Merge branch 'development'
diff --git a/ChangeLog b/ChangeLog
index 9e62acb..86f36bb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -44,9 +44,19 @@
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
by inestlerode. #559.
+ * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
+ data structure until after error checks are successful. Found by
+ subramanyam-c. #622
* Fix documentation and implementation missmatch for function arguments of
mbedtls_gcm_finish(). Found by cmiatpaar. #602
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
+ * Fix potential byte overread when verifying malformed SERVER_HELLO in
+ ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
+ * Fix check for validity of date when parsing in mbedtls_x509_get_time().
+ Found by subramanyam-c. #626
+ * Fix compatibility issue with Internet Explorer client authentication,
+ where the limited hash choices prevented the client from sending its
+ certificate. Found by teumas. #513
Changes
* Extended test coverage of special cases, and added new timing test suite.
@@ -62,6 +72,8 @@
naming collision in projects which also have files with the common name
net.c. For consistency, the corresponding header file, net.h, is marked as
deprecated, and its contents moved to net_sockets.h.
+ * Changed the strategy for X.509 certificate parsing and validation, to no
+ longer disregard certificates with unrecognised fields.
= mbed TLS 2.3.0 branch released 2016-06-28
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 1c0513d..ba499d2 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -107,6 +107,8 @@
#define MBEDTLS_ERR_SSL_TIMEOUT -0x6800 /**< The operation timed out. */
#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT -0x6780 /**< The client initiated a reconnect from the same port. */
#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD -0x6700 /**< Record header looks valid but is not expected. */
+#define MBEDTLS_ERR_SSL_NON_FATAL -0x6680 /**< The alert message received indicates a non-fatal error. */
+#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH -0x6600 /**< Couldn't set the hash for verifying CertificateVerify */
/*
* Various constants
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index d63d7d4..668c0f5 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -355,6 +355,11 @@
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
+
int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
@@ -384,6 +389,7 @@
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
unsigned char mbedtls_ssl_hash_from_md_alg( int md );
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
#if defined(MBEDTLS_ECP_C)
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
diff --git a/library/error.c b/library/error.c
index 71d4faa..dd2db0c 100644
--- a/library/error.c
+++ b/library/error.c
@@ -435,6 +435,10 @@
mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
+ mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
+ mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
diff --git a/library/sha256.c b/library/sha256.c
index 4e82c0b..ad25d38 100644
--- a/library/sha256.c
+++ b/library/sha256.c
@@ -41,7 +41,10 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
#define mbedtls_printf printf
+#define mbedtls_calloc calloc
+#define mbedtls_free free
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
@@ -389,10 +392,19 @@
int mbedtls_sha256_self_test( int verbose )
{
int i, j, k, buflen, ret = 0;
- unsigned char buf[1024];
+ unsigned char *buf;
unsigned char sha256sum[32];
mbedtls_sha256_context ctx;
+ buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+ if( NULL == buf )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "Buffer allocation failed\n" );
+
+ return( 1 );
+ }
+
mbedtls_sha256_init( &ctx );
for( i = 0; i < 6; i++ )
@@ -436,6 +448,7 @@
exit:
mbedtls_sha256_free( &ctx );
+ mbedtls_free( buf );
return( ret );
}
diff --git a/library/sha512.c b/library/sha512.c
index 0f9e1e5..724522a 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -47,7 +47,10 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
#define mbedtls_printf printf
+#define mbedtls_calloc calloc
+#define mbedtls_free free
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
@@ -445,10 +448,19 @@
int mbedtls_sha512_self_test( int verbose )
{
int i, j, k, buflen, ret = 0;
- unsigned char buf[1024];
+ unsigned char *buf;
unsigned char sha512sum[64];
mbedtls_sha512_context ctx;
+ buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+ if( NULL == buf )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "Buffer allocation failed\n" );
+
+ return( 1 );
+ }
+
mbedtls_sha512_init( &ctx );
for( i = 0; i < 6; i++ )
@@ -492,6 +504,7 @@
exit:
mbedtls_sha512_free( &ctx );
+ mbedtls_free( buf );
return( ret );
}
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 29a3943..223823b 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1355,6 +1355,15 @@
cookie_len = *p++;
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
+ if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "cookie length does not match incoming message size" ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+ }
+
mbedtls_free( ssl->handshake->verify_cookie );
ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
@@ -2630,6 +2639,15 @@
{
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
+#if defined(MBEDTLS_DEBUG_C)
+ unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
+ size_t i;
+
+ for( i = 0; i < sig_alg_len; i += 2 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d,%d", sig_alg[i], sig_alg[i + 1] ) );
+ }
+#endif
n += 2 + sig_alg_len;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 4b0f997..fc0d2d7 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1043,7 +1043,6 @@
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
- mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
/*
* SSLv2 Client Hello relevant renegotiation security checks
@@ -1840,7 +1839,6 @@
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
- mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
ssl->state++;
@@ -2556,29 +2554,27 @@
*/
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- /*
- * Only use current running hash algorithm that is already required
- * for requested ciphersuite.
