Commit Graph

1482 Commits

Author SHA1 Message Date
Simon Butcher
9f81231fb8 Revised hostname length check from review 2015-09-28 19:22:33 +01:00
Simon Butcher
89f77623b8 Added max length checking of hostname 2015-09-27 22:50:49 +01:00
Tillmann Karras
588ad50c5a Fix a fairly common typo in comments 2015-09-25 04:27:22 +02:00
Manuel Pégourié-Gonnard
77c0646ef2 Add cache for EC J-PAKE client extension
Not used yet, just add the variables and cleanup code.
2015-09-17 13:59:49 +02:00
Manuel Pégourié-Gonnard
8cea8ad8b8 Bump version to 2.1.1 2015-09-17 11:58:45 +02:00
Manuel Pégourié-Gonnard
75df902740 Add warning on config options
Note to self: actually disable before merging that branch!
2015-09-16 23:21:01 +02:00
Manuel Pégourié-Gonnard
bf57be690e Add server extension parsing
Only accept EC J-PAKE ciphersuite if extension was present and OK (single flag
for both), and ignore extension if we have no password.
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
eef142d753 Depend on ECJPAKE key exchange, not module
This is more consistent, as it doesn't make any sense for a user to be able to
set up an EC J-PAKE password with TLS if the corresponding key exchange is
disabled.

Arguably this is what we should de for other key exchanges as well instead of
depending on ECDH_C etc, but this is an independent issue, so let's just do
the right thing with the new key exchange and fix the other ones later. (This
is a marginal issue anyway, since people who disable all ECDH key exchange are
likely to also disable ECDH_C in order to minimize footprint.)
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
538cb7b0b4 Add the ECJPAKE ciphersuite 2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
557535d8c4 Add ECJPAKE key exchange 2015-09-16 22:58:29 +02:00
Simon Butcher
5793e7ef01 Merge 'development' into iotssl-411-port-reuse
Conflicts:
	ChangeLog
2015-09-16 15:25:53 +01:00
Manuel Pégourié-Gonnard
294139b57a Add client extension writing 2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
b813accf84 Add mbedtls_ecjpake_check(), tells if set up
This will be used in SSL to avoid the computation-heavy processing of EC
J-PAKE hello extensions in case we don't have an EC J-PAKE password
2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
7002f4a560 Add mbedtls_ssl_set_hs_ecjpake_password() 2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
76cfd3f97f Add EC J-PAKE context in handshake structure 2015-09-15 18:24:08 +02:00
Manuel Pégourié-Gonnard
f472179d44 Adjust dependencies for EC extensions
The Thread spec says we need those for EC J-PAKE too.
However, we won't be using the information, so we can skip the parsing
functions in an EC J-PAKE only config; keep the writing functions in order to
comply with the spec.
2015-09-15 18:22:00 +02:00
Simon Butcher
1a57af1607 Update ssl.h
Typo
2015-09-11 17:14:16 +01:00
Simon Butcher
4f6882a8a3 Update config.h
Typo in RFC x-ref comment.
2015-09-11 17:12:46 +01:00
Manuel Pégourié-Gonnard
ddfe5d20d1 Tune dependencies
Don't depend on srv.c in config.h, but add explicit checks. This is more
in line with other options that only make sense server-side, and also it
allows to test full config minus srv.c more easily.
2015-09-09 12:46:16 +02:00
Manuel Pégourié-Gonnard
62c74bb78a Stop wasting resources
Use a custom function that minimally parses the message an creates a reply
without the overhead of a full SSL context.

