diff --git a/external/include/mbedtls/mbedtls_config.h b/external/include/mbedtls/mbedtls_config.h index 0071e39555..bb11d74151 100644 --- a/external/include/mbedtls/mbedtls_config.h +++ b/external/include/mbedtls/mbedtls_config.h @@ -3962,5 +3962,3 @@ //#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED /** \} name SECTION: Module configuration options */ - -// #define MBEDTLS_SSL_CONF_EKU_PATCH \ No newline at end of file diff --git a/external/include/mbedtls/mbedtls_tizenrt_config.h b/external/include/mbedtls/mbedtls_tizenrt_config.h index 8bc10320d4..3594c00919 100644 --- a/external/include/mbedtls/mbedtls_tizenrt_config.h +++ b/external/include/mbedtls/mbedtls_tizenrt_config.h @@ -18,10 +18,6 @@ /** * \file mbedtls_tizenrt_config.h */ -#undef MBEDTLS_NO_PLATFORM_ENTROPY -#if !defined(CONFIG_DEV_URANDOM) -#define MBEDTLS_NO_PLATFORM_ENTROPY -#endif /* * Tizenrt mbedtls 2.7.8 uses below option. need to check whether it is really requires @@ -162,6 +158,7 @@ * Uncomment to use your own hardware entropy collector. */ #if defined(CONFIG_TLS_HW_RNG) +#define MBEDTLS_NO_PLATFORM_ENTROPY #define MBEDTLS_ENTROPY_HARDWARE_ALT #endif @@ -205,8 +202,3 @@ #endif /* CONFIG_TLS_HW_AES_ENC */ #endif /* CONFIG_SE */ - -#if defined(CONFIG_MBEDTLS_PKCS5_C) -/* MBEDTLS_PKCS5_C should be enabled to encrypt TASH password with PBKDF2 */ -#define MBEDTLS_PKCS5_C -#endif /* CONFIG_MBEDTLS_PKCS5_C */ diff --git a/external/include/mbedtls/ssl.h b/external/include/mbedtls/ssl.h index f65358b310..90f58e9981 100644 --- a/external/include/mbedtls/ssl.h +++ b/external/include/mbedtls/ssl.h 
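Review bot: In mbedtls_tizenrt_config.h, `#define MBEDTLS_NO_PLATFORM_ENTROPY` is now set only inside the `CONFIG_TLS_HW_RNG` block (hunk at -162), and the first hunk of the same file drops the `CONFIG_DEV_URANDOM` guard, so every build without `CONFIG_TLS_HW_RNG` has platform entropy polling enabled whether or not a urandom device exists. The entropy_poll.c hunk in this commit also removes the `MBED_TIZENRT` bypass around the platform `#error`, so such builds presumably stop at compile time unless the toolchain defines a Unix macro; that fails closed, but the header does not say so. With `CONFIG_TLS_HW_RNG` set, the hardware collector is the only entropy source this header configures, so every key and nonce depends on it. I would record that above the define, e.g. `/* HW RNG is the only entropy source: platform polling (/dev/urandom) is disabled */`, and confirm that a configuration without `CONFIG_TLS_HW_RNG` either has a real source or is rejected at build time.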
@@ -1483,12 +1483,6 @@ struct mbedtls_ssl_config {
 mbedtls_ssl_key_cert *MBEDTLS_PRIVATE(key_cert); /*!< own certificate/key pair(s) */
 mbedtls_x509_crt *MBEDTLS_PRIVATE(ca_chain); /*!< trusted CAs */
 mbedtls_x509_crl *MBEDTLS_PRIVATE(ca_crl); /*!< trusted CAs CRLs */
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)
- const char *MBEDTLS_PRIVATE(client_oid); /*!< OID to check on client certs */
- size_t MBEDTLS_PRIVATE(client_oid_len); /*!< length of client OID */
- const char *MBEDTLS_PRIVATE(server_oid); /*!< OID to check on server certs */
- size_t MBEDTLS_PRIVATE(server_oid_len); /*!< length of server OID */
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 mbedtls_x509_crt_ca_cb_t MBEDTLS_PRIVATE(f_ca_cb);
 void *MBEDTLS_PRIVATE(p_ca_cb);
@@ -3439,79 +3433,7 @@ void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, */ int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, - mbedtls_pk_context *pk_key); -#if defined(MBEDTLS_OCF_PATCH) -/** - * \brief The type of certificate chain and private key callback. - * - * \note The callback will be invoked by \c mbedtls_ssl_conf_iterate_own_certs for - * each certificate chain and private key pair added to configuration - * by \c mbedtls_ssl_conf_own_cert. - * - * \param ctx An opaque context passed to the callback. - * \param own_cert own public certificate chain - * \param pk_key own private key - * - * \return \c 0 to continue iteration. - * \return A non-zero value to stop iteration. - */ -typedef int (*mbedtls_ssl_conf_iterate_own_certs_cb_t)( void *ctx, - const mbedtls_x509_crt *own_cert, - const mbedtls_pk_context *pk_key ); - -/** - * \brief Iterate over configured certificate and key pairs and invoke provided - * callback with each pair. - * - * \param conf SSL configuration - * \param cert_cb The callback to use with each certificate key pair - * \param ctx The context to be passed to \p cert_cb -*/ -void mbedtls_ssl_conf_iterate_own_certs( const mbedtls_ssl_config *conf, - mbedtls_ssl_conf_iterate_own_certs_cb_t cert_cb, - void *ctx ); - -#if defined(MBEDTLS_SSL_CONF_EKU_PATCH) -/** - * \brief Set custom EKU OIDs to be checked on certificates during TLS negotiation, - * and for selecting suitable certificates for TLS negotation. - * - * \note By default, if this function is not called, clients will - * check for the server authentication EKU (1.3.6.1.5.5.7.3.1) in - * a server's certificate, and servers will check for the - * client authentication EKU (1.3.6.1.5.5.7.3.2) if a client - * presents a certificate. - * - * \param conf SSL configuration - * \param client_oid OID to check for when verifying client certificates as a server. 
- * This must be an MBEDTLS_OID_* constant from oid.h, or a custom OID - * supplied by the caller. If a custom OID is used, it must be provided in - * its ASN.1 encoding; human-readable dotted numeric strings are not supported. - * Additionally, callers using custom OID buffers must ensure those buffers remain - * live while this SSL configuration is live. Passing NULL will - * disable EKU checking of client certificates. - * \param client_oid_len The length of client_oid, not counting a terminating NULL if present; for constants - * from oid.h, this can be obtained with MBEDTLS_OID_SIZE(x) where x is the OID constant. - * If client_oid is NULL, this must be zero. - * \param server_oid OID to check for when verifying server certificates as a client. - * This must be an MBEDTLS_OID_* constant from oid.h, or a custom OID - * supplied by the caller. If a custom OID is used, it must be provided in - * its ASN.1 encoding; human-readable dotted numeric strings are not supported. - * Additionally, callers using custom OID buffers must ensure those buffers remain - * live while this SSL configuration is live. Passing NULL will - * disable EKU checking of server certificates. - * \param server_oid_len The length of server_oid not counting a terminating NULL if present; for constants - * from oid.h, this can be obtained with MBEDTLS_OID_SIZE(x) where x is the OID constant. - * If client_oid is NULL, this must be zero. - * - * \return 0 on success or MBEDTLS_ERR_SSL_BAD_INPUT_DATA for invalid arguments. - * On failure, existing behavior is unchanged. - */ -int mbedtls_ssl_conf_ekus( mbedtls_ssl_config *conf, - const char *client_oid, size_t client_oid_len, - const char *server_oid, size_t server_oid_len ); -#endif /* MBEDTLS_SSL_CONF_EKU_PATCH */ -#endif /* MBEDTLS_OCF_PATCH */ + mbedtls_pk_context *pk_key); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 
diff --git a/external/include/mbedtls/ssl_misc.h b/external/include/mbedtls/ssl_misc.h index 4d55f2cc6c..2b062db0fe 100644 --- a/external/include/mbedtls/ssl_misc.h +++ b/external/include/mbedtls/ssl_misc.h @@ -1685,11 +1685,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, const mbedtls_ssl_ciphersuite_t *ciphersuite, - int cert_endpoint, -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH) - const char *client_oid, size_t client_oid_len, - const char *server_oid, size_t server_oid_len, -#endif + int cert_endpoint, uint32_t *flags); #endif /* MBEDTLS_X509_CRT_PARSE_C */ diff --git a/external/include/mbedtls/x509_crt.h b/external/include/mbedtls/x509_crt.h index 1af2c3f8bf..bf5595e8ee 100644 --- a/external/include/mbedtls/x509_crt.h +++ b/external/include/mbedtls/x509_crt.h @@ -1151,21 +1151,6 @@ int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type); - -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT) -/** - * \brief Set the subject alternative name extension - * - * \param ctx CRT context to use - * \param names subject alternative names. For each dNSName element, the tag field of the dns_name - * member does not need to be set and will be ignored. - * - * \return 0 if successful, or a specific error code - */ -int mbedtls_x509write_crt_set_subject_alt_names( mbedtls_x509write_cert *ctx, - const mbedtls_x509_general_names *names ); -#endif /* MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT */ - /** * \brief Free the contents of a CRT write context * diff --git a/external/mbedtls/entropy_poll.c b/external/mbedtls/entropy_poll.c index 539cf5e2f7..20a5c078df 100644 --- a/external/mbedtls/entropy_poll.c +++ b/external/mbedtls/entropy_poll.c 
@@ -56,15 +56,12 @@ #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY) -#if defined(MBED_TIZENRT) -#else #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \ !defined(__HAIKU__) && !defined(__midipix__) #error \ "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in mbedtls_config.h" #endif -#endif #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) @@ -72,52 +69,28 @@ #define _WIN32_WINNT 0x0400 #endif #include - -#if defined(MBEDTLS_OCF_PATCH) -#include -#else #include -#endif int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len, size_t *olen) { -#if !defined(MBEDTLS_OCF_PATCH) HCRYPTPROV provider; -#endif ((void) data); *olen = 0; -#if defined(MBEDTLS_OCF_PATCH) - /* - * size_t may be 64 bits, but ULONG is always 32. - * If len is larger than the maximum for ULONG, just fail. - * It's unlikely anything ever will want to ask for this much randomness. - */ - if ( len > 0xFFFFFFFFULL ) -#else if (CryptAcquireContext(&provider, NULL, NULL, - PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE) -#endif + PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE) { return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; } -#if defined(MBEDTLS_OCF_PATCH) - if( !BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, (ULONG) len, BCRYPT_USE_SYSTEM_PREFERRED_RNG)) ) -#else if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE ) -#endif { -#if !defined(MBEDTLS_OCF_PATCH) CryptReleaseContext( provider, 0 ); -#endif return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; } -#if !defined(MBEDTLS_OCF_PATCH) CryptReleaseContext( provider, 0 ); -#endif *olen = len; return 0; diff --git a/external/mbedtls/ssl_tls.c b/external/mbedtls/ssl_tls.c index 17cd307266..f5fb4d9770 100644 --- a/external/mbedtls/ssl_tls.c +++ b/external/mbedtls/ssl_tls.c 
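Review bot: `CryptGenRandom( provider, (DWORD) len, output )` in the Windows branch of `mbedtls_platform_entropy_poll` (hunk at -72) truncates `len` wherever `size_t` is wider than `DWORD`, while `*olen = len` still reports the full length. The removed side carried a `len > 0xFFFFFFFFULL` guard for this case and the new side has none. A check before `CryptAcquireContext`, `if (len > 0xFFFFFFFFULL) { return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; }`, would keep a caller from treating unfilled bytes as random output. This branch sits under `_WIN32`, so it is probably not built for TizenRT targets, but it is the code this commit leaves in the tree; the function's closing brace lies outside the hunk.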
@@ -1895,43 +1895,6 @@ int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key); } -#if defined(MBEDTLS_OCF_PATCH) -void mbedtls_ssl_conf_iterate_own_certs( const mbedtls_ssl_config *conf, - mbedtls_ssl_conf_iterate_own_certs_cb_t cert_cb, - void *ctx ) -{ - mbedtls_ssl_key_cert *key_cert = conf->key_cert; - while(key_cert != NULL) - { - if (cert_cb(ctx, key_cert->cert, key_cert->key) != 0) - break; - key_cert = key_cert->next; - } -} - -#if defined(MBEDTLS_SSL_CONF_EKU_PATCH) -int mbedtls_ssl_conf_ekus( mbedtls_ssl_config *conf, - const char *client_oid, size_t client_oid_len, - const char *server_oid, size_t server_oid_len ) -{ - if( ( client_oid_len == 0 && client_oid ) || - ( client_oid_len != 0 && !client_oid ) || - ( server_oid_len == 0 && server_oid ) || - ( server_oid_len != 0 && !server_oid ) ) - { - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - } - - conf->client_oid = client_oid; - conf->client_oid_len = client_oid_len; - conf->server_oid = server_oid; - conf->server_oid_len = server_oid_len; - - return( 0 ); -} - -#endif /*defined(MBEDTLS_SSL_CONF_EKU_PATCH)*/ -#endif /*defined(MBEDTLS_OCF_PATCH)*/ void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl) @@ -5321,15 +5284,6 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, mbedtls_ssl_conf_endpoint(conf, endpoint); mbedtls_ssl_conf_transport(conf, transport); -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH) -#if defined(MBEDTLS_X509_CRT_PARSE_C) - conf->client_oid = MBEDTLS_OID_CLIENT_AUTH; - conf->client_oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH ); - conf->server_oid = MBEDTLS_OID_SERVER_AUTH; - conf->server_oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ); -#endif -#endif /*defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)*/ - /* * Things that are common to all presets */ 
@@ -5810,11 +5764,7 @@ const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) #if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, const mbedtls_ssl_ciphersuite_t *ciphersuite, - int cert_endpoint, -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH) - const char *client_oid, size_t client_oid_len, - const char *server_oid, size_t server_oid_len, -#endif + int cert_endpoint, uint32_t *flags) { int ret = 0; @@ -5859,15 +5809,7 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; ret = -1; } -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH) - if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { - ext_oid = server_oid; - ext_len = server_oid_len; - } else { - ext_oid = client_oid; - ext_len = client_oid_len; - } -#else + if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { ext_oid = MBEDTLS_OID_SERVER_AUTH; ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); @@ -5875,7 +5817,6 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, ext_oid = MBEDTLS_OID_CLIENT_AUTH; ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); } -#endif /*defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)*/ if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; @@ -7610,11 +7551,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, if (mbedtls_ssl_check_cert_usage(chain, ciphersuite_info, - !ssl->conf->endpoint, -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH) - ssl->conf->client_oid, ssl->conf->client_oid_len, - ssl->conf->server_oid, ssl->conf->server_oid_len, -#endif + !ssl->conf->endpoint, &ssl->session_negotiate->verify_result) != 0) { MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); if (ret == 0) { 
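Review bot: In the `mbedtls_ssl_check_cert_usage` hunk at -5859, the EKU comparison is now always against `MBEDTLS_OID_SERVER_AUTH` / `MBEDTLS_OID_CLIENT_AUTH`, and nothing on the new side records that the configurable OIDs are gone, including the NULL setting that the removed header documented as disabling the check. Peers whose certificates carry only a custom EKU will presumably now be flagged `MBEDTLS_X509_BADCERT_EXT_KEY_USAGE`; that is the stricter behaviour, but it is a policy change worth stating in the code. I would add above `if (cert_endpoint == MBEDTLS_SSL_IS_SERVER)` a comment such as `/* EKU is fixed to serverAuth/clientAuth; it can no longer be overridden or disabled per config */`. The same removal touches `mbedtls_ssl_config_defaults` and `ssl_parse_certificate_verify` in this file and `ssl_pick_cert` in ssl_tls12_server.c; all of these function bodies continue outside their hunks.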
diff --git a/external/mbedtls/ssl_tls12_server.c b/external/mbedtls/ssl_tls12_server.c index ed5f85bf0b..cde8b90e0a 100644 --- a/external/mbedtls/ssl_tls12_server.c +++ b/external/mbedtls/ssl_tls12_server.c @@ -868,11 +868,7 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl, * and decrypting with the same RSA key. */ if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, - MBEDTLS_SSL_IS_SERVER, -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH) - ssl->conf->client_oid, ssl->conf->client_oid_len, - ssl->conf->server_oid, ssl->conf->server_oid_len, -#endif + MBEDTLS_SSL_IS_SERVER, &flags) != 0) { MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " "(extended) key usage extension")); diff --git a/external/mbedtls/x509write_crt.c b/external/mbedtls/x509write_crt.c index 5a220e6728..c599a77a14 100644 --- a/external/mbedtls/x509write_crt.c +++ b/external/mbedtls/x509write_crt.c 
@@ -405,64 +405,6 @@ int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, return 0; } -#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT) -static int x509write_crt_set_subject_alt_name( unsigned char **c, unsigned char *buf, - const mbedtls_x509_general_name *name ) -{ - int ret; - size_t len = 0; - - switch ( name->name_type ) - { - case MBEDTLS_X509_GENERALNAME_DNSNAME: - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( c, buf, name->name.dns_name.p, name->name.dns_name.len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( c, buf, name->name.dns_name.len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) ); - break; - - case MBEDTLS_X509_GENERALNAME_DIRECTORYNAME: - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( c, buf, name->name.directory_name ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( c, buf, - MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 4 ) ); - break; - - default: - return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); - } - - return( (int)len ); -} - -int mbedtls_x509write_crt_set_subject_alt_names( mbedtls_x509write_cert *ctx, - const mbedtls_x509_general_names *names ) -{ - int ret; - unsigned char buf[2048]; - unsigned char *c = buf + sizeof( buf ); - size_t len = 0; - const mbedtls_x509_general_names *cur; - - for ( cur = names; cur != NULL; cur = cur->next ) - { - MBEDTLS_ASN1_CHK_ADD( len, x509write_crt_set_subject_alt_name( &c, buf, &cur->general_name ) ); - } - - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); - - ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_ALT_NAME, - MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_ALT_NAME ), - 0, c, len ); - - if( ret != 0 ) - return( ret ); - - 
return( 0 ); -} -#endif /* MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT */ - - static int x509_write_time(unsigned char **p, unsigned char *start, const char *t, size_t size) {