Simon Butcher
157cb656a9
Clarified mbedtls_ssl_conf_alpn_protocols() doc
...
Clarified the lifetime of the protos parameter passed in the
function mbedtls_ssl_conf_alpn_protocols().
2016-03-09 19:32:08 +00:00
Manuel Pégourié-Gonnard
02049dcbd1
Add links to KB articles
2016-02-22 16:46:34 +00:00
Manuel Pégourié-Gonnard
325ce093f9
Give better error messages for semi-portable parts
...
Previously it was failing with errors about headers not found, which is
suboptimal in terms of clarity. Now give a clean error with pointer to the
documentation.
Do the checks in the .c files rather than check_config.h as it keeps them
closer to the platform-specific implementations.
2016-02-22 10:47:32 +01:00
Manuel Pégourié-Gonnard
d13b9507b3
Improve documentation of some SSL callbacks
...
The previous documentation was not explicit about what was expected of the
callbacks - the user had to infer that from the descriptions in net.h or
timing.h, and it was not clear what was part of the calling convention and
what was specific to our implementation.
2016-02-22 10:13:22 +01:00
Manuel Pégourié-Gonnard
edb1a48397
dtls: improve doc about handshake timeouts
2016-01-29 16:05:55 +01:00
Manuel Pégourié-Gonnard
365f325e03
Make check-names.sh happy
2016-01-08 15:05:11 +01:00
Manuel Pégourié-Gonnard
25caaf36a6
Avoid build errors with -O0 due to assembly
2016-01-08 14:29:11 +01:00
Simon Butcher
bfafadb45d
Change version number to 2.2.1
...
Changed version for library files and yotta module
2016-01-04 22:26:36 +00:00
Manuel Pégourié-Gonnard
76da60c56e
Fix doxygen warnings for generic names in config.h
...
When we use the same documentation for a list of #defines, we used to use a
generic name in the \def command. Use the first name of the list instead so
that doxygen stops complaining, and mention the generic name in the longer
description.
This is not entirely satisfactory as the full list of macros will not be
included in the generated doc, but it's still an improvement as at least the
first macro is documented now, with a hint that there are others.
2016-01-04 13:51:01 +01:00
Manuel Pégourié-Gonnard
ddbb166041
Reintroduce line deleted by accident
2016-01-04 12:40:15 +01:00
Simon Butcher
5b331b9d48
Various fixes to doxygen API generation
...
* Fixed incorrect file definitions
* Fixed accidental tag problems in ecjpake.h
* Corrected function naming in X.509 module definition
2016-01-03 16:14:14 +00:00
Simon Butcher
9803d07a63
Fix for MPI divide on MSVC
...
Resolves multiple platform issues when building bignum.c with Microsoft
Visual Studio.
2016-01-03 00:24:34 +00:00
Simon Butcher
4c2bfdbff6
Merge 'iotssl-558-md5-tls-sigs-restricted'
2015-12-23 18:33:54 +00:00
Simon Butcher
fabce5e137
Merge branch 'misc' into development
...
Fixes github #358 , #362 and IOTSSL-536
2015-12-22 18:56:56 +00:00
James Cowgill
21e402a3ae
Fix segfault on x32 by using better register constraints in bn_mul.h
...
On x32, pointers are only 4-bytes wide and need to be loaded using the "movl"
instruction instead of "movq" to avoid loading garbage into the register.
The MULADDC routines for x86-64 are adjusted to work on x32 as well by getting
gcc to load all the registers for us in advance (and storing them later) by
using better register constraints. The b, c, D and S constraints correspond to
the rbx, rcx, rdi and rsi registers respectively.
2015-12-17 13:08:47 +00:00
Manuel Pégourié-Gonnard
acbb050118
Make documentation more explicit on TLS errors
...
fixes #358
2015-12-10 13:57:27 +01:00
Manuel Pégourié-Gonnard
47229c7cbb
Disable MD5 in handshake signatures by default
2015-12-04 15:02:56 +01:00
Manuel Pégourié-Gonnard
e2e25e7427
DTLS: avoid dropping too many records
...
When the peer retransmits a flight with many record in the same datagram, and
we already saw one of the records in that datagram, we used to drop the whole
datagram, resulting in interoperability failure (spurious handshake timeouts,
due to ignoring record retransmitted by the peer) with some implementations
(issues with Chrome were reported).
So in those cases, we want to only drop the current record, and look at the
following records (if any) in the same datagram. OTOH, this is not something
we always want to do, as sometime the header of the current record is not
reliable enough.
This commit introduces a new return code for ssl_parse_header() that allows to
distinguish if we should drop only the current record or the whole datagram,
and uses it in mbedtls_ssl_read_record()
fixes #345
2015-12-03 16:13:17 +01:00
Simon Butcher
8254ed2a9f
Change version number to 2.2.0
...