Also fix dependencies: needs DTLS_HELLO_VERIFY for the cookie types, and let's
also depend on SRV_C as is doesn't make sense on client.
2015-09-09 11:22:52 +02:00
Nicholas Wilson
2088e2ebd9 fix const-ness of argument to mbedtls_ssl_conf_cert_profile
Otherwise, it's impossible to pass in a pointer to
mbedtls_x509_crt_profile_next!
2015-09-08 16:53:18 +01:00
Manuel Pégourié-Gonnard
222cb8db22 Tune related documentation while at it 2015-09-08 15:43:59 +02:00
Manuel Pégourié-Gonnard
3a2a4485d4 Update documentation 2015-09-08 15:36:09 +02:00
Manuel Pégourié-Gonnard
be619c1264 Clean up error codes 2015-09-08 11:21:21 +02:00
Manuel Pégourié-Gonnard
26d227ddfc Add config flag for support of client port reuse 2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
55f3d84faa fixup-include 2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
f7368c983a Polish API and documentation 2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
e1927101fb Unify round two 2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
d8204a7bea Provide symmetric API for the first round 2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
ce4567614b Rename variable to prepare for cli/srv unification 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
6b798b9dae Tune up some comments 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
e0ad57b0b3 Replace explicit IDs with table look-ups
That's a first step towards merging symmetric version of different functions
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
5f18829609 Add derive_pms, completing first working version 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
6449391852 Store our role in the context 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
614bd5e919 Add write_client_params 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
ec0eece2ba Add read_client_params 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
cb7cd03412 Add first draft or read_server_params 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
23dcbe3f16 Add support for passphrase in the context 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
4e8bc78ad9 Add context-using functions for Hello extensions
Also re-order functions in the header so that they appear in the order they're
use, ie free() last.
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
7af8bc1007 Start introducing mbedtls_ecjpake_context 2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
6029a85572 Add ecjpake_zpk_read()
Not really tested yet
2015-09-07 12:43:09 +02:00
Manuel Pégourié-Gonnard
d9a3f47ecd Add mbedtls_ecp_gen_keypair_base() 2015-09-07 12:43:09 +02:00
Manuel Pégourié-Gonnard
4d8685b4ff Add skeleton for EC J-PAKE module 2015-09-07 12:43:09 +02:00
Manuel Pégourié-Gonnard
aac5502553 Bump version to 2.1.0 2015-09-04 14:33:31 +02:00
Manuel Pégourié-Gonnard
37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard
5f5e0ec3f1 Improve mbedtls_ssl_write() documentation 2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
a2cda6bfaf Add mbedtls_ssl_get_max_frag_len()
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
bb83844a1d Clarify that there are two SSL I/O buffers 2015-08-31 12:46:01 +02:00
Manuel Pégourié-Gonnard
46c4fa16ab Fix missing casts on return
closes #236
2015-08-12 09:27:55 +02:00
Manuel Pégourié-Gonnard
e2b0efe24b Separate license from comments in config.h 2015-08-11 10:38:37 +02:00
Manuel Pégourié-Gonnard
ac50fc5e2f Fix typo in doc 2015-08-10 13:07:09 +02:00
Manuel Pégourié-Gonnard
854dab96fe Fix the fix for armcc5 --gnu
Only exclude armcc5, not armcc6.
2015-08-10 12:11:31 +02:00
Manuel Pégourié-Gonnard
32da9f66a8 Add support for MBEDTLS_USER_CONFIG_FILE 2015-08-06 09:57:54 +02:00
Manuel Pégourié-Gonnard
43569a93cc Use #ifdef rather than patch for target_config.h 2015-08-06 09:57:54 +02:00
Manuel Pégourié-Gonnard
63e7ebaaa1 Add material for generating yotta module 2015-08-06 09:57:53 +02:00
Manuel Pégourié-Gonnard
e14dec68ea Fix stupid typo in previous commit 2015-08-04 22:49:33 +02:00
Manuel Pégourié-Gonnard
f659f0c214 Disable Padlock code with ASan
We're getting build errors with Clang 3.5.0 on our Debian Jessie buildslave:

library/padlock.c:99:10: error: inline assembly requires more registers than available
2015-08-04 22:19:05 +02:00
Manuel Pégourié-Gonnard
e96ce08a21 Fix compile error with armcc5 --gnu 2015-07-31 10:58:06 +02:00
Manuel Pégourié-Gonnard
6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
10c767488b Adjust rename/compat list 2015-07-15 11:07:26 +02:00
Paul Bakker
4cb87f409d Prepare for 2.0.0 release 2015-07-10 14:09:43 +01:00
Manuel Pégourié-Gonnard
1409616d9c Fix one renaming in the list
Found by Simon while testing the upgrade guide
2015-07-09 09:17:18 +01:00
Manuel Pégourié-Gonnard
20af64dc2c Still need to #define inline for MSVC
I only tested with VS2015 earlier, but previous versions apparently still
don't know that standard C99 keyword though it's documented on MSDN...
2015-07-07 23:21:30 +02:00
Manuel Pégourié-Gonnard
052a6c9cfe Add mbedtls_md_clone() 2015-07-06 16:06:02 +02:00
Manuel Pégourié-Gonnard
16d412f465 Add md/shaXXX_clone() API
Will be used in the SSL/TLS modules
2015-07-06 15:48:34 +02:00
Manuel Pégourié-Gonnard
7893103154 Remove 1024 bits DHM params and add one 4096 bit 2015-07-03 17:06:39 +02:00
Manuel Pégourié-Gonnard
7c3b4ab6f2 Fix typos in comments 2015-07-02 17:59:52 +02:00
Manuel Pégourié-Gonnard
5791109707 Make the hardclock test optional
Known to fail on VMs (such as the buildbots), see eg
http://blog.badtrace.com/post/rdtsc-x86-instruction-to-detect-vms/
2015-07-01 19:22:12 +02:00
Manuel Pégourié-Gonnard
9bd0afdb22 Add guards for closed socket in net.c
This is particularly problematic when calling FD_SET( -1, ... ), but let's
check it in all functions.