- */
- ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA256;
-
- if( ssl->transform_negotiate->ciphersuite_info->mac ==
- MBEDTLS_MD_SHA384 )
- {
- ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA384;
- }
+ const int *cur;
/*
* Supported signature algorithms
*/
+ for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+ {
+ unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
+
+ if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
+ continue;
+
#if defined(MBEDTLS_RSA_C)
- p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
- p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
+ p[2 + sa_len++] = hash;
+ p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
#endif
#if defined(MBEDTLS_ECDSA_C)
- p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
- p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
+ p[2 + sa_len++] = hash;
+ p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
#endif
+ }
p[0] = (unsigned char)( sa_len >> 8 );
p[1] = (unsigned char)( sa_len );
@@ -3581,17 +3577,28 @@
return( 0 );
}
- /* Needs to be done before read_record() to exclude current message */
- ssl->handshake->calc_verify( ssl, hash );
+ /* Read the message without adding it to the checksum */
+ do {
- if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+ if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+ return( ret );
+ }
+
+ ret = mbedtls_ssl_handle_message_type( ssl );
+
+ } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
+
+ if( 0 != ret )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
return( ret );
}
ssl->state++;
+ /* Process the message contents */
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
{
@@ -3638,14 +3645,19 @@
/*
* Hash
*/
- if( ssl->in_msg[i] != ssl->handshake->verify_sig_alg )
+ md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
+
+ if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
" for verify message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
}
- md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
+#if !defined(MBEDTLS_MD_SHA1)
+ if( MBEDTLS_MD_SHA1 == md_alg )
+ hash_start += 16;
+#endif
/* Info from md_alg will be used instead */
hashlen = 0;
@@ -3696,6 +3708,9 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
}
+ /* Calculate hash and verify signature */
+ ssl->handshake->calc_verify( ssl, hash );
+
if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len ) ) != 0 )
@@ -3704,6 +3719,8 @@
return( ret );
}
+ mbedtls_ssl_update_handshake_status( ssl );
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
return( ret );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 505bb6c..5272318 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -49,8 +49,7 @@
#include <string.h>
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/oid.h"
#endif
@@ -3083,7 +3082,7 @@
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
-static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
{
if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
{
@@ -3165,6 +3164,12 @@
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
+ return( 0 );
+}
+
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
+{
+
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
ssl->handshake != NULL )
{
@@ -3179,8 +3184,6 @@
ssl->handshake->in_msg_seq++;
}
#endif
-
- return( 0 );
}
/*
@@ -3736,6 +3739,38 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
+ do {
+
+ if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+ return( ret );
+ }
+
+ ret = mbedtls_ssl_handle_message_type( ssl );
+
+ } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
+
+ if( 0 != ret )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
+ return( ret );
+ }
+
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+ {
+ mbedtls_ssl_update_handshake_status( ssl );
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
+
+ return( 0 );
+}
+
+int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
+{
+ int ret;
+
if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen )
{
/*
@@ -3749,9 +3784,6 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
ssl->in_msg, ssl->in_msglen );
- if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
- return( ret );
-
return( 0 );
}
@@ -3760,7 +3792,10 @@
/*
* Read the record header and parse it
*/
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
read_record_header:
+#endif
+
if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
@@ -3914,13 +3949,22 @@
}
#endif
+ return( 0 );
+}
+
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
+{
+ int ret;
+
/*
* Handle particular types of records
*/
if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
{
- if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
+ if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
+ {
return( ret );
+ }
}
if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
@@ -3968,11 +4012,9 @@
#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
/* Silently ignore: fetch new message */
- goto read_record_header;
+ return MBEDTLS_ERR_SSL_NON_FATAL;
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
-
return( 0 );
}
@@ -4347,7 +4389,7 @@
ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
ssl->in_msg + i, n );
- if( ret != 0 )
+ if( 0 != ret && ( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND ) != ret )
{
MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
return( ret );
@@ -7603,4 +7645,47 @@
}
}
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+
+ switch( md )
+ {
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_SSL_HASH_MD5:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls;
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_SSL_HASH_SHA1:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls;
+ break;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_SSL_HASH_SHA384:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_SSL_HASH_SHA256:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+ }
+
+ return 0;
+#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