Changed for library and yotta module
2015-11-04 19:55:40 +00:00
Manuel Pégourié-Gonnard
ba1d897987
Merge branch 'bugfixes' into development
...
* bugfixes:
Fix typo in an OID name
Disable reportedly broken assembly of Sparc(64)
2015-11-02 05:50:41 +09:00
Manuel Pégourié-Gonnard
fb84d38b45
Try to prevent some misuse of RSA functions
...
fixes #331
2015-10-30 10:56:25 +01:00
Simon Butcher
204606238c
Merge branch 'development' into misc
2015-10-27 16:57:34 +00:00
Simon Butcher
5f7c34b8b0
Merge branch iotssl-521-keylen-check
2015-10-27 15:14:55 +00:00
Manuel Pégourié-Gonnard
65eefc8707
Fix missing check for RSA key length on EE certs
...
- also adapt tests to use lesser requirement for compatibility with old
testing material
2015-10-23 16:19:53 +02:00
Manuel Pégourié-Gonnard
e5f3072aed
Fix #ifdef inconsistency
...
fixes #310
Actually all key exchanges that use a certificate use signatures too, and
there is no key exchange that uses signatures but no cert, so merge those two
flags.
2015-10-23 08:40:23 +02:00
Manuel Pégourié-Gonnard
7c5fcdc17a
Disable reportedly broken assembly of Sparc(64)
...
fixes #292
2015-10-21 14:52:24 +02:00
Manuel Pégourié-Gonnard
fadacb9d0b
Merge branch 'development' into iotssl-461-ecjpake-finalization
...
* development: (73 commits)
Bump yotta dependencies version
Fix typo in documentation
Corrected misleading fn description in ssl_cache.h
Corrected URL/reference to MPI library
Fix yotta dependencies
Fix minor spelling mistake in programs/pkey/gen_key.c
Bump version to 2.1.2
Fix CVE number in ChangeLog
Add 'inline' workaround where needed
Fix references to non-standard SIZE_T_MAX
Fix yotta version dependencies again
Upgrade yotta dependency versions
Fix compile error in net.c with musl libc
Add missing warning in doc
Remove inline workaround when not useful
Fix macroization of inline in C++
Changed attribution for Guido Vranken
Merge of IOTSSL-476 - Random malloc in pem_read()
Fix for IOTSSL-473 Double free error
Fix potential overflow in CertificateRequest
...
Conflicts:
include/mbedtls/ssl_internal.h
library/ssl_cli.c
2015-10-20 15:00:29 +02:00
Manuel Pégourié-Gonnard
cf82893411
Disable EC J-PAKE by default (experimental)
2015-10-20 14:57:00 +02:00
Manuel Pégourié-Gonnard
db90c82eb7
Fix typo in documentation
2015-10-20 09:36:39 +02:00
Simon Butcher
e3132a9e5a
Corrected misleading fn description in ssl_cache.h
...
Mistake in comments spotted by Andris Mednis
2015-10-19 19:28:41 +01:00
Manuel Pégourié-Gonnard
024b6df3b1
Improve key export API and documentation
...
- "master secret" is the usual name
- move key block arg closer to the related lengths
- document lengths
Also fix some trailing whitespace while at it
2015-10-19 13:52:53 +02:00
Manuel Pégourié-Gonnard
4104864e54
ECHDE-PSK does not use a certificate
...
fixes #270
2015-10-09 14:50:43 +01:00
Manuel Pégourié-Gonnard
adeb7d8ec9
Move all KEY_EXCHANGE__ definitions in one place
2015-10-09 14:44:47 +01:00
Robert Cragie
4289c0d1fa
Typo in parameter name
2015-10-06 17:20:41 +01:00
Manuel Pégourié-Gonnard
c4e7d8a381
Bump version to 2.1.2
...
Yotta version bumped to 2.1.3, as we had to do one more patch release to the
yotta registry to accommodate for dependencies updates.
2015-10-05 19:13:36 +01:00
Manuel Pégourié-Gonnard
c80a74f734
Merge branch 'development' into development-restricted
...
* development:
Add 'inline' workaround where needed
2015-10-05 16:30:53 +01:00
Manuel Pégourié-Gonnard
2ac9c60838
Add 'inline' workaround where needed
...
Was previously using the workaround from md.h
2015-10-05 16:18:23 +01:00
Manuel Pégourié-Gonnard
a97ab2c8a6
Merge branch 'development' into development-restricted
...