This was introduced with the new API and the fact the net_free() now sets the
internal fd to -1 in order to mark it as closed: now using this information.
2015-07-01 19:03:27 +02:00
Manuel Pégourié-Gonnard
2505528be4 Rm obsolete defines for inline wiht MSVC
The "inline" keyword is supported since Visual Studio 2005 according to MSDN,
and we require Visual Studio 2010 or higher.
2015-07-01 17:22:36 +02:00
Manuel Pégourié-Gonnard
abc729e664 Simplify net_accept() with UDP sockets
This is made possible by the new API where net_accept() gets a pointer to
bind_ctx, so it can update it.
2015-07-01 01:28:24 +02:00
Manuel Pégourié-Gonnard
3d7d00ad23 Rename mbedtls_net_close() to mbedtls_net_free()
close() may be more meaningful, but free() is symmetric with _init(), and more
consistent with all other modules
2015-06-30 16:50:37 +02:00
Manuel Pégourié-Gonnard
91895853ac Move from naked int to a structure in net.c
Provides more flexibility for future changes/extensions.
2015-06-30 15:56:25 +02:00
Manuel Pégourié-Gonnard
a16e7c468c Rename a debug function 2015-06-29 20:14:19 +02:00
Manuel Pégourié-Gonnard
b74c245a20 Rework debug to not need dynamic alloc
But introduces dependency on variadic macros
2015-06-29 20:08:23 +02:00
Manuel Pégourié-Gonnard
9db2887672 Actually enable fixed snprintf on windows 2015-06-26 11:04:08 +02:00
Manuel Pégourié-Gonnard
dc54ff8578 Improve documentation about SSL ticket encryption 2015-06-25 12:44:46 +02:00
Manuel Pégourié-Gonnard
216a1831de Fix whitespace in CMakeLists.txt
- all spaces no tabs
- indent with 4 spaces everywhere
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
53585eeb17 Remove test DHM params from certs.c
certs.c belongs to the X.509 library, while DHM belongs to the crypto lib.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
0761733c1b Fix potential NULL dereference
We document that either of recv or recv_timeout may be NULL, but for TLS we
always used recv... Thanks Coverity for catching that.
(Not remotely trigerrable: local configuration.)

Also made me notice net_recv_timeout didn't do its job properly.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
fd474233c8 Change SSL debug API in the library 2015-06-23 18:44:11 +02:00
Manuel Pégourié-Gonnard
c0d749418b Make 'port' a string in NET module
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
e244f9ffc0 Improve doc about length of strings written 2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
d23f593737 Avoid static buffer in debug module
Caused issues in threading situations
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
1cd10adc7c Update prototype of x509write_set_key_usage()
Allow for future support of decipherOnly and encipherOnly. Some work will be
required to ensure we still write only one byte when only one is needed.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
655a964539 Adapt check_key_usage to new weird bits 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9a702255f4 Add parsing/printing for new X.509 keyUsage flags 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
07894338a0 Rename M255 to Curve25519 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
7320eb46d4 Remove references to some Montgomery curves
After all it looks like those won't become standard.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
e7e89844d6 Fix and document corner-cases of time checking 2015-06-22 23:41:24 +02:00
Manuel Pégourié-Gonnard
cdc26ae099 Add mbedtls_ssl_set_hs_authmode
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
  the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
1685368408 Rationalize snprintf() usage in X.509 modules 2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
6c0c8e0d3d Include fixed snprintf for Windows in platform.c
Use _WIN32 to detect it rather that _MSC_VER as it turns out MSYS2 uses the
broken MS version by default too.
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
8ba88f0460 Fix stupid typo in documentation 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
7580ba475d Add a concept of entropy source strength.
The main goal is, we want and error if cycle counter is the only source.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
3f77dfbd52 Add MBEDTLS_ENTROPY_HARDWARE_ALT
Makes it easier for an external module to plug its hardware entropy collector.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
bf82ff0209 Fix entropy thresholds 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
60c793bdc9 Split HAVE_TIME into HAVE_TIME + HAVE_TIME_DATE
First one means we have time() but it may not return the actual wall clock
time, second means it does.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
c0696c216b Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen 2015-06-18 16:49:37 +02:00
Manuel Pégourié-Gonnard
097c7bb05b Rename relevant global symbols from size to bitlen
Just applying rename.pl with this file:

mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
2015-06-18 16:43:38 +02:00