Commit f233d8e

Merge branch 'virgil-security-development' into virgil-security-master
2 parents cc5932e + bd80b52 commit f233d8e

135 files changed

+4374
-1038
lines changed

CMakeLists.txt

+1-1
@@ -31,7 +31,7 @@ find_package(Perl)
3131
if(PERL_FOUND)
3232

3333
# If NULL Entropy is configured, display an appropriate warning
34-
execute_process(COMMAND ${PERL_EXECUTABLE} scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY
34+
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
3535
RESULT_VARIABLE result)
3636
if(${result} EQUAL 0)
3737
message(WARNING ${NULL_ENTROPY_WARNING})
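
Review bot: `${CMAKE_SOURCE_DIR}` on the new `execute_process` line is the top of the whole build tree, so if this project is pulled in from a parent project with `add_subdirectory()` it points at the parent and `scripts/config.pl` will not be found there. `${CMAKE_CURRENT_SOURCE_DIR}` keeps the out-of-tree fix and also works as a subproject. Because the warning is printed only when `result` equals 0, a script that fails to run looks the same as the option being off, and the MBEDTLS_TEST_NULL_ENTROPY warning is silently skipped in that case. Quoting both paths would also cover source directories that contain spaces.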

ChangeLog

+81
@@ -1,5 +1,86 @@
11
mbed TLS ChangeLog (Sorted per branch, date)
22

3+
= mbed TLS 2.4.0 branch released 2016-10-17
4+
5+
Security
6+
* Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
7+
with RFC-5116 and could lead to session key recovery in very long TLS
8+
sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
9+
TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
10+
https://eprint.iacr.org/2016/475.pdf
11+
* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
12+
mbedtls_x509write_csr_der() when the signature is copied to the buffer
13+
without checking whether there is enough space in the destination. The
14+
issue cannot be triggered remotely. Found by Jethro Beekman.
15+
16+
Features
17+
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
18+
NIST SP 800-38B, RFC-4493 and RFC-4615.
19+
* Added hardware entropy selftest to verify that the hardware entropy source
20+
is functioning correctly.
21+
* Added a script to print build environment info for diagnostic use in test
22+
scripts, which is also now called by all.sh.
23+
* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
24+
configure the maximum length of a file path that can be buffered when
25+
calling mbedtls_x509_crt_parse_path().
26+
* Added a configuration file config-no-entropy.h that configures the subset of
27+
library features that do not require an entropy source.
28+
* Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
29+
to configure the minimum number of bytes for entropy sources using the
30+
mbedtls_hardware_poll() function.
31+
32+
Bugfix
33+
* Fix for platform time abstraction to avoid dependency issues where a build
34+
may need time but not the standard C library abstraction, and added
35+
configuration consistency checks to check_config.h
36+
* Fix dependency issue in Makefile to allow parallel builds.
37+
* Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
38+
when GCM is used. Found by udf2457. #441
39+
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
40+
enabled unless others were also present. Found by David Fernandez. #428
41+
* Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
42+
a contribution from Tobias Tangemann. #541
43+
* Fixed cert_app.c sample program for debug output and for use when no root
44+
certificates are provided.
45+
* Fix conditional statement that would cause a 1 byte overread in
46+
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
47+
* Fixed pthread implementation to avoid unintended double initialisations
48+
and double frees. Found by Niklas Amnebratt.
49+
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
50+
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
51+
by inestlerode. #559.
52+
* Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
53+
data structure until after error checks are successful. Found by
54+
subramanyam-c. #622
55+
* Fix documentation and implementation missmatch for function arguments of
56+
mbedtls_gcm_finish(). Found by cmiatpaar. #602
57+
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
58+
* Fix potential byte overread when verifying malformed SERVER_HELLO in
59+
ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
60+
* Fix check for validity of date when parsing in mbedtls_x509_get_time().
61+
Found by subramanyam-c. #626
62+
* Fix compatibility issue with Internet Explorer client authentication,
63+
where the limited hash choices prevented the client from sending its
64+
certificate. Found by teumas. #513
65+
* Fix compilation without MBEDTLS_SELF_TEST enabled.
66+
67+
Changes
68+
* Extended test coverage of special cases, and added new timing test suite.
69+
* Removed self-tests from the basic-built-test.sh script, and added all
70+
missing self-tests to the test suites, to ensure self-tests are only
71+
executed once.
72+
* Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
73+
* Added support for a Yotta specific configuration file -
74+
through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
75+
* Added optimization for code space for X.509/OID based on configured
76+
features. Contributed by Aviv Palivoda.
77+
* Renamed source file library/net.c to library/net_sockets.c to avoid
78+
naming collision in projects which also have files with the common name
79+
net.c. For consistency, the corresponding header file, net.h, is marked as
80+
deprecated, and its contents moved to net_sockets.h.
81+
* Changed the strategy for X.509 certificate parsing and validation, to no
82+
longer disregard certificates with unrecognised fields.
83+
384
= mbed TLS 2.3.0 branch released 2016-06-28
485

586
Security
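
Review bot: The Bugfix entry for mbedtls_x509_get_sig() ("to update the ASN1 type ... until after error checks are successful") does not parse as written; presumably it should read "to not update the ASN1 type ... until after error checks are successful". The mbedtls_gcm_finish() entry has "missmatch" for "mismatch". On the Security entry that removes MBEDTLS_SSL_AEAD_RANDOM_IV: since this is a merge into a downstream branch, check that no configuration file kept in this tree still defines the option.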

Makefile

+4-3
@@ -6,7 +6,8 @@ PREFIX=mbedtls_
66

77
.PHONY: all no_test programs lib tests install uninstall clean test check covtest lcov apidoc apidoc_clean
88

9-
all: programs tests post_build
9+
all: programs tests
10+
$(MAKE) post_build
1011

1112
no_test: programs
1213
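
Review bot: `post_build` is now run through `$(MAKE) post_build` in the recipe of `all`, but it is missing from the `.PHONY` list two lines above, so a stray file named `post_build` in the source root would turn that sub-make into a no-op. Add `post_build` to `.PHONY`.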

@@ -73,10 +74,10 @@ clean:
7374
$(MAKE) -C programs clean
7475
$(MAKE) -C tests clean
7576
ifndef WINDOWS
76-
find . \( -name \*.gcno -o -name \*.gcda -o -name *.info \) -exec rm {} +
77+
find . \( -name \*.gcno -o -name \*.gcda -o -name \*.info \) -exec rm {} +
7778
endif
7879

79-
check: lib
80+
check: lib tests
8081
$(MAKE) -C tests check
8182

8283
test: check
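
Review bot: In the `clean` recipe each `-name` pattern is backslash-escaped individually, which is how the unescaped `*.info` went unnoticed; single-quoting the patterns (`-name '*.info'`) is harder to get wrong when another one is added later. For `check: lib tests`, a one-line comment saying why `tests` must be built before `$(MAKE) -C tests check` would help the next reader.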

README.md

+22-19
@@ -4,59 +4,59 @@ README for mbed TLS
44
Configuration
55
-------------
66

7-
mbed TLS should build out of the box on most systems. Some platform specific options are available in the fully-documented configuration file `include/mbedtls/config.h`, which is also the place where features can be selected. This file can be edited manually, or in a more programmatic way using the Perl script `scripts/config.pl` (use `--help` for usage instructions).
7+
mbed TLS should build out of the box on most systems. Some platform specific options are available in the fully documented configuration file `include/mbedtls/config.h`, which is also the place where features can be selected. This file can be edited manually, or in a more programmatic way using the Perl script `scripts/config.pl` (use `--help` for usage instructions).
88

9-
Compiler options can be set using standard variables such as `CC` and `CFLAGS` when using the Make and CMake build system (see below).
9+
Compiler options can be set using conventional environment variables such as `CC` and `CFLAGS` when using the Make and CMake build system (see below).
1010

1111
Compiling
1212
---------
1313

14-
There are currently four active build systems within the mbed TLS releases:
14+
There are currently four active build systems used within mbed TLS releases:
1515

1616
- yotta
1717
- Make
1818
- CMake
1919
- Microsoft Visual Studio (Visual Studio 6 and Visual Studio 2010)
2020

21-
The main systems used for development are CMake and yotta. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and yotta build system, but some features are not ported there by default.
21+
The main systems used for development are CMake and Make. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and Make build system, although features may not be ported there automatically.
2222

23-
Please note that the yotta option is slightly different from the other build systems:
23+
Yotta, as a build system, is slightly different from the other build systems:
2424

25-
- a more minimalistic configuration file is used by default
26-
- depending on the yotta target, features of mbed OS will be used in examples and tests
25+
- it provides a minimalistic configuration file by default
26+
- depending on the yotta target, features of mbed OS may be used in examples and tests
2727

2828
The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx509, and libmbedtls. Note that libmbedtls depends on libmbedx509 and libmbedcrypto, and libmbedx509 depends on libmbedcrypto. As a result, some linkers will expect flags to be in a specific order, for example the GNU linker wants `-lmbedtls -lmbedx509 -lmbedcrypto`. Also, when loading shared libraries using dlopen(), you'll need to load libmbedcrypto first, then libmbedx509, before you can load libmbedtls.
2929

3030
### Yotta
3131

32-
[yotta](http://yottabuild.org) is a package manager and build system developed by mbed; it is the build system of mbed OS. To install it on your platform, please follow the yotta [installation instructions](http://docs.yottabuild.org/#installing).
32+
[yotta](http://yottabuild.org) is a package manager and build system developed by mbed, and is the build system of mbed OS 16.03. To install it on your platform, please follow the yotta [installation instructions](http://docs.yottabuild.org/#installing).
3333

34-
Once yotta is installed, you can use it to download the latest version of mbed TLS form the yotta registry with:
34+
Once yotta is installed, you can use it to download the latest version of mbed TLS from the yotta registry with:
3535

3636
yotta install mbedtls
3737

3838
and build it with:
3939

4040
yotta build
4141

42-
If, on the other hand, you already have a copy of mbed TLS from a source other than the yotta registry, for example from cloning our GitHub repository, or from downloading a tarball of the standalone edition, then you'll need first need to generate the yotta module by running:
42+
If, on the other hand, you already have a copy of mbed TLS from a source other than the yotta registry, for example from cloning our GitHub repository, or from downloading a tarball of the standalone edition, then you'll first need to generate the yotta module by running:
4343

4444
yotta/create-module.sh
4545

46-
from the mbed TLS root directory. This will create the yotta module in the `yotta/module` directory. You can then change to that directory and build as usual:
46+
This should be executed from the root mbed TLS project directory. This will create the yotta module in the `yotta/module` directory within it. You can then change to that directory and build as usual:
4747

4848
cd yotta/module
4949
yotta build
5050

51-
In any case, you'll probably want to set the yotta target before building unless it's already set globally; for more information on using yotta, please consult the [yotta documentation](http://docs.yottabuild.org/).
51+
In any case, you'll probably want to set the yotta target before building unless it has already been set globally. For more information on using yotta, please consult the [yotta documentation](http://docs.yottabuild.org/).
5252

5353
For more details on the yotta/mbed OS edition of mbed TLS, including example programs, please consult the [Readme at the root of the yotta module](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/README.md).
5454

5555
### Make
5656

57-
We intentionally only use the absolute minimum of `Make` functionality, as a lot of `Make` features are not supported on all different implementations of Make on different platforms. As such, the Makefiles sometimes require some handwork or export statements in order to work for your platform.
57+
We intentionally only use the minimum of `Make` functionality, as a lot of `Make` features are not supported on all different implementations of Make or on different platforms. As such, the Makefiles sometimes require some manual changes or export statements in order to work for your platform.
5858

59-
In order to build the source using Make, just enter at the command line:
59+
In order to build from the source code using Make, just enter at the command line:
6060

6161
make
6262
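
Review bot: The yotta links on new lines 32 and 51 (`http://yottabuild.org`, `http://docs.yottabuild.org/#installing`, `http://docs.yottabuild.org/`) are plain HTTP, and one of them is where readers are sent for installation instructions; if the site serves HTTPS, switch them while these lines are being touched. On new line 46, "This should be executed ... This will create ..." uses "This" first for the script and then for its effect; "Run this from the root mbed TLS project directory. It creates the yotta module in `yotta/module`" reads more cleanly.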

@@ -78,7 +78,7 @@ Setting the variable `SHARED` in your environment will build shared libraries in
7878

7979
Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue.
8080

81-
In case you find that you need to do something else as well, please let us know what, so we can add it to the KB.
81+
In case you find that you need to do something else as well, please let us know what, so we can add it to the [mbed TLS knowledge base](https://tls.mbed.org/kb).
8282

8383
### CMake
8484

@@ -161,13 +161,16 @@ Contributing
161161

162162
We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions:
163163

164-
- Simple bug fixes to existing code do not contain copyright themselves and we can integrate without issue. The same is true of trivial contributions.
165-
- For larger contributions, such as a new feature, the code can possibly fall under copyright law. We then need your consent to share in the ownership of the copyright. We have a form for this, which we will send to you in case you submit a contribution or pull request that we deem this necessary for.
164+
- All contributions, whether large or small require a Contributor's License Agreement (CLA) to be accepted. This is because source code can possibly fall under copyright law and we need your consent to share in the ownership of the copyright.
165+
- We would ask that contributions conform to [our coding standards](https://tls.mbed.org/kb/development/mbedtls-coding-standards), and that contributions should be fully tested before submission.
166+
- As with any open source project, contributions will be reviewed by the project team and community and may need some modifications to be accepted.
166167

167-
### Process
168+
To accept the Contributor’s Licence Agreement (CLA), individual contributors can do this by creating an mbed account and [accepting the online agreement here with a click through](https://developer.mbed.org/contributor_agreement/). Alternatively, for contributions from corporations, or those that do not wish to create an mbed account, a slightly different agreeement can be found [here](https://www.mbed.com/en/about-mbed/contributor-license-agreements/). This agreement should be signed and returned to ARM as described in the instructions given.
169+
170+
### Making a Contribution
168171

169172
1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://tls.mbed.org/discussions) around a feature idea or a bug.
170173
2. Fork the [mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the "development" branch as a basis.
171174
3. Write a test which shows that the bug was fixed or that the feature works as expected.
172-
4. Send a pull request and bug us until it gets merged and published. We will include your name in the ChangeLog :)
175+
4. Send a pull request and bug us until it gets merged and published. Contributions may need some modifications, so work with us to get your change accepted. We will include your name in the ChangeLog :)
173176
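
Review bot: The paragraph added at line 168 spells the agreement "Contributor’s Licence Agreement" while line 164 has "Contributor's License Agreement", and "agreeement" has an extra "e"; pick one spelling of the CLA name and fix the typo. Line 164 also needs a comma after "small" ("whether large or small, require"), and the "[here]" link on line 168 would be better with descriptive link text.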

VirgilChangeLog

+8
@@ -1,5 +1,13 @@
11
Virgil Security ChangeLog (Sorted per version, date)
22

3+
= Virgil Security 2.0.1 released 2016-12-07
4+
5+
Changes
6+
* Update to mbed TLS version 2.4.0
7+
* Replace custom implementation of support ASN.1 encoding of negative integers and integers larger than 255,
8+
by applying commit https://github.com/sg2342/mbedtls/commit/b684c0ee0746c05a8e8896283ef90a09d1d0bf9d
9+
10+
311
= Virgil Security 2.0.0 released 2016-09-30
412

513
Features
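
Review bot: The second Changes entry does not parse ("Replace custom implementation of support ASN.1 encoding ...") and identifies the replacement only by a commit URL on a personal fork (`sg2342/mbedtls`). Say in words what was replaced and which functions are affected, and note whether that commit has been reviewed and is covered by a test in this tree, since the URL can disappear and the change touches ASN.1 integer encoding.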

circle.yml

+44
@@ -0,0 +1,44 @@
1+
# Purpose:
2+
# - To test and prove that a new commit in the mbed TLS repository builds
3+
# and integrates with mbed-os properly.
4+
# AND
5+
# - To test and prove that the current development head of mbed TLS builds
6+
# and integrates with the current mbed-os master branch.
7+
#
8+
# The script fetches all the prerequisites and builds the mbed TLS 'tls-client'
9+
# example. This script is triggered by every commit and once each night and the
10+
# exact behaviour depends on how it was triggered:
11+
# - If it is a nightly build then it builds the mbed TLS development head with
12+
# mbed-os master.
13+
# - If it was triggered by the commit, then it builds the example with mbed TLS
14+
# at that commit and mbed-os at the commit pointed by mbed-os.lib in the
15+
# example repository.
16+
17+
test:
18+
override:
19+
- cd ../mbed-os-example-tls/tls-client/ && mbed compile -m K64F -t GCC_ARM -c
20+
21+
dependencies:
22+
pre:
23+
# Install gcc-arm
24+
- cd .. && wget "https://launchpad.net/gcc-arm-embedded/4.9/4.9-2015-q3-update/+download/gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2"
25+
- cd .. && tar -xvjf gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2
26+
- ln -s ../gcc-arm-none-eabi-4_9-2015q3/bin/* ../bin/
27+
# Install mbed-cli
28+
- cd ../ && git clone https://github.com/ARMmbed/mbed-cli.git
29+
- cd ../mbed-cli && sudo -H pip install -e .
30+
# Get the sample application
31+
- cd ../ && git clone git@github.com:ARMmbed/mbed-os-example-tls.git
32+
# Get mbed-os
33+
- cd ../mbed-os-example-tls/tls-client && mbed deploy
34+
# Update mbed-os to master only if it is a nightly build
35+
- >
36+
if [ -n "${RUN_NIGHTLY_BUILD}" ]; then
37+
cd ../mbed-os-example-tls/tls-client/mbed-os/ && mbed update master;
38+
fi
39+
# Import mbedtls current revision
40+
- ln -s ../../../../../../../mbedtls/ ../mbed-os-example-tls/tls-client/mbed-os/features/mbedtls/importer/TARGET_IGNORE/mbedtls
41+
- cd ../mbed-os-example-tls/tls-client/mbed-os/features/mbedtls/importer/ && make
42+
override:
43+
# Install the missing python packages
44+
- cd ../mbed-os-example-tls/tls-client/mbed-os/ && sudo -H pip install -r requirements.txt
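
Review bot: The toolchain step on lines 24-25 downloads `gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2` with `wget` and unpacks it with no integrity check, and lines 28-29 clone `mbed-cli` at whatever its default branch currently holds and install it with `sudo -H pip install -e .`. Record the expected SHA-256 of the tarball in this file and verify it before `tar`, and check out a fixed tag or commit of `mbed-cli`, so that a changed download or an upstream push cannot alter what CI runs as root. Line 31 clones `mbed-os-example-tls` over SSH (`git@github.com:`) while line 28 uses HTTPS; unless a deploy key is intended, use the HTTPS URL there too.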
