Merge mbedtls-2.1-iotssl-1099-incorrect-renego-utils
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
diff --git a/ChangeLog b/ChangeLog
index edb32ae..4578146 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
= mbed TLS x.x.x branch released xxxx-xx-xx
Bugfix
+ * Fix the redefinition of macro ssl_set_bio to an undefined symbol
+ mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
+ Found by omlib-lin. #673
+ * Fix unused variable/function compilation warnings in pem.c and x509_csr.c
+ that are reported when building mbed TLS with a config.h that does not
+ define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
* Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
would compare 64 bits of the record counter instead of 48 bits as indicated
in RFC 6347 Section 4.3.1. This could cause the execution of the
diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
index 27abbd9..af51b5f 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -2453,7 +2453,6 @@
#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
#define ssl_set_authmode mbedtls_ssl_conf_authmode
#define ssl_set_bio mbedtls_ssl_set_bio
-#define ssl_set_bio mbedtls_ssl_set_bio_timeout
#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 9c8645d..a324b69 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -206,7 +206,7 @@
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
* \note This function does NOT take care of message
- * padding. Also, be sure to set input[0] = 0 or assure that
+ * padding. Also, be sure to set input[0] = 0 or ensure that
* input is smaller than N.
*
* \note The input and output buffers must be large
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 54dac16..f219bf1 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -157,7 +157,7 @@
#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13)
#define MBEDTLS_X509_EXT_FRESHEST_CRL (1 << 14)
-#define MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16) /* Parsed (and then ?) */
+#define MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16)
/*
* Storage format identifiers
diff --git a/library/net.c b/library/net.c
index a77268c..b6b08ed 100644
--- a/library/net.c
+++ b/library/net.c
@@ -228,7 +228,7 @@
}
}
- /* I we ever get there, it's a success */
+ /* Bind was successful */
ret = 0;
break;
}
diff --git a/library/pem.c b/library/pem.c
index 1ee3966..b6ad53b 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -44,12 +44,12 @@
#define mbedtls_free free
#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
-#if defined(MBEDTLS_PEM_PARSE_C)
void mbedtls_pem_init( mbedtls_pem_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_pem_context ) );
diff --git a/library/pkparse.c b/library/pkparse.c
index bddcf5d..f0a12f9 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -1186,12 +1186,12 @@
#endif /* MBEDTLS_PEM_PARSE_C */
/*
- * At this point we only know it's not a PEM formatted key. Could be any
- * of the known DER encoded private key formats
- *
- * We try the different DER format parsers to see if one passes without
- * error
- */
+ * At this point we only know it's not a PEM formatted key. Could be any
+ * of the known DER encoded private key formats
+ *
+ * We try the different DER format parsers to see if one passes without
+ * error
+ */
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, key, keylen,
pwd, pwdlen ) ) == 0 )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0c88d2e..43efe0c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3413,7 +3413,7 @@
if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
{
- /* Dont check write errors as we can't do anything here.
+ /* Don't check write errors as we can't do anything here.
* If the error is permanent we'll catch it later,
* if it's not, then hopefully it'll work next time. */
(void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
@@ -5914,8 +5914,9 @@
const char **p;
/*
- * "Empty strings MUST NOT be included and byte strings MUST NOT be
- * truncated". Check lengths now rather than later.
+ * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
+ * MUST NOT be truncated."
+ * We check lengths now rather than later.
*/
tot_len = 0;
for( p = protos; *p != NULL; p++ )
@@ -7480,7 +7481,7 @@
* and, for DTLS, to/from TLS equivalent.
*
* For TLS this is the identity.
- * For DTLS, use one complement (v -> 255 - v, and then map as follows:
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
* 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
*/
diff --git a/library/x509.c b/library/x509.c
index 33bcb9e..b063a19 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -656,7 +656,7 @@
/*
* X.509 Extensions (No parsing of extensions, pointer should
- * be either manually updated or extensions should be parsed!
+ * be either manually updated or extensions should be parsed!)
*/
int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
mbedtls_x509_buf *ext, int tag )
diff --git a/library/x509_csr.c b/library/x509_csr.c
index dbf659b..60f66b3 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -259,8 +259,8 @@
*/
int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen )
{
- int ret;
#if defined(MBEDTLS_PEM_PARSE_C)
+ int ret;
size_t use_len;
mbedtls_pem_context pem;
#endif
diff --git a/scripts/config.pl b/scripts/config.pl
index d4c32fd..d8d6a20 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -5,9 +5,28 @@
use warnings;
use strict;
+my $config_file = "include/mbedtls/config.h";
my $usage = <<EOU;
-$0 [-f <file>] unset <name>
-$0 [-f <file>] set <name> [<value>]
+$0 [-f <file>] [set <symbol> <value> | unset <symbol> | full | realfull]
+
+Commands
+ set <symbol> [<value>] - Uncomments or adds a #define for the <symbol> to
+ the configuration file, and optionally making it
+ of <value>.
+ If the symbol isn't present in the file an error
+ is returned.
+ unset <symbol> - Comments out the #define for the given symbol if
+ present in the configuration file.
+ full - Uncomments all #define's in the configuration file
+ excluding some reserved symbols, until the
+ 'Module configuration options' section
+ realfull - Uncomments all #define's with no exclusions
+
+Options
+ -f <filename> - The file or file path for the configuration file
+ to edit. When omitted, the following default is
+ used:
+ $config_file
EOU
# for our eyes only:
# $0 [-f <file>] full|realfull
@@ -40,8 +59,6 @@
PLATFORM_[A-Z0-9]+_ALT
);
-my $config_file = "include/mbedtls/config.h";
-
# get -f option
if (@ARGV >= 2 && $ARGV[0] eq "-f") {
shift; # -f
diff --git a/scripts/data_files/rename-1.3-2.0.txt b/scripts/data_files/rename-1.3-2.0.txt
index 397f6be..cb3381a 100644
--- a/scripts/data_files/rename-1.3-2.0.txt
+++ b/scripts/data_files/rename-1.3-2.0.txt
@@ -1996,7 +1996,6 @@
ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
ssl_set_authmode mbedtls_ssl_conf_authmode
ssl_set_bio mbedtls_ssl_set_bio
-ssl_set_bio_timeout mbedtls_ssl_set_bio_timeout
ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites