Update mbedTLS headers

2024-10-06 17:22:07 +08:00 · 2018-05-03 12:14:02 +03:00 · 2018-05-03 12:14:02 +03:00 · 9935faf056
commit 9935faf056
parent d95f12c99a
7 changed files with 59 additions and 6 deletions
--- a/Adapter/Vendors/mbedtls/include/mbedtls/cmac.h
+++ b/Adapter/Vendors/mbedtls/include/mbedtls/cmac.h
@ -26,7 +26,7 @@
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H

-#include "cipher.h"
+#include "mbedtls/cipher.h"

 #ifdef __cplusplus
 extern "C" {
--- a/Adapter/Vendors/mbedtls/include/mbedtls/config.h
+++ b/Adapter/Vendors/mbedtls/include/mbedtls/config.h
@ -2087,7 +2087,7 @@
 *            it, and considering stronger message digests instead.
 *
 */
-//#define MBEDTLS_MD4_C
+#define MBEDTLS_MD4_C

 /**
 * \def MBEDTLS_MD5_C
--- a/Adapter/Vendors/mbedtls/include/mbedtls/net.h
+++ b/Adapter/Vendors/mbedtls/include/mbedtls/net.h
@ -25,7 +25,7 @@
 */

 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#include "net_sockets.h"
+#include "mbedtls/net_sockets.h"
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
 #endif /* MBEDTLS_DEPRECATED_WARNING */
--- a/Adapter/Vendors/mbedtls/include/mbedtls/oid.h
+++ b/Adapter/Vendors/mbedtls/include/mbedtls/oid.h
@ -228,6 +228,14 @@

 #define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */

+#define MBEDTLS_OID_HMAC_SHA224                 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
+
+#define MBEDTLS_OID_HMAC_SHA256                 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */
+
+#define MBEDTLS_OID_HMAC_SHA384                 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */
+
+#define MBEDTLS_OID_HMAC_SHA512                 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
+
 /*
 * Encryption algorithms
 */
@ -402,7 +410,7 @@ int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_b

 #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
 /**
- * \brief          Translate an X.509 extension OID into local values
+ * \brief          Translate supported X.509 extension OID into local values
 *
 * \param oid      OID to use
 * \param ext_type place to store the extension type
@ -410,6 +418,17 @@ int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_b
 * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
 */
 int mbedtls_oid_get_x509_ext_type( const mbedtls_asn1_buf *oid, int *ext_type );
+
+/**
+ * \brief              Translate supported and unsupported X.509 extension OID into local values
+ *
+ * \param oid          OID to use
+ * \param ext_type     place to store the extension type
+ * \param is_supported place to store flag if extension is supported (1 - supported, 0 otherwise)
+ *
+ * \return             0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_x509_ext_type_supported( const mbedtls_asn1_buf *oid, int *ext_type, int *is_supported );
 #endif

 /**
@ -514,6 +533,16 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t
 * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
 */
 int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg );
+
+/**
+ * \brief          Translate hmac algorithm OID into md_type
+ *
+ * \param oid      OID to use
+ * \param md_hmac  place to store message hmac algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac );
 #endif /* MBEDTLS_MD_C */

 /**
--- a/Adapter/Vendors/mbedtls/include/mbedtls/platform.h
+++ b/Adapter/Vendors/mbedtls/include/mbedtls/platform.h
@ -31,7 +31,7 @@
 #endif

 #if defined(MBEDTLS_HAVE_TIME)
-#include "platform_time.h"
+#include "mbedtls/platform_time.h"
 #endif

 #ifdef __cplusplus
--- a/Adapter/Vendors/mbedtls/include/mbedtls/ssl.h
+++ b/Adapter/Vendors/mbedtls/include/mbedtls/ssl.h
@ -53,7 +53,7 @@
 #endif

 #if defined(MBEDTLS_HAVE_TIME)
-#include "platform_time.h"
+#include "mbedtls/platform_time.h"
 #endif

 /*
@ -696,6 +696,10 @@ struct mbedtls_ssl_config
                                         retransmission timeout (ms)        */
 #endif

+    uint32_t allowed_unsupported_critical_exts; /*!< Bit flags which represent runtime-enabled
+                                                     unsupported critical extensions, e.g.
+                                                     MBEDTLS_X509_EXT_NAME_CONSTRAINTS */
+
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
    int renego_max_records;         /*!< grace period for renegotiation     */
    unsigned char renego_period[8]; /*!< value of the record counters
@ -2274,6 +2278,24 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
                                   const unsigned char period[8] );
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

+/**
+ * \brief          Allows unsupported critical extensions
+ *
+ *                 Without compile-time flag MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *                 mbedTLS fails certificate verification if certificate contains
+ *                 unsupported critical extensions.
+ *
+ *                 This method allows to modify behavior in runtime by providing
+ *                 bit flags which represent unsupported extensions (for example MBEDTLS_X509_EXT_NAME_CONSTRAINTS)
+ *                 which should be allowed despite missing above mentioned compile-time flag.
+ *
+ * \param conf     SSL configuration
+ * \param exts     Bit flags which represent runtime-enabled unsupported critical extensions,
+ *                 e.g. MBEDTLS_X509_EXT_NAME_CONSTRAINTS
+ *
+ */
+void mbedtls_ssl_conf_allow_unsupported_critical_exts( mbedtls_ssl_config *conf, uint32_t exts );
+
 /**
 * \brief          Return the number of data bytes available to read
 *
--- a/Adapter/Vendors/mbedtls/include/mbedtls/x509_crt.h
+++ b/Adapter/Vendors/mbedtls/include/mbedtls/x509_crt.h
@ -90,6 +90,8 @@ typedef struct mbedtls_x509_crt
    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */

+    uint32_t allowed_unsupported_critical_exts; /**< Optional Bit flags which represent runtime-enabled unsupported critical extensions, e.g. MBEDTLS_X509_EXT_NAME_CONSTRAINTS */
+
    struct mbedtls_x509_crt *next;     /**< Next certificate in the CA-chain. */
 }
 mbedtls_x509_crt;