Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
Add ChangeLog entry for previous commit
cert_write : fix "Destination buffer is too small" error
Add ChangeLog entry for previous two commits
Test certificate "Server1 SHA1, key_usage" reissued.
Fix boolean values according to DER specs
Fix typo in an OID name
Disable reportedly broken assembly of Sparc(64)
ECHDE-PSK does not use a certificate
Actually ignore most non-fatal alerts
diff --git a/ChangeLog b/ChangeLog
index ffdb5c4..57592b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,20 @@
on untrusted input or write keys of untrusted origin. Found by Guido
Vranken, Interlworks.
+Bugfix
+ * Fix bug causing some handshakes to fail due to some non-fatal alerts not
+ begin properly ignored. Found by mancha and Kasom Koht-arsa, #308
+ * Fix build error with configurations where ECDHE-PSK is the only key
+ exchange. Found and fix provided by Chris Hammond. #270
+ * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
+ Found by Kurt Danielson. #292
+ * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
+ * Fix bug in ASN.1 encoding of booleans that caused generated CA
+ certificates to be rejected by some applications, including OS X
+ Keychain. Found and fixed by Jonathan Leroy, Inikup.
+ * Fix "Destination buffer is too small" error in cert_write program.
+ Found and fixed by Jonathan Leroy, Inikup.
+
= mbed TLS 1.3.14 released 2015-10-06
Security
diff --git a/include/polarssl/bn_mul.h b/include/polarssl/bn_mul.h
index b2eb1e8..55b94a7 100644
--- a/include/polarssl/bn_mul.h
+++ b/include/polarssl/bn_mul.h
@@ -409,10 +409,11 @@
#endif /* PPC32 */
/*
- * The Sparc64 assembly is reported to be broken.
+ * The Sparc(64) assembly is reported to be broken.
* Disable it for now, until we're able to fix it.
*/
-#if 0 && defined(__sparc__) && defined(__sparc64__)
+#if 0 && defined(__sparc__)
+#if defined(__sparc64__)
#define MULADDC_INIT \
asm( \
@@ -443,9 +444,8 @@
: "g1", "o0", "o1", "o2", "o3", "o4", \
"o5" \
);
-#endif /* SPARCv9 */
-#if defined(__sparc__) && !defined(__sparc64__)
+#else /* __sparc64__ */
#define MULADDC_INIT \
asm( \
@@ -477,7 +477,8 @@
"o5" \
);
-#endif /* SPARCv8 */
+#endif /* __sparc64__ */
+#endif /* __sparc__ */
#if defined(__microblaze__) || defined(microblaze)
diff --git a/include/polarssl/ssl_ciphersuites.h b/include/polarssl/ssl_ciphersuites.h
index 1fcf4c7..f0519ca 100644
--- a/include/polarssl/ssl_ciphersuites.h
+++ b/include/polarssl/ssl_ciphersuites.h
@@ -252,7 +252,6 @@
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
- defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED
diff --git a/library/asn1write.c b/library/asn1write.c
index 87e130e..6a7c9d3 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -192,7 +192,7 @@
if( *p - start < 1 )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
- *--(*p) = (boolean) ? 1 : 0;
+ *--(*p) = (boolean) ? 255 : 0;
len++;
ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
diff --git a/library/oid.c b/library/oid.c
index b616d7e..682b845 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -268,7 +268,7 @@
EXT_KEY_USAGE,
},
{
- { ADD_LEN( OID_EXTENDED_KEY_USAGE ), "id-ce-keyUsage", "Extended Key Usage" },
+ { ADD_LEN( OID_EXTENDED_KEY_USAGE ), "id-ce-extKeyUsage", "Extended Key Usage" },
EXT_EXTENDED_KEY_USAGE,
},
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 82d0380..d9eb0a9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2220,6 +2220,7 @@
/*
* Read the record header and validate it
*/
+read_record_header:
if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
@@ -2417,7 +2418,7 @@
ssl->in_msg[0], ssl->in_msg[1] ) );
/*
- * Ignore non-fatal alerts, except close_notify
+ * Ignore non-fatal alerts, except close_notify and no_renego
*/
if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
{
@@ -2432,6 +2433,29 @@
SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
}
+
+ if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
+ ssl->in_msg[1] == SSL_ALERT_MSG_NO_RENEGOTIATION )
+ {
+ SSL_DEBUG_MSG( 2, ( "is a no_renegotiation" ) );
+ /* Will be handled when trying to parse ServerHello */
+ ssl->in_left = 0;
+ return( 0 );
+ }
+
+ if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
+ ssl->endpoint == SSL_IS_SERVER &&
+ ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
+ ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
+ {
+ SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
+ /* Will be handled in ssl_parse_certificate() */
+ ssl->in_left = 0;
+ return( 0 );
+ }
+
+ /* Silently discard: fetch new message */
+ goto read_record_header;
}
ssl->in_left = 0;
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 5010193..57cb6c7 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -190,11 +190,11 @@
pk_context *issuer_key = &loaded_issuer_key,
*subject_key = &loaded_subject_key;
char buf[1024];
- char issuer_name[128];
+ char issuer_name[256];
int i;
char *p, *q, *r;
#if defined(POLARSSL_X509_CSR_PARSE_C)
- char subject_name[128];
+ char subject_name[256];
x509_csr csr;
#endif
x509write_cert crt;
diff --git a/tests/data_files/server1.key_usage.crt b/tests/data_files/server1.key_usage.crt
index 8a4c480..8f4e59f 100644
--- a/tests/data_files/server1.key_usage.crt
+++ b/tests/data_files/server1.key_usage.crt
@@ -10,11 +10,11 @@
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAQEEBAMCAeAw
-DQYJKoZIhvcNAQEFBQADggEBAFd3JxNC2rEz94ProSZcv8NNk3e3Dhfms84qjkCM
-YhLyZCZywZ2cj3bXThNGVND81UNgqyzk/MEGfKh5d0EHD8v97H7Zvs/EN814d0UC
-/BZWlXqX9XInjxlI3baJrRWvsJJdRxMqub9LGBdhgZAtF1BVF9fk2QrV0GW6VN7a
-dGYdRYO80yf+vf5g41A0DIi3dhdLF1H7UPDwfUwkF5QckXw0yqueszcmxvCAnxng
-AUKoFS971WWCjCo8lMzOXOjeAwmibihT9XBabVzN1w3gOfSBbpHFi770bWgbKPWu
-csFKtvrXGtLVQeKkfI1lIMWWeddvkMWWBIqFrkBBLLOI4+A=
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCAeAw
+DQYJKoZIhvcNAQEFBQADggEBABKC/1x0m57EY4H412ue3ghCWgg07VcRKamnUSTs
+tnqI5T0mSvuPrxhINdQB6360ibctBkXP3S9rxGHiUdeK/JqxYs2YamCs50TSWpon
+p4Hzcmjsw1YgXsQ6pmYwkzU03zqs361gt7JSOzL2dN0IjwIy47qfLQb/AXhX2Ims
+7gBuqVpYqJuSHR0qsN/c6WgIE3IrbK1MB6CJTkxBfcSc5E4oUIBHmww+RSVLOczM
+nGk3U13dmfG0ndhMtrMyyxBZZSUwoZLjRZ6J5mHSv+k8oo1PYQeiivNEP53mgVaY
+ha0gLUIk6zNBRpY1uUmxQ+RQSMIyYPBb1RedHn2s8El2mlo=
-----END CERTIFICATE-----