10 @@
mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
+ mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
+ mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
diff --git a/library/sha256.c b/library/sha256.c
index 4e82c0b..ad25d38 100644
--- a/library/sha256.c
+++ b/library/sha256.c
@@ -41,7 +41,10 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
#define mbedtls_printf printf
+#define mbedtls_calloc calloc
+#define mbedtls_free free
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
@@ -389,10 +392,19 @@
int mbedtls_sha256_self_test( int verbose )
{
int i, j, k, buflen, ret = 0;
- unsigned char buf[1024];
+ unsigned char *buf;
unsigned char sha256sum[32];
mbedtls_sha256_context ctx;
+ buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+ if( NULL == buf )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "Buffer allocation failed\n" );
+
+ return( 1 );
+ }
+
mbedtls_sha256_init( &ctx );
for( i = 0; i < 6; i++ )
@@ -436,6 +448,7 @@
exit:
mbedtls_sha256_free( &ctx );
+ mbedtls_free( buf );
return( ret );
}
diff --git a/library/sha512.c b/library/sha512.c
index 0f9e1e5..724522a 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -47,7 +47,10 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
#define mbedtls_printf printf
+#define mbedtls_calloc calloc
+#define mbedtls_free free
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
@@ -445,10 +448,19 @@
int mbedtls_sha512_self_test( int verbose )
{
int i, j, k, buflen, ret = 0;
- unsigned char buf[1024];
+ unsigned char *buf;
unsigned char sha512sum[64];
mbedtls_sha512_context ctx;
+ buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+ if( NULL == buf )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "Buffer allocation failed\n" );
+
+ return( 1 );
+ }
+
mbedtls_sha512_init( &ctx );
for( i = 0; i < 6; i++ )
@@ -492,6 +504,7 @@
exit:
mbedtls_sha512_free( &ctx );
+ mbedtls_free( buf );
return( ret );
}
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 29a3943..223823b 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1355,6 +1355,15 @@
cookie_len = *p++;
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
+ if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "cookie length does not match incoming message size" ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+ }
+
mbedtls_free( ssl->handshake->verify_cookie );
ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
@@ -2630,6 +2639,15 @@
{
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
+#if defined(MBEDTLS_DEBUG_C)
+ unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
+ size_t i;
+
+ for( i = 0; i < sig_alg_len; i += 2 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d,%d", sig_alg[i], sig_alg[i + 1] ) );
+ }
+#endif
n += 2 + sig_alg_len;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 4b0f997..fc0d2d7 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1043,7 +1043,6 @@
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
- mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
/*
* SSLv2 Client Hello relevant renegotiation security checks
@@ -1840,7 +1839,6 @@
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
- mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
ssl->state++;
@@ -2556,29 +2554,27 @@
*/
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- /*
- * Only use current running hash algorithm that is already required
- * for requested ciphersuite.
- */
- ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA256;
-
- if( ssl->transform_negotiate->ciphersuite_info->mac ==
- MBEDTLS_MD_SHA384 )
- {
- ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA384;
- }
+ const int *cur;
/*
* Supported signature algorithms
*/
+ for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+ {
+ unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
+
+ if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
+ continue;
+
#if defined(MBEDTLS_RSA_C)
- p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
- p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
+ p[2 + sa_len++] = hash;
+ p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
#endif
#if defined(MBEDTLS_ECDSA_C)
- p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
- p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
+ p[2 + sa_len++] = hash;
+ p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
#endif
+ }
p[0] = (unsigned char)( sa_len >> 8 );
p[1] = (unsigned char)( sa_len );
@@ -3581,17 +3577,28 @@
return( 0 );
}
- /* Needs to be done before read_record() to exclude current message */
- ssl->handshake->calc_verify( ssl, hash );
+ /* Read the message without adding it to the checksum */
+ do {
- if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+ if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+ return( ret );
+ }
+
+ ret = mbedtls_ssl_handle_message_type( ssl );
+
+ } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
+
+ if( 0 != ret )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
return( ret );
}
ssl->state++;
+ /* Process the message contents */
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
{
@@ -3638,14 +3645,19 @@
/*
* Hash
*/
- if( ssl->in_msg[i] != ssl->handshake->verify_sig_alg )
+ md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
+
+ if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
" for verify message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
}
- md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
