Merge branch 'pr_1219' into development-proposed
diff --git a/ChangeLog b/ChangeLog
index 01e2a73..a81e3a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,6 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS x.x.x branch released xxxx-xx-xx
+= mbed TLS 2.7.x branch released 2018-xx-xx
Features
* Extend PKCS#8 interface by introducing support for the entire SHA
@@ -9,6 +9,17 @@
uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
OpenVPN Inc. Fixes #1339
+Bugfix
+ * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
+ Fixes #1358.
+ * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
+
+Changes
+ * Fix tag lengths and value ranges in the documentation of CCM encryption.
+ Contributed by Mathieu Briand.
+ * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
+ * Remove support for the library reference configuration for picocoin.
+
= mbed TLS 2.7.0 branch released 2018-02-03
Security
diff --git a/configs/config-picocoin.h b/configs/config-picocoin.h
deleted file mode 100644
index 5d41f28..0000000
--- a/configs/config-picocoin.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * \file config-picocoin.h
- *
- * \brief Reduced configuration used by Picocoin.
- */
-/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
- */
-/*
- * Reduced configuration used by Picocoin.
- *
- * See README.txt for usage instructions.
- *
- * Distinguishing features:
- * - no SSL/TLS;
- * - no X.509;
- * - ECDSA/PK and some other chosen crypto bits.
- */
-
-#ifndef MBEDTLS_CONFIG_H
-#define MBEDTLS_CONFIG_H
-
-/* System support */
-#define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HAVE_TIME
-
-/* mbed TLS feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#define MBEDTLS_ECDSA_DETERMINISTIC
-#define MBEDTLS_PK_PARSE_EC_EXTENDED
-#define MBEDTLS_ERROR_STRERROR_DUMMY
-#define MBEDTLS_FS_IO
-
-/* mbed TLS modules */
-#define MBEDTLS_AESNI_C
-#define MBEDTLS_AES_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PADLOCK_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-#define MBEDTLS_RIPEMD160_C
-#define MBEDTLS_SHA1_C
-#define MBEDTLS_SHA256_C
-
-#include "mbedtls/check_config.h"
-
-#endif /* MBEDTLS_CONFIG_H */
diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h
index 5a9ee4a..630b7fd 100644
--- a/include/mbedtls/ccm.h
+++ b/include/mbedtls/ccm.h
@@ -105,7 +105,7 @@
* Must be at least \p length Bytes wide.
* \param tag The buffer holding the tag.
* \param tag_len The length of the tag to generate in Bytes:
- * 4, 6, 8, 10, 14 or 16.
+ * 4, 6, 8, 10, 12, 14 or 16.
*
* \note The tag is written to a separate buffer. To concatenate
* the \p tag with the \p output, as done in <em>RFC-3610:
@@ -131,10 +131,13 @@
* \param iv_len The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13.
* \param add The additional data field.
* \param add_len The length of additional data in Bytes.
+ * Must be less than 2^16 - 2^8.
* \param input The buffer holding the input data.
* \param output The buffer holding the output data.
+ * Must be at least \p length Bytes wide.
* \param tag The buffer holding the tag.
* \param tag_len The length of the tag in Bytes.
+ * 4, 6, 8, 10, 12, 14 or 16.
*
* \return 0 if successful and authenticated, or
* #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index da2e66b..00fafd8 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -372,7 +372,7 @@
* in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
* IETF Standards</em>.
*/
-#define MBEDTLS_DHM_RFC5114_MODP_P \
+#define MBEDTLS_DHM_RFC5114_MODP_2048_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \
"B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index c2310cb..ff532a0 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -19,7 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
- * The NIST SP 800-90 DRBGs are described in the following publucation.
+ * The NIST SP 800-90 DRBGs are described in the following publication.