* development:
Remove inline workaround when not useful
Fix macroization of inline in C++
2015-10-05 15:48:09 +01:00
Simon Butcher
7776fc36d3
Fix for #279 macroisation of 'inline' keyword
2015-10-05 15:44:18 +01:00
Manuel Pégourié-Gonnard
2d7083435d
Fix references to non-standard SIZE_T_MAX
...
Turns out C99 doesn't define SIZE_T_MAX, so let's not use it.
2015-10-05 15:23:11 +01:00
Manuel Pégourié-Gonnard
899ac849d0
Merge branch 'development' into development-restricted
...
* development:
Upgrade yotta dependency versions
Fix compile error in net.c with musl libc
Add missing warning in doc
2015-10-05 14:47:43 +01:00
Manuel Pégourié-Gonnard
cb6af00e2a
Add missing warning in doc
...
Found by Nicholas Wilson
fixes #288
2015-10-05 12:12:39 +01:00
Manuel Pégourié-Gonnard
5a2e389811
Remove inline workaround when not useful
...
This header doesn't have nay inline function any more
2015-10-05 11:55:39 +01:00
Manuel Pégourié-Gonnard
0223ab9d38
Fix macroization of inline in C++
...
When compiling as C++, MSVC complains about our macroization of a keyword.
Stop doing that as we know inline is always available in C++
2015-10-05 11:41:36 +01:00
Simon Butcher
6418ffaadb
Merge fix for IOTSSL-480 - base64 overflow issue
2015-10-05 09:54:11 +01:00
Robert Cragie
4feb7ae8c2
Added key export API
2015-10-02 13:33:37 +01:00
Robert Cragie
7cdad7708e
Add point format handling
2015-10-02 13:31:41 +01:00
Manuel Pégourié-Gonnard
ef388f168d
Merge branch 'development' into development-restricted
...
* development:
Updated ChangeLog with credit
Fix a fairly common typo in comments
Make config check include for configs examples more consistent
2015-10-02 12:44:39 +02:00
Manuel Pégourié-Gonnard
0aa45c209a
Fix potential overflow in base64_encode
2015-09-30 16:37:49 +02:00
Simon Butcher
9f81231fb8
Revised hostname length check from review
2015-09-28 19:22:33 +01:00
Simon Butcher
89f77623b8
Added max length checking of hostname
2015-09-27 22:50:49 +01:00
Tillmann Karras
588ad50c5a
Fix a fairly common typo in comments
2015-09-25 04:27:22 +02:00
Manuel Pégourié-Gonnard
77c0646ef2
Add cache for EC J-PAKE client extension
...
Not used yet, just add the variables and cleanup code.
2015-09-17 13:59:49 +02:00
Manuel Pégourié-Gonnard
8cea8ad8b8
Bump version to 2.1.1
2015-09-17 11:58:45 +02:00
Manuel Pégourié-Gonnard
75df902740
Add warning on config options
...
Note to self: actually disable before merging that branch!
2015-09-16 23:21:01 +02:00
Manuel Pégourié-Gonnard
bf57be690e
Add server extension parsing
...
Only accept EC J-PAKE ciphersuite if extension was present and OK (single flag
for both), and ignore extension if we have no password.
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
eef142d753
Depend on ECJPAKE key exchange, not module
...
This is more consistent, as it doesn't make any sense for a user to be able to
set up an EC J-PAKE password with TLS if the corresponding key exchange is
disabled.
Arguably this is what we should de for other key exchanges as well instead of
depending on ECDH_C etc, but this is an independent issue, so let's just do
the right thing with the new key exchange and fix the other ones later. (This
is a marginal issue anyway, since people who disable all ECDH key exchange are
likely to also disable ECDH_C in order to minimize footprint.)
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
538cb7b0b4
Add the ECJPAKE ciphersuite
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
557535d8c4
Add ECJPAKE key exchange
2015-09-16 22:58:29 +02:00
Simon Butcher
5793e7ef01
Merge 'development' into iotssl-411-port-reuse
...
Conflicts:
ChangeLog
2015-09-16 15:25:53 +01:00
Manuel Pégourié-Gonnard
294139b57a
Add client extension writing
2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
b813accf84
Add mbedtls_ecjpake_check(), tells if set up
...
This will be used in SSL to avoid the computation-heavy processing of EC
J-PAKE hello extensions in case we don't have an EC J-PAKE password
2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
7002f4a560
Add mbedtls_ssl_set_hs_ecjpake_password()
2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
76cfd3f97f
Add EC J-PAKE context in handshake structure
2015-09-15 18:24:08 +02:00
Manuel Pégourié-Gonnard
f472179d44
Adjust dependencies for EC extensions
...
The Thread spec says we need those for EC J-PAKE too.