+#if !defined(MBEDTLS_MD_SHA1)
+ if( MBEDTLS_MD_SHA1 == md_alg )
+ hash_start += 16;
+#endif
/* Info from md_alg will be used instead */
hashlen = 0;
@@ -3696,6 +3708,9 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
}
+ /* Calculate hash and verify signature */
+ ssl->handshake->calc_verify( ssl, hash );
+
if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len ) ) != 0 )
@@ -3704,6 +3719,8 @@
return( ret );
}
+ mbedtls_ssl_update_handshake_status( ssl );
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
return( ret );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 505bb6c..84a04ae 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -49,8 +49,7 @@
#include <string.h>
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/oid.h"
#endif
@@ -1374,17 +1373,6 @@
/*
* Generate IV
*/
-#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
- ret = ssl->conf->f_rng( ssl->conf->p_rng,
- ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
- ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
- if( ret != 0 )
- return( ret );
-
- memcpy( ssl->out_iv,
- ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
- ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
-#else
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
{
/* Reminder if we ever add an AEAD mode with a different size */
@@ -1395,7 +1383,6 @@
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->out_ctr, 8 );
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
-#endif
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@@ -3083,7 +3070,7 @@
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
-static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
{
if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
{
@@ -3165,6 +3152,12 @@
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
+ return( 0 );
+}
+
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
+{
+
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
ssl->handshake != NULL )
{
@@ -3179,8 +3172,6 @@
ssl->handshake->in_msg_seq++;
}
#endif
-
- return( 0 );
}
/*
@@ -3736,6 +3727,38 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
+ do {
+
+ if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+ return( ret );
+ }
+
+ ret = mbedtls_ssl_handle_message_type( ssl );
+
+ } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
+
+ if( 0 != ret )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
+ return( ret );
+ }
+
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+ {
+ mbedtls_ssl_update_handshake_status( ssl );
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
+
+ return( 0 );
+}
+
+int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
+{
+ int ret;
+
if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen )
{
/*
@@ -3749,9 +3772,6 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
ssl->in_msg, ssl->in_msglen );
- if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
- return( ret );
-
return( 0 );
}
@@ -3760,7 +3780,10 @@
/*
* Read the record header and parse it
*/
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
read_record_header:
+#endif
+
if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
@@ -3914,13 +3937,22 @@
}
#endif
+ return( 0 );
+}
+
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
+{
+ int ret;
+
/*
* Handle particular types of records
*/
if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
{
- if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
+ if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
+ {
return( ret );
+ }
}
if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
@@ -3968,11 +4000,9 @@
#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
/* Silently ignore: fetch new message */
- goto read_record_header;
+ return MBEDTLS_ERR_SSL_NON_FATAL;
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
-
return( 0 );
}
@@ -4347,7 +4377,7 @@
ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
ssl->in_msg + i, n );
- if( ret != 0 )
+ if( 0 != ret && ( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND ) != ret )
{
MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
return( ret );
@@ -7603,4 +7633,47 @@
}
}
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+
+ switch( md )
+ {
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_SSL_HASH_MD5:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls;
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_SSL_HASH_SHA1:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls;
+ break;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_SSL_HASH_SHA384:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_SSL_HASH_SHA256:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+ }
+
+ return 0;
+#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
+ (void) ssl;
+ (void) md;
+
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/version_features.c b/library/version_features.c
index 0a2f065..e866e67 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -324,9 +324,6 @@
#if defined(MBEDTLS_SHA256_SMALLER)
"MBEDTLS_SHA256_SMALLER",
#endif /* MBEDTLS_SHA256_SMALLER */
-#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
- "MBEDTLS_SSL_AEAD_RANDOM_IV",
-#endif /* MBEDTLS_SSL_AEAD_RANDOM_IV */
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
"MBEDTLS_SSL_ALL_ALERT_MESSAGES",
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
diff --git a/library/x509.c b/library/x509.c
index bc3bfe0..fad390d 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -80,6 +80,7 @@
