Merge branch 'development-proposed' into development-restricted
diff --git a/ChangeLog b/ChangeLog
index 1808b9f..ecbbb78 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -62,6 +62,17 @@
with an alternative implementation:
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
+API Changes
+ * Extend RSA interface by multiple functions allowing structure-
+ independent setup and export of RSA contexts. Most notably,
+ mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
+ up RSA contexts from partial key material and having them completed to the
+ needs of the implementation automatically. This allows to setup private RSA
+ contexts from keys consisting of N,D,E only, even if P,Q are needed for the
+ purpose or CRT and/or blinding.
+ * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
+ implementations of the RSA interface declared in rsa.h.
+
New deprecations
* Deprecate usage of RSA primitives with non-matching key-type
(e.g., signing with a public key).
@@ -121,6 +132,9 @@
RSA test suite where the failure of CTR DRBG initialization lead to
freeing an RSA context and several MPI's without proper initialization
beforehand.
+ * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
+ * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
+ Found and fixed by Martijn de Milliano.
Changes
* Extend cert_write example program by options to set the CRT version
@@ -133,17 +147,7 @@
* Only run AES-192 self-test if AES-192 is available. Fixes #963.
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
undeclared dependency of the RSA module on the ASN.1 module.
-
-API Changes
- * Extend RSA interface by multiple functions allowing structure-
- independent setup and export of RSA contexts. Most notably,
- mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
- up RSA contexts from partial key material and having them completed to the
- needs of the implementation automatically. This allows to setup private RSA
- contexts from keys consisting of N,D,E only, even if P,Q are needed for the
- purpose or CRT and/or blinding.
- * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
- implementations of the RSA interface declared in rsa.h.
+ * Add mechanism to provide alternative implementation of the DHM module.
= mbed TLS 2.6.0 branch released 2017-08-10
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 4933108..7003989 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -269,6 +269,7 @@
//#define MBEDTLS_CCM_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
+//#define MBEDTLS_DHM_ALT
//#define MBEDTLS_GCM_ALT
//#define MBEDTLS_MD2_ALT
//#define MBEDTLS_MD4_ALT
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index d7ab152..f9725ab 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -23,7 +23,13 @@
#ifndef MBEDTLS_DHM_H
#define MBEDTLS_DHM_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
#include "bignum.h"
+#if !defined(MBEDTLS_DHM_ALT)
/*
* DHM Error codes
@@ -291,6 +297,18 @@
#endif /* MBEDTLS_FS_IO */
#endif /* MBEDTLS_ASN1_PARSE_C */
+#ifdef __cplusplus
+}
+#endif
+
+#else /* MBEDTLS_DHM_ALT */
+#include "dhm_alt.h"
+#endif /* MBEDTLS_DHM_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
/**
* \brief Checkup routine
*
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 06166d8..b7a5098 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -373,21 +373,22 @@
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
/**
- * \brief Check usage of certificate against extentedJeyUsage.
+ * \brief Check usage of certificate against extendedKeyUsage.
*
- * \param crt Leaf certificate used.
- * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).
+ * \param crt Leaf certificate used.
+ * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
+ * MBEDTLS_OID_CLIENT_AUTH).
* \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
*
- * \return 0 if this use of the certificate is allowed,
- * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
+ * \return 0 if this use of the certificate is allowed,
+ * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
*
- * \note Usually only makes sense on leaf certificates.
+ * \note Usually only makes sense on leaf certificates.
*/
int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
- const char *usage_oid,
- size_t usage_len );
-#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */
+ const char *usage_oid,
+ size_t usage_len );
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#if defined(MBEDTLS_X509_CRL_PARSE_C)
/**
diff --git a/library/dhm.c b/library/dhm.c
index 668d5f7..24c3bf8 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -57,6 +57,7 @@
#define mbedtls_free free
#endif
+#if !defined(MBEDTLS_DHM_ALT)
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@@ -583,6 +584,7 @@
}
#endif /* MBEDTLS_FS_IO */
#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_DHM_ALT */
#if defined(MBEDTLS_SELF_TEST)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index de3ea80..d8fbe35 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2042,7 +2042,7 @@
const mbedtls_ssl_ciphersuite_t *suite = NULL;
const mbedtls_cipher_info_t *cipher = NULL;
- if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+ if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{
*olen = 0;
diff --git a/library/version_features.c b/library/version_features.c
index 172cf12..ede2276 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -105,6 +105,9 @@
#if defined(MBEDTLS_DES_ALT)
"MBEDTLS_DES_ALT",
#endif /* MBEDTLS_DES_ALT */
+#if defined(MBEDTLS_DHM_ALT)
+ "MBEDTLS_DHM_ALT",
+#endif /* MBEDTLS_DHM_ALT */
#if defined(MBEDTLS_GCM_ALT)
"MBEDTLS_GCM_ALT",
#endif /* MBEDTLS_GCM_ALT */
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index a8ee8fd..4038c36 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -248,6 +248,7 @@
memset( buf, 0, sizeof( buf ) );
+ n = dhm.len;
if( ( ret = mbedtls_net_recv( &client_fd, buf, n ) ) != (int) n )
{
mbedtls_printf( " failed\n ! mbedtls_net_recv returned %d\n\n", ret );
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index ed6ed30..a7f5c90 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -345,7 +345,7 @@
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_rsa_gen_key returned -0x%04x", -ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecp_gen_key returned -0x%04x", -ret );
goto exit;
}
}