Merge pull request #3350 from gilles-peskine-arm/error-include-asn1-development
Include asn1.h in error.c
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 7a0d95d..9b02ba5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -79,4 +79,4 @@
1. Complex parts in the code should include comments.
1. If needed, a Readme file is advised.
1. If a [Knowledge Base (KB)](https://tls.mbed.org/kb) article should be added, write this as a comment in the PR description.
-1. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog) entry should be added for this contribution.
+1. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog.d/00README.md) entry should be added for this contribution.
diff --git a/ChangeLog.d/bugfix_PR2855.txt b/ChangeLog.d/bugfix_PR2855.txt
new file mode 100644
index 0000000..a097321
--- /dev/null
+++ b/ChangeLog.d/bugfix_PR2855.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855.
\ No newline at end of file
diff --git a/ChangeLog.d/fix-print-non-ascii-string-in-mbedtls_x509_dn_gets.txt b/ChangeLog.d/fix-print-non-ascii-string-in-mbedtls_x509_dn_gets.txt
new file mode 100644
index 0000000..320b0b8
--- /dev/null
+++ b/ChangeLog.d/fix-print-non-ascii-string-in-mbedtls_x509_dn_gets.txt
@@ -0,0 +1,3 @@
+Changes
+ * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
+ Contributed by Koh M. Nakagawa in #3326.
diff --git a/ChangeLog.d/inline-mbedtls_gcc_group_to_psa.txt b/ChangeLog.d/inline-mbedtls_gcc_group_to_psa.txt
new file mode 100644
index 0000000..d0bd1dc
--- /dev/null
+++ b/ChangeLog.d/inline-mbedtls_gcc_group_to_psa.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix potential linker errors on dual world platforms by inlining
+ mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
+ from psa_crypto.c. Fixes #3300.
diff --git a/ChangeLog.d/midipix-support.txt b/ChangeLog.d/midipix-support.txt
new file mode 100644
index 0000000..53599ab
--- /dev/null
+++ b/ChangeLog.d/midipix-support.txt
@@ -0,0 +1,2 @@
+Features
+ * Add support for midipix, a POSIX layer for Microsoft Windows.
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index e9fa311..84cc5ab 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -578,8 +578,55 @@
* (`PSA_ECC_CURVE_xxx`).
* \return \c 0 on failure (\p grpid is not recognized).
*/
-psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
- size_t *bits );
+static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
+ size_t *bits )
+{
+ switch( grpid )
+ {
+ case MBEDTLS_ECP_DP_SECP192R1:
+ *bits = 192;
+ return( PSA_ECC_CURVE_SECP_R1 );
+ case MBEDTLS_ECP_DP_SECP224R1:
+ *bits = 224;
+ return( PSA_ECC_CURVE_SECP_R1 );
+ case MBEDTLS_ECP_DP_SECP256R1:
+ *bits = 256;
+ return( PSA_ECC_CURVE_SECP_R1 );
+ case MBEDTLS_ECP_DP_SECP384R1:
+ *bits = 384;
+ return( PSA_ECC_CURVE_SECP_R1 );
+ case MBEDTLS_ECP_DP_SECP521R1:
+ *bits = 521;
+ return( PSA_ECC_CURVE_SECP_R1 );
+ case MBEDTLS_ECP_DP_BP256R1:
+ *bits = 256;
+ return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
+ case MBEDTLS_ECP_DP_BP384R1:
+ *bits = 384;
+ return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
+ case MBEDTLS_ECP_DP_BP512R1:
+ *bits = 512;
+ return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
+ case MBEDTLS_ECP_DP_CURVE25519:
+ *bits = 255;
+ return( PSA_ECC_CURVE_MONTGOMERY );
+ case MBEDTLS_ECP_DP_SECP192K1:
+ *bits = 192;
+ return( PSA_ECC_CURVE_SECP_K1 );
+ case MBEDTLS_ECP_DP_SECP224K1:
+ *bits = 224;
+ return( PSA_ECC_CURVE_SECP_K1 );
+ case MBEDTLS_ECP_DP_SECP256K1:
+ *bits = 256;
+ return( PSA_ECC_CURVE_SECP_K1 );
+ case MBEDTLS_ECP_DP_CURVE448:
+ *bits = 448;
+ return( PSA_ECC_CURVE_MONTGOMERY );
+ default:
+ *bits = 0;
+ return( 0 );
+ }
+}
/** Convert an ECC curve identifier from the PSA encoding to Mbed TLS.
*
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index c9b2c95..8b4a5af 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -52,7 +52,7 @@
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__)
+ !defined(__HAIKU__) && !defined(__midipix__)
#error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
#endif
@@ -95,7 +95,7 @@
* Since there is no wrapper in the libc yet, use the generic syscall wrapper
* available in GNU libc and compatible libc's (eg uClibc).
*/
-#if defined(__linux__) && defined(__GLIBC__)
+#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
#include <unistd.h>
#include <sys/syscall.h>
#if defined(SYS_getrandom)
@@ -113,7 +113,7 @@
return( syscall( SYS_getrandom, buf, buflen, flags ) );
}
#endif /* SYS_getrandom */
-#endif /* __linux__ */
+#endif /* __linux__ || __midipix__ */
#include <stdio.h>
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 5c1e665..8258aea 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -34,7 +34,7 @@
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__)
+ !defined(__HAIKU__) && !defined(__midipix__)
#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
#endif
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 733a2e4..6932318 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -375,55 +375,6 @@
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
#if defined(MBEDTLS_ECP_C)
-psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
- size_t *bits )
-{
- switch( grpid )
- {
- case MBEDTLS_ECP_DP_SECP192R1:
- *bits = 192;
- return( PSA_ECC_CURVE_SECP_R1 );
- case MBEDTLS_ECP_DP_SECP224R1:
- *bits = 224;
- return( PSA_ECC_CURVE_SECP_R1 );
- case MBEDTLS_ECP_DP_SECP256R1:
- *bits = 256;
- return( PSA_ECC_CURVE_SECP_R1 );
- case MBEDTLS_ECP_DP_SECP384R1:
- *bits = 384;
- return( PSA_ECC_CURVE_SECP_R1 );
- case MBEDTLS_ECP_DP_SECP521R1:
- *bits = 521;
- return( PSA_ECC_CURVE_SECP_R1 );
- case MBEDTLS_ECP_DP_BP256R1:
- *bits = 256;
- return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
- case MBEDTLS_ECP_DP_BP384R1:
- *bits = 384;
- return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
- case MBEDTLS_ECP_DP_BP512R1:
- *bits = 512;
- return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
- case MBEDTLS_ECP_DP_CURVE25519:
- *bits = 255;
- return( PSA_ECC_CURVE_MONTGOMERY );
- case MBEDTLS_ECP_DP_SECP192K1:
- *bits = 192;
- return( PSA_ECC_CURVE_SECP_K1 );
- case MBEDTLS_ECP_DP_SECP224K1:
- *bits = 224;
- return( PSA_ECC_CURVE_SECP_K1 );
- case MBEDTLS_ECP_DP_SECP256K1:
- *bits = 256;
- return( PSA_ECC_CURVE_SECP_K1 );
- case MBEDTLS_ECP_DP_CURVE448:
- *bits = 448;
- return( PSA_ECC_CURVE_MONTGOMERY );
- default:
- return( 0 );
- }
-}
-
mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve,
size_t byte_length )
{
diff --git a/library/timing.c b/library/timing.c
index 009516a..4a65422 100644
--- a/library/timing.c
+++ b/library/timing.c
@@ -40,7 +40,7 @@
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__)
+ !defined(__HAIKU__) && !defined(__midipix__)
#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
#endif
diff --git a/library/x509.c b/library/x509.c
index 4c2f721..e969b8d 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -787,7 +787,7 @@
break;
c = name->val.p[i];
- if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
+ if( c < 32 || c >= 127 )
s[i] = '?';
else s[i] = c;
}
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 1e62ed5..51e6aac 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -652,10 +652,6 @@
mbedtls_x509_subject_alternative_name dummy_san_buf;
memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) );
- if( ( end - *p ) < 1 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
-
tag = **p;
(*p)++;
if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
@@ -669,7 +665,7 @@
}
/*
- * Check that the SAN are structured correct.
+ * Check that the SAN is structured correctly.
*/
ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );
/*
diff --git a/scripts/output_env.sh b/scripts/output_env.sh
index 04edc38..3545279 100755
--- a/scripts/output_env.sh
+++ b/scripts/output_env.sh
@@ -13,6 +13,7 @@
# This includes:
# - architecture of the system
# - type and version of the operating system
+# - version of make and cmake
# - version of armcc, clang, gcc-arm and gcc compilers
# - version of libc, clang, asan and valgrind if installed
# - version of gnuTLS and OpenSSL
@@ -71,6 +72,12 @@
echo "** Tool Versions:"
echo
+print_version "make" "--version" "" "head -n 1"
+echo
+
+print_version "cmake" "--version" "" "head -n 1"
+echo
+
if [ "${RUN_ARMCC:-1}" -ne 0 ]; then
: "${ARMC5_CC:=armcc}"
print_version "$ARMC5_CC" "--vsn" "" "head -n 2"
@@ -105,6 +112,9 @@
print_version "python" "--version" "" "head -n 1"
echo
+print_version "python3" "--version" "" "head -n 1"
+echo
+
# Find the installed version of Pylint. Installed as a distro package this can
# be pylint3 and as a PEP egg, pylint. In test scripts We prefer pylint over
# pylint3
diff --git a/tests/data_files/non-ascii-string-in-issuer.crt b/tests/data_files/non-ascii-string-in-issuer.crt
new file mode 100644
index 0000000..99db871
--- /dev/null
+++ b/tests/data_files/non-ascii-string-in-issuer.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnTCCAoWgAwIBAgIUBeZT5xt08LXThG0Mbdz6P6RaK+AwDQYJKoZIhvcNAQEL
+BQAwXjELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMR8wHQYDVQQKDBbDo8KD
+wobDo8KCwrnDo8KDwoggTHRkMR4wHAYDVQQDDBXDo8KDwobDo8KCwrnDo8KDwogg
+Q0EwHhcNMjAwNTIwMTYxNzIzWhcNMjAwNjE5MTYxNzIzWjBeMQswCQYDVQQGEwJK
+UDEOMAwGA1UECAwFVG9reW8xHzAdBgNVBAoMFsOjwoPChsOjwoLCucOjwoPCiCBM
+dGQxHjAcBgNVBAMMFcOjwoPChsOjwoLCucOjwoPCiCBDQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMkh8YszXqyKsEzm5XMpmLd9WL6ba3QDK0uuePTj
+Uqt6RYjTHMDdu1T/gRUi15++6VAl2vUEcUKI4Lxarb9TuypsHfWLGDlioC4xo/5X
+63fbvIEK6qeluY43v3/dXVLoak4E5C3i9hGpcCVUrawlFKQeuEoNgpxtAy4cA0HV
+RhGK6cEddIo9lRksvO1jD2Xmi90+7STRYmyTVkHyj966f3xEr+8/VKcz2mG1PZgw
+x2kYwv7JZ0F+vbjU2S1OATCS4lqEPJT0ggotIJCmxdv1XorPbYn3uNjT8Lp/UHgW
++4+K0OxdlD0GS7AxffCcq0ltVeUyHq9s2cG2AiP8603aeAUCAwEAAaNTMFEwHQYD
+VR0OBBYEFKT8qVhvMaptyhJMcvz+c3Q0fkzDMB8GA1UdIwQYMBaAFKT8qVhvMapt
+yhJMcvz+c3Q0fkzDMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AHR6U3p2DdhwdqhY73vAxtdmAML157cYoZSQiEfpp/Kr3MWoBods6VKHS6flv+T3
+TEf4G0oyEqKoJk3liIyTvUO5CiwXmiiJlYhQmWkEb3zcYVSSFXKvyEQYKLR3ggD/
+C4sCTohfYGB924vI619u6mjnNEBX7yiyZbfJ0uHd7BpOimFVeAos8hJ8Z5T+gESa
+Tiv6EJPK+m3vKTK2w45M/xLEmGMrwxEB1IZnRz19in/Iqe5/sfMfEVXJSQ052tuO
+GLl6reeMaHlbflB/HyoBRo1xM7Av6zy3TIM55Z3C6ry3pcTH6Y+U7Sz9Lw9MyYCX
+b1QAPqg1U0lZZaSNUMsiAjI=
+-----END CERTIFICATE-----
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 23a9932..831e0ab 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -174,6 +174,10 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n <unsupported>\next key usage \: TLS Web Client Authentication\n"
+X509 CRT information Non-ASCII string in issuer name and subject name
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509_cert_info:"data_files/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nsubject name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
+
X509 certificate v1 with extension
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C
x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \:\n dNSName \: identity-check.org\n dNSName \: www.identity-check.org\n <unsupported>\n"