#endif
#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
/*
* CertificateSerialNumber ::= INTEGER
@@ -489,6 +490,33 @@
return 0;
}
+static int x509_date_is_valid(const mbedtls_x509_time *time)
+{
+ int ret = MBEDTLS_ERR_X509_INVALID_DATE;
+
+ CHECK_RANGE( 0, 9999, time->year );
+ CHECK_RANGE( 0, 23, time->hour );
+ CHECK_RANGE( 0, 59, time->min );
+ CHECK_RANGE( 0, 59, time->sec );
+
+ switch( time->mon )
+ {
+ case 1: case 3: case 5: case 7: case 8: case 10: case 12:
+ CHECK_RANGE( 1, 31, time->day );
+ break;
+ case 4: case 6: case 9: case 11:
+ CHECK_RANGE( 1, 30, time->day );
+ break;
+ case 2:
+ CHECK_RANGE( 1, 28 + (time->year % 4 == 0), time->day );
+ break;
+ default:
+ return( ret );
+ }
+
+ return( 0 );
+}
+
/*
* Time ::= CHOICE {
* utcTime UTCTime,
@@ -528,6 +556,8 @@
time->year += 100 * ( time->year < 50 );
time->year += 1900;
+ CHECK( x509_date_is_valid( time ) );
+
return( 0 );
}
else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
@@ -548,6 +578,8 @@
if( len > 14 && *(*p)++ != 'Z' )
return( MBEDTLS_ERR_X509_INVALID_DATE );
+ CHECK( x509_date_is_valid( time ) );
+
return( 0 );
}
else
@@ -559,16 +591,18 @@
{
int ret;
size_t len;
+ int tag_type;
if( ( end - *p ) < 1 )
return( MBEDTLS_ERR_X509_INVALID_SIGNATURE +
MBEDTLS_ERR_ASN1_OUT_OF_DATA );
- sig->tag = **p;
+ tag_type = **p;
if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_SIGNATURE + ret );
+ sig->tag = tag_type;
sig->len = len;
sig->p = *p;
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 48b97ce..875d0b0 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -36,7 +36,8 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
+ defined(MBEDTLS_SHA1_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
@@ -55,7 +56,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
+ !defined(MBEDTLS_SHA1_C)
int main( void )
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index 173a29d..8bf2b1b 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -36,7 +36,8 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
+ defined(MBEDTLS_SHA1_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
@@ -55,7 +56,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
+ !defined(MBEDTLS_SHA1_C)
int main( void )
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 429d9cd..57155b8 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -333,8 +333,10 @@
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options: -s pattern pattern that must be present in server output
# -c pattern pattern that must be present in client output
+# -u pattern lines after pattern must be unique in client output
# -S pattern pattern that must be absent in server output
# -C pattern pattern that must be absent in client output
+# -U pattern lines after pattern must be unique in server output
run_test() {
NAME="$1"
shift 1
@@ -475,28 +477,49 @@
case $1 in
"-s")
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
- fail "-s $2"
+ fail "pattern '$2' MUST be present in the Server output"
return
fi
;;
"-c")
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
- fail "-c $2"
+ fail "pattern '$2' MUST be present in the Client output"
return
fi
;;
"-S")
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
- fail "-S $2"
+ fail "pattern '$2' MUST NOT be present in the Server output"
return
fi
;;
"-C")
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
- fail "-C $2"
+ fail "pattern '$2' MUST NOT be present in the Client output"
+ return
+ fi
+ ;;
+
+ # The filtering in the following two options (-u and -U) do the following
+ # - ignore valgrind output
+ # - filter out everything but lines right after the pattern occurances
+ # - keep one of each non-unique line
+ # - count how many lines remain
+ # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
+ # if there were no duplicates.
+ "-U")
+ if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
+ fail "lines following pattern '$2' must be unique in Server output"
+ return
+ fi
+ ;;
+
+ "-u")
+ if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
+ fail "lines following pattern '$2' must be unique in Client output"
return
fi
;;
@@ -639,6 +662,14 @@
-s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
+# Test for uniqueness of IVs in AEAD ciphersuites
+run_test "Unique IV in GCM" \
+ "$P_SRV exchanges=20 debug_level=4" \
+ "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
+ 0 \
+ -u "IV used" \
+ -U "IV used"
+
# Tests for rc4 option
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
@@ -1725,6 +1756,24 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+run_test "Authentication: client SHA256, server required" \
+ "$P_SRV auth_mode=required" \
+ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
+ key_file=data_files/server6.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
+ 0 \
+ -c "Supported Signature Algorithm found: 4," \
+ -c "Supported Signature Algorithm found: 5,"
+
+run_test "Authentication: client SHA384, server required" \
+ "$P_SRV auth_mode=required" \
+ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
+ key_file=data_files/server6.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
+ 0 \
+ -c "Supported Signature Algorithm found: 4," \
+ -c "Supported Signature Algorithm found: 5,"
+
run_test "Authentication: client badcert, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 5938447..63815df 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -140,6 +140,11 @@
return 0;
}
+
+static void close_output( FILE* out_stream )
+{
+ fclose( out_stream );
+}
#endif /* __unix__ || __APPLE__ __MACH__ */
static int unhexify( unsigned char *obuf, const char *ibuf )
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index 14209a5..afff5a4 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -261,7 +261,7 @@
char buf[5000];
char *params[50];
void *pointer;
- int stdout_fd = 0;
+ int stdout_fd = -1;
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
!defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
@@ -499,6 +499,11 @@
mbedtls_memory_buffer_alloc_free();
#endif
+#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+ if( stdout_fd != -1 )
+ close_output( stdout );
+#endif /* __unix__ || __APPLE__ __MACH__ */
+
return( total_errors != 0 );
}
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index f9c2011..52f09ed 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"2.3.0"
+check_compiletime_version:"2.4.0"
Check runtime library version
-check_runtime_version:"2.3.0"
+check_runtime_version:"2.4.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 17711dc..c829823 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1526,3 +1526,39 @@
X509 File parse (trailing spaces, OK)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
x509parse_crt_file:"data_files/server7_trailing_space.crt":0
+
+X509 Get time (UTC no issues)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
+
+X509 Get time (Generalized Time no issues)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"99991231235959Z":0:9999:12:31:23:59:59
+
+X509 Get time (UTC year without leap day)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"490229121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC year with leap day)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212Z":0:2000:2:29:12:12:12
+
+X509 Get time (UTC invalid day of month #1)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000132121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid day of month #2)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001131121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid hour)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130241212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid min)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130236012Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid sec)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130235960Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 2affab7..be85869 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1,4 +1,5 @@
/* BEGIN_HEADER */
+#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
#include "mbedtls/x509_csr.h"
@@ -590,6 +591,39 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */
+void x509_get_time( int tag, char *time_str, int ret,
+ int year, int mon, int day,
+ int hour, int min, int sec )
+{
+ mbedtls_x509_time time;
+ unsigned char buf[17];
+ unsigned char* start = buf;
+ unsigned char* end = buf;
+
+ memset( &time, 0x00, sizeof( time ) );
+ *end = (unsigned char)tag; end++;
+ if( tag == MBEDTLS_ASN1_UTC_TIME )
+ *end = 13;
+ else
+ *end = 15;
+ end++;
+ memcpy( end, time_str, (size_t)*(end - 1) );
+ end += *(end - 1);
+
+ TEST_ASSERT( mbedtls_x509_get_time( &start, end, &time ) == ret );
+ if( ret == 0 )
+ {
+ TEST_ASSERT( year == time.year );
+ TEST_ASSERT( mon == time.mon );
+ TEST_ASSERT( day == time.day );
+ TEST_ASSERT( hour == time.hour );
+ TEST_ASSERT( min == time.min );
+ TEST_ASSERT( sec == time.sec );
+ }
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */
void x509_parse_rsassa_pss_params( char *hex_params, int params_tag,
int ref_msg_md, int ref_mgf_md,
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index a92e581..85dc3d8 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -157,6 +157,7 @@
<ClInclude Include="..\..\include\mbedtls\check_config.h" />
<ClInclude Include="..\..\include\mbedtls\cipher.h" />
<ClInclude Include="..\..\include\mbedtls\cipher_internal.h" />
+ <ClInclude Include="..\..\include\mbedtls\cmac.h" />
<ClInclude Include="..\..\include\mbedtls\compat-1.3.h" />
<ClInclude Include="..\..\include\mbedtls\config.h" />
<ClInclude Include="..\..\include\mbedtls\ctr_drbg.h" />
@@ -179,6 +180,7 @@
<ClInclude Include="..\..\include\mbedtls\md5.h" />
<ClInclude Include="..\..\include\mbedtls\md_internal.h" />
<ClInclude Include="..\..\include\mbedtls\memory_buffer_alloc.h" />
+ <ClInclude Include="..\..\include\mbedtls\net.h" />
<ClInclude Include="..\..\include\mbedtls\net_sockets.h" />
<ClInclude Include="..\..\include\mbedtls\oid.h" />
<ClInclude Include="..\..\include\mbedtls\padlock.h" />
@@ -189,6 +191,7 @@
<ClInclude Include="..\..\include\mbedtls\pkcs12.h" />
<ClInclude Include="..\..\include\mbedtls\pkcs5.h" />
<ClInclude Include="..\..\include\mbedtls\platform.h" />
+ <ClInclude Include="..\..\include\mbedtls\platform_time.h" />
<ClInclude Include="..\..\include\mbedtls\ripemd160.h" />
<ClInclude Include="..\..\include\mbedtls\rsa.h" />
<ClInclude Include="..\..\include\mbedtls\sha1.h" />
@@ -223,6 +226,7 @@
<ClCompile Include="..\..\library\certs.c" />
<ClCompile Include="..\..\library\cipher.c" />
<ClCompile Include="..\..\library\cipher_wrap.c" />
+ <ClCompile Include="..\..\library\cmac.c" />
<ClCompile Include="..\..\library\ctr_drbg.c" />
<ClCompile Include="..\..\library\debug.c" />
<ClCompile Include="..\..\library\des.c" />