From 9935faf0565c595224455d9633bb67cfab486374 Mon Sep 17 00:00:00 2001 From: Sergey Abramchuk Date: Thu, 3 May 2018 12:14:02 +0300 Subject: [PATCH] Update mbedTLS headers --- .../Vendors/mbedtls/include/mbedtls/cmac.h | 2 +- .../Vendors/mbedtls/include/mbedtls/config.h | 2 +- .../Vendors/mbedtls/include/mbedtls/net.h | 2 +- .../Vendors/mbedtls/include/mbedtls/oid.h | 31 ++++++++++++++++++- .../mbedtls/include/mbedtls/platform.h | 2 +- .../Vendors/mbedtls/include/mbedtls/ssl.h | 24 +++++++++++++- .../mbedtls/include/mbedtls/x509_crt.h | 2 ++ 7 files changed, 59 insertions(+), 6 deletions(-) diff --git a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/cmac.h b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/cmac.h index 24839a2..628c9da 100644 --- a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/cmac.h +++ b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/cmac.h @@ -26,7 +26,7 @@ #ifndef MBEDTLS_CMAC_H #define MBEDTLS_CMAC_H -#include "cipher.h" +#include "mbedtls/cipher.h" #ifdef __cplusplus extern "C" { diff --git a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/config.h b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/config.h index 79eedff..fc4bd16 100644 --- a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/config.h +++ b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/config.h @@ -2087,7 +2087,7 @@ * it, and considering stronger message digests instead. * */ -//#define MBEDTLS_MD4_C +#define MBEDTLS_MD4_C /** * \def MBEDTLS_MD5_C diff --git a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/net.h b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/net.h index 05d94f0..28ae821 100644 --- a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/net.h +++ b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/net.h @@ -25,7 +25,7 @@ */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) -#include "net_sockets.h" +#include "mbedtls/net_sockets.h" #if defined(MBEDTLS_DEPRECATED_WARNING) #warning "Deprecated header file: Superseded by mbedtls/net_sockets.h" #endif /* MBEDTLS_DEPRECATED_WARNING */ diff --git a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/oid.h b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/oid.h index bf2ef5e..b116736 100644 --- a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/oid.h +++ b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/oid.h @@ -228,6 +228,14 @@ #define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */ +#define MBEDTLS_OID_HMAC_SHA224 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */ + +#define MBEDTLS_OID_HMAC_SHA256 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */ + +#define MBEDTLS_OID_HMAC_SHA384 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */ + +#define MBEDTLS_OID_HMAC_SHA512 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */ + /* * Encryption algorithms */ @@ -402,7 +410,7 @@ int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_b #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) /** - * \brief Translate an X.509 extension OID into local values + * \brief Translate supported X.509 extension OID into local values * * \param oid OID to use * \param ext_type place to store the extension type @@ -410,6 +418,17 @@ int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_b * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND */ int mbedtls_oid_get_x509_ext_type( const mbedtls_asn1_buf *oid, int *ext_type ); + +/** + * \brief Translate supported and unsupported X.509 extension OID into local values + * + * \param oid OID to use + * \param ext_type place to store the extension type + * \param is_supported place to store flag if extension is supported (1 - supported, 0 otherwise) + * + * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + */ +int mbedtls_oid_get_x509_ext_type_supported( const mbedtls_asn1_buf *oid, int *ext_type, int *is_supported ); #endif /** @@ -514,6 +533,16 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND */ int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg ); + +/** + * \brief Translate hmac algorithm OID into md_type + * + * \param oid OID to use + * \param md_hmac place to store message hmac algorithm + * + * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND + */ +int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac ); #endif /* MBEDTLS_MD_C */ /** diff --git a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/platform.h b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/platform.h index ed63d4d..ed10775 100644 --- a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/platform.h +++ b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/platform.h @@ -31,7 +31,7 @@ #endif #if defined(MBEDTLS_HAVE_TIME) -#include "platform_time.h" +#include "mbedtls/platform_time.h" #endif #ifdef __cplusplus diff --git a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/ssl.h b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/ssl.h index eb85d8f..cc3c862 100644 --- a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/ssl.h +++ b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/ssl.h @@ -53,7 +53,7 @@ #endif #if defined(MBEDTLS_HAVE_TIME) -#include "platform_time.h" +#include "mbedtls/platform_time.h" #endif /* @@ -696,6 +696,10 @@ struct mbedtls_ssl_config retransmission timeout (ms) */ #endif + uint32_t allowed_unsupported_critical_exts; /*!< Bit flags which represent runtime-enabled + unsupported critical extensions, e.g. + MBEDTLS_X509_EXT_NAME_CONSTRAINTS */ + #if defined(MBEDTLS_SSL_RENEGOTIATION) int renego_max_records; /*!< grace period for renegotiation */ unsigned char renego_period[8]; /*!< value of the record counters @@ -2274,6 +2278,24 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, const unsigned char period[8] ); #endif /* MBEDTLS_SSL_RENEGOTIATION */ +/** + * \brief Allows unsupported critical extensions + * + * Without compile-time flag MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION + * mbedTLS fails certificate verification if certificate contains + * unsupported critical extensions. + * + * This method allows to modify behavior in runtime by providing + * bit flags which represent unsupported extensions (for example MBEDTLS_X509_EXT_NAME_CONSTRAINTS) + * which should be allowed despite missing above mentioned compile-time flag. + * + * \param conf SSL configuration + * \param exts Bit flags which represent runtime-enabled unsupported critical extensions, + * e.g. MBEDTLS_X509_EXT_NAME_CONSTRAINTS + * + */ +void mbedtls_ssl_conf_allow_unsupported_critical_exts( mbedtls_ssl_config *conf, uint32_t exts ); + /** * \brief Return the number of data bytes available to read * diff --git a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/x509_crt.h b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/x509_crt.h index 2dbb7ec..46780bd 100644 --- a/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/x509_crt.h +++ b/OpenVPN Adapter/Vendors/mbedtls/include/mbedtls/x509_crt.h @@ -90,6 +90,8 @@ typedef struct mbedtls_x509_crt mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ + uint32_t allowed_unsupported_critical_exts; /**< Optional Bit flags which represent runtime-enabled unsupported critical extensions, e.g. MBEDTLS_X509_EXT_NAME_CONSTRAINTS */ + struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ } mbedtls_x509_crt;