*
* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
*/
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index b559af8..d5fc12d 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -653,34 +653,39 @@
cleanup
make CC=gcc CFLAGS='-Werror -Wall -Wextra -m32'
- msg "build: gcc, force 32-bit compilation"
- cleanup
- cp "$CONFIG_H" "$CONFIG_BAK"
- scripts/config.pl unset MBEDTLS_HAVE_ASM
- scripts/config.pl unset MBEDTLS_AESNI_C
- scripts/config.pl unset MBEDTLS_PADLOCK_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
-
- msg "build: gcc, force 64-bit compilation"
- cleanup
- cp "$CONFIG_H" "$CONFIG_BAK"
- scripts/config.pl unset MBEDTLS_HAVE_ASM
- scripts/config.pl unset MBEDTLS_AESNI_C
- scripts/config.pl unset MBEDTLS_PADLOCK_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
-
- msg "test: gcc, force 64-bit compilation"
+ msg "test: i386, make, gcc"
make test
- msg "build: gcc, force 64-bit compilation"
+ msg "build: 64-bit ILP32, make, gcc" # ~ 30s
cleanup
- cp "$CONFIG_H" "$CONFIG_BAK"
- scripts/config.pl unset MBEDTLS_HAVE_ASM
- scripts/config.pl unset MBEDTLS_AESNI_C
- scripts/config.pl unset MBEDTLS_PADLOCK_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32'
+
+ msg "test: 64-bit ILP32, make, gcc"
+ make test
fi # x86_64
+msg "build: gcc, force 32-bit bignum limbs"
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl unset MBEDTLS_HAVE_ASM
+scripts/config.pl unset MBEDTLS_AESNI_C
+scripts/config.pl unset MBEDTLS_PADLOCK_C
+make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
+
+msg "test: gcc, force 32-bit bignum limbs"
+make test
+
+msg "build: gcc, force 64-bit bignum limbs"
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl unset MBEDTLS_HAVE_ASM
+scripts/config.pl unset MBEDTLS_AESNI_C
+scripts/config.pl unset MBEDTLS_PADLOCK_C
+make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
+
+msg "test: gcc, force 64-bit bignum limbs"
+make test
+
msg "build: arm-none-eabi-gcc, make" # ~ 10s
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index a9a89f1..79bacd4 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -23,8 +23,6 @@
'config-suite-b.h' => {
'compat' => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
},
- 'config-picocoin.h' => {
- },
'config-ccm-psk-tls1_2.h' => {
'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
},
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index e847836..2180f5c 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -5,8 +5,8 @@
#include "mbedtls/ecp.h"
#include "mbedtls/rsa.h"
-/* For detecting 64-bit compilation */
-#include "mbedtls/bignum.h"
+#include <limits.h>
+#include <stdint.h>
static int rnd_std_rand( void *rng_state, unsigned char *output, size_t len );
@@ -413,11 +413,14 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_HAVE_INT64 */
+/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
void pk_rsa_overflow( )
{
mbedtls_pk_context pk;
- size_t hash_len = (size_t)-1;
+ size_t hash_len = SIZE_MAX;
+
+ if( SIZE_MAX <= UINT_MAX )
+ return;
mbedtls_pk_init( &pk );
@@ -486,13 +489,13 @@
TEST_ASSERT( strcmp( mbedtls_pk_get_name( &alt ), "RSA-alt" ) == 0 );
/* Test signature */
- TEST_ASSERT( mbedtls_pk_sign( &alt, MBEDTLS_MD_NONE, hash, sizeof hash,
- sig, &sig_len, rnd_std_rand, NULL ) == 0 );
-#if defined(MBEDTLS_HAVE_INT64)
- TEST_ASSERT( mbedtls_pk_sign( &alt, MBEDTLS_MD_NONE, hash, (size_t)-1,
- NULL, NULL, rnd_std_rand, NULL ) ==
+#if SIZE_MAX > UINT_MAX
+ TEST_ASSERT( mbedtls_pk_sign( &alt, MBEDTLS_MD_NONE, hash, SIZE_MAX,
+ sig, &sig_len, rnd_std_rand, NULL ) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA );
-#endif /* MBEDTLS_HAVE_INT64 */
+#endif /* SIZE_MAX > UINT_MAX */
+ TEST_ASSERT( mbedtls_pk_sign( &alt, MBEDTLS_MD_NONE, hash, sizeof hash,
+ sig, &sig_len, rnd_std_rand, NULL ) == 0 );
TEST_ASSERT( sig_len == RSA_KEY_LEN );
TEST_ASSERT( mbedtls_pk_verify( &rsa, MBEDTLS_MD_NONE,
hash, sizeof hash, sig, sig_len ) == 0 );