However, we won't be using the information, so we can skip the parsing
functions in an EC J-PAKE only config; keep the writing functions in order to
comply with the spec.
2015-09-15 18:22:00 +02:00
Simon Butcher
1a57af1607
Update ssl.h
...
Typo
2015-09-11 17:14:16 +01:00
Simon Butcher
4f6882a8a3
Update config.h
...
Typo in RFC x-ref comment.
2015-09-11 17:12:46 +01:00
Manuel Pégourié-Gonnard
ddfe5d20d1
Tune dependencies
...
Don't depend on srv.c in config.h, but add explicit checks. This is more
in line with other options that only make sense server-side, and also it
allows to test full config minus srv.c more easily.
2015-09-09 12:46:16 +02:00
Manuel Pégourié-Gonnard
62c74bb78a
Stop wasting resources
...
Use a custom function that minimally parses the message an creates a reply
without the overhead of a full SSL context.
Also fix dependencies: needs DTLS_HELLO_VERIFY for the cookie types, and let's
also depend on SRV_C as is doesn't make sense on client.
2015-09-09 11:22:52 +02:00
Nicholas Wilson
2088e2ebd9
fix const-ness of argument to mbedtls_ssl_conf_cert_profile
...
Otherwise, it's impossible to pass in a pointer to
mbedtls_x509_crt_profile_next!
2015-09-08 16:53:18 +01:00
Manuel Pégourié-Gonnard
222cb8db22
Tune related documentation while at it
2015-09-08 15:43:59 +02:00
Manuel Pégourié-Gonnard
3a2a4485d4
Update documentation
2015-09-08 15:36:09 +02:00
Manuel Pégourié-Gonnard
be619c1264
Clean up error codes
2015-09-08 11:21:21 +02:00
Manuel Pégourié-Gonnard
26d227ddfc
Add config flag for support of client port reuse
2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
55f3d84faa
fixup-include
2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
f7368c983a
Polish API and documentation
2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
e1927101fb
Unify round two
2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
d8204a7bea
Provide symmetric API for the first round
2015-09-07 12:43:11 +02:00
Manuel Pégourié-Gonnard
ce4567614b
Rename variable to prepare for cli/srv unification
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
6b798b9dae
Tune up some comments
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
e0ad57b0b3
Replace explicit IDs with table look-ups
...
That's a first step towards merging symmetric version of different functions
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
5f18829609
Add derive_pms, completing first working version
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
6449391852
Store our role in the context
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
614bd5e919
Add write_client_params
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
ec0eece2ba
Add read_client_params
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
cb7cd03412
Add first draft or read_server_params
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
23dcbe3f16
Add support for passphrase in the context
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
4e8bc78ad9
Add context-using functions for Hello extensions
...
Also re-order functions in the header so that they appear in the order they're
use, ie free() last.
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
7af8bc1007
Start introducing mbedtls_ecjpake_context
2015-09-07 12:43:10 +02:00
Manuel Pégourié-Gonnard
6029a85572
Add ecjpake_zpk_read()
...
Not really tested yet
2015-09-07 12:43:09 +02:00
Manuel Pégourié-Gonnard
d9a3f47ecd
Add mbedtls_ecp_gen_keypair_base()
2015-09-07 12:43:09 +02:00
Manuel Pégourié-Gonnard
4d8685b4ff
Add skeleton for EC J-PAKE module
2015-09-07 12:43:09 +02:00
Manuel Pégourié-Gonnard
aac5502553
Bump version to 2.1.0
2015-09-04 14:33:31 +02:00
Manuel Pégourié-Gonnard
37ff14062e
Change main license to Apache 2.0
2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard
5f5e0ec3f1
Improve mbedtls_ssl_write() documentation
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
a2cda6bfaf
Add mbedtls_ssl_get_max_frag_len()
...
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
bb83844a1d
Clarify that there are two SSL I/O buffers
2015-08-31 12:46:01 +02:00
Manuel Pégourié-Gonnard
46c4fa16ab
Fix missing casts on return
...
closes #236
2015-08-12 09:27:55 +02:00
Manuel Pégourié-Gonnard
e2b0efe24b
Separate license from comments in config.h
2015-08-11 10:38:37 +02:00
Manuel Pégourié-Gonnard
ac50fc5e2f
Fix typo in doc
2015-08-10 13:07:09 +02:00
Manuel Pégourié-Gonnard
854dab96fe
Fix the fix for armcc5 --gnu
...
Only exclude armcc5, not armcc6.
2015-08-10 12:11:31 +02:00
Manuel Pégourié-Gonnard
32da9f66a8
Add support for MBEDTLS_USER_CONFIG_FILE
2015-08-06 09:57:54 +02:00
Manuel Pégourié-