+ (void) ssl;
+ (void) md;
+
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/x509.c b/library/x509.c
index bc3bfe0..fad390d 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -80,6 +80,7 @@
#endif
#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
/*
* CertificateSerialNumber ::= INTEGER
@@ -489,6 +490,33 @@
return 0;
}
+static int x509_date_is_valid(const mbedtls_x509_time *time)
+{
+ int ret = MBEDTLS_ERR_X509_INVALID_DATE;
+
+ CHECK_RANGE( 0, 9999, time->year );
+ CHECK_RANGE( 0, 23, time->hour );
+ CHECK_RANGE( 0, 59, time->min );
+ CHECK_RANGE( 0, 59, time->sec );
+
+ switch( time->mon )
+ {
+ case 1: case 3: case 5: case 7: case 8: case 10: case 12:
+ CHECK_RANGE( 1, 31, time->day );
+ break;
+ case 4: case 6: case 9: case 11:
+ CHECK_RANGE( 1, 30, time->day );
+ break;
+ case 2:
+ CHECK_RANGE( 1, 28 + (time->year % 4 == 0), time->day );
+ break;
+ default:
+ return( ret );
+ }
+
+ return( 0 );
+}
+
/*
* Time ::= CHOICE {
* utcTime UTCTime,
@@ -528,6 +556,8 @@
time->year += 100 * ( time->year < 50 );
time->year += 1900;
+ CHECK( x509_date_is_valid( time ) );
+
return( 0 );
}
else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
@@ -548,6 +578,8 @@
if( len > 14 && *(*p)++ != 'Z' )
return( MBEDTLS_ERR_X509_INVALID_DATE );
+ CHECK( x509_date_is_valid( time ) );
+
return( 0 );
}
else
@@ -559,16 +591,18 @@
{
int ret;
size_t len;
+ int tag_type;
if( ( end - *p ) < 1 )
return( MBEDTLS_ERR_X509_INVALID_SIGNATURE +
MBEDTLS_ERR_ASN1_OUT_OF_DATA );
- sig->tag = **p;
+ tag_type = **p;
if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_SIGNATURE + ret );
+ sig->tag = tag_type;
sig->len = len;
sig->p = *p;
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 48b97ce..875d0b08 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -36,7 +36,8 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
+ defined(MBEDTLS_SHA1_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
@@ -55,7 +56,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
+ !defined(MBEDTLS_SHA1_C)
int main( void )
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index 173a29d..8bf2b1b 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -36,7 +36,8 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
+ defined(MBEDTLS_SHA1_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
@@ -55,7 +56,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
+ !defined(MBEDTLS_SHA1_C)
int main( void )
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 429d9cd..09a947e 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1725,6 +1725,24 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+run_test "Authentication: client SHA256, server required" \
+ "$P_SRV auth_mode=required" \
+ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
+ key_file=data_files/server6.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
+ 0 \
+ -c "Supported Signature Algorithm found: 4," \
+ -c "Supported Signature Algorithm found: 5,"
+
+run_test "Authentication: client SHA384, server required" \
+ "$P_SRV auth_mode=required" \
+ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
+ key_file=data_files/server6.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
+ 0 \
+ -c "Supported Signature Algorithm found: 4," \
+ -c "Supported Signature Algorithm found: 5,"
+
run_test "Authentication: client badcert, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 17711dc..c829823 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1526,3 +1526,39 @@
X509 File parse (trailing spaces, OK)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
x509parse_crt_file:"data_files/server7_trailing_space.crt":0
+
+X509 Get time (UTC no issues)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
+
+X509 Get time (Generalized Time no issues)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"99991231235959Z":0:9999:12:31:23:59:59
+
+X509 Get time (UTC year without leap day)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"490229121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC year with leap day)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212Z":0:2000:2:29:12:12:12
+
+X509 Get time (UTC invalid day of month #1)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000132121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid day of month #2)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001131121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid hour)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130241212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid min)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130236012Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (UTC invalid sec)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130235960Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 2affab7..be85869 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1,4 +1,5 @@
/* BEGIN_HEADER */
+#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
#include "mbedtls/x509_csr.h"
@@ -590,6 +591,39 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */
+void x509_get_time( int tag, char *time_str, int ret,
+ int year, int mon, int day,
+ int hour, int min, int sec )
+{
+ mbedtls_x509_time time;
+ unsigned char buf[17];
+ unsigned char* start = buf;
+ unsigned char* end = buf;
+
+ memset( &time, 0x00, sizeof( time ) );
+ *end = (unsigned char)tag; end++;
+ if( tag == MBEDTLS_ASN1_UTC_TIME )
+ *end = 13;
+ else
+ *end = 15;
+ end++;
+ memcpy( end, time_str, (size_t)*(end - 1) );
+ end += *(end - 1);
+
+ TEST_ASSERT( mbedtls_x509_get_time( &start, end, &time ) == ret );
+ if( ret == 0 )
+ {
+ TEST_ASSERT( year == time.year );
+ TEST_ASSERT( mon == time.mon );
+ TEST_ASSERT( day == time.day );
+ TEST_ASSERT( hour == time.hour );
+ TEST_ASSERT( min == time.min );
+ TEST_ASSERT( sec == time.sec );
+ }
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */
void x509_parse_rsassa_pss_params( char *hex_params, int params_tag,
int ref_msg_md, int ref_mgf_md,