tls: Update to Mbed TLS 2.19.0

2019-09-06 15:02:55 +01:00 · 2019-09-06 15:02:55 +01:00 · fd67fdf70a
parent fc13550647
commit fd67fdf70a
12 changed files with 85 additions and 19 deletions
--- a/features/mbedtls/VERSION.txt
+++ b/features/mbedtls/VERSION.txt
@ -1 +1 @@
-mbedtls-2.19.0d0
+mbedtls-2.19.0
--- a/features/mbedtls/importer/Makefile
+++ b/features/mbedtls/importer/Makefile
@ -27,7 +27,7 @@
 #

 # Set the mbed TLS release to import (this can/should be edited before import)
-MBED_TLS_RELEASE ?= mbedtls-2.19.0d0
+MBED_TLS_RELEASE ?= mbedtls-2.19.0
 MBED_TLS_REPO_URL ?= git@github.com:ARMmbed/mbedtls-restricted.git

 # Translate between mbed TLS namespace and mbed namespace
--- a/features/mbedtls/inc/mbedtls/check_config.h
+++ b/features/mbedtls/inc/mbedtls/check_config.h
@ -130,6 +130,11 @@
 #error "MBEDTLS_ECP_RESTARTABLE defined, but not MBEDTLS_ECDH_LEGACY_CONTEXT"
 #endif

+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)           && \
+    defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+#error "MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED defined, but MBEDTLS_ECDH_LEGACY_CONTEXT not disabled"
+#endif
+
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
 #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
 #endif
@ -145,7 +150,9 @@
    !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   &&                  \
    !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) &&                  \
    !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) &&                  \
-    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) ) )
+    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) &&                 \
+    !defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
 #error "MBEDTLS_ECP_C defined, but not all prerequisites"
 #endif

--- a/features/mbedtls/inc/mbedtls/config.h
+++ b/features/mbedtls/inc/mbedtls/config.h
@ -3592,6 +3592,15 @@
 */
 //#define MBEDTLS_PLATFORM_GMTIME_R_ALT

+/**
+ * Enable the verified implementations of ECDH primitives from Project Everest
+ * (currently only Curve25519). This feature changes the layout of ECDH
+ * contexts and therefore is a compatibility break for applications that access
+ * fields of a mbedtls_ecdh_context structure directly. See also
+ * MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
+ */
+//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
+
 /* \} name SECTION: Customisation configuration options */

 /* Target and application specific configurations
--- a/features/mbedtls/inc/mbedtls/net_sockets.h
+++ b/features/mbedtls/inc/mbedtls/net_sockets.h
@ -257,6 +257,13 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
 int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
                      uint32_t timeout );

+/**
+ * \brief          Closes down the connection and free associated data
+ *
+ * \param ctx      The context to close
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx );
+
 /**
 * \brief          Gracefully shutdown the connection and free associated data
 *
--- a/features/mbedtls/inc/mbedtls/version.h
+++ b/features/mbedtls/inc/mbedtls/version.h
@ -39,7 +39,7 @@
 * Major, Minor, Patchlevel
 */
 #define MBEDTLS_VERSION_MAJOR  2
-#define MBEDTLS_VERSION_MINOR  18
+#define MBEDTLS_VERSION_MINOR  19
 #define MBEDTLS_VERSION_PATCH  0

 /**
@ -47,9 +47,9 @@
 *    MMNNPP00
 *    Major version | Minor version | Patch version
 */
-#define MBEDTLS_VERSION_NUMBER         0x02120000
-#define MBEDTLS_VERSION_STRING         "2.18.0"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.18.0"
+#define MBEDTLS_VERSION_NUMBER         0x02130000
+#define MBEDTLS_VERSION_STRING         "2.19.0"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.19.0"

 #if defined(MBEDTLS_VERSION_C)

--- a/features/mbedtls/src/Makefile
+++ b/features/mbedtls/src/Makefile
@ -80,6 +80,12 @@ OBJS_TLS=	debug.o		net_sockets.o		\
 		ssl_srv.o	ssl_ticket.o		\
 		ssl_tls.o

+INCLUDING_FROM_MBEDTLS:=1
+include ../crypto/3rdparty/Makefile.inc
+LOCAL_CFLAGS += $(patsubst -I../3rdparty/%, -I../crypto/3rdparty/%, $(THIRDPARTY_INCLUDES))
+OBJS_CRYPTO  += $(patsubst ../3rdparty/%, ../crypto/3rdparty/%, $(THIRDPARTY_CRYPTO_OBJECTS))
+
+
 .SILENT:

 .PHONY: all static shared clean
@ -153,11 +159,13 @@ libmbedcrypto.%:

 .c.o:
 	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c $<
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $<

 clean:
 ifndef WINDOWS
-	rm -f *.o libmbed*
+	rm -f *.o libmbed* $(OBJS_CRYPTO)
 else
-	del /Q /F *.o libmbed*
+	if exist *.o del /Q /F *.o
+	if exist libmbed* del /Q /F libmbed*
+	if exist $(OBJS_CRYPTO) del /Q /F $(OBJS_CRYPTO)
 endif
--- a/features/mbedtls/src/net_sockets.c
+++ b/features/mbedtls/src/net_sockets.c
@ -651,6 +651,19 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
    return( ret );
 }

+/*
+ * Close the connection
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx )
+{
+    if( ctx->fd == -1 )
+        return;
+
+    close( ctx->fd );
+
+    ctx->fd = -1;
+}
+
 /*
 * Gracefully close the connection
 */
--- a/features/mbedtls/src/ssl_tls.c
+++ b/features/mbedtls/src/ssl_tls.c
@ -11950,6 +11950,10 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
    ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;

+    /* Adjust pointers for header fields of outgoing records to
+     * the given transform, accounting for explicit IV and CID. */
+    ssl_update_out_pointers( ssl, ssl->transform );
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    ssl->in_epoch = 1;
 #endif
--- a/features/mbedtls/src/x509_crt.c
+++ b/features/mbedtls/src/x509_crt.c
@ -2611,15 +2611,13 @@ check_signature:
            continue;
        }

+        *r_parent = parent;
+        *r_signature_is_good = signature_is_good;
+
        break;
    }

-    if( parent != NULL )
-    {
-        *r_parent = parent;
-        *r_signature_is_good = signature_is_good;
-    }
-    else
+    if( parent == NULL )
    {
        *r_parent = fallback_parent;
        *r_signature_is_good = fallback_signature_is_good;
--- a/features/mbedtls/src/x509write_crt.c
+++ b/features/mbedtls/src/x509write_crt.c
@ -45,6 +45,16 @@
 #include "mbedtls/pem.h"
 #endif /* MBEDTLS_PEM_WRITE_C */

+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
 {
    memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
@ -337,7 +347,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
    size_t sig_oid_len = 0;
    unsigned char *c, *c2;
    unsigned char hash[64];
-    unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
    size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
    size_t len = 0;
    mbedtls_pk_type_t pk_alg;
--- a/features/mbedtls/src/x509write_csr.c
+++ b/features/mbedtls/src/x509write_csr.c
@ -49,6 +49,16 @@
 #include "mbedtls/pem.h"
 #endif

+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
 void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
 {
    memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
@ -138,7 +148,7 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
    size_t sig_oid_len = 0;
    unsigned char *c, *c2;
    unsigned char hash[64];
-    unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
    unsigned char tmp_buf[2048];
    size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
    size_t len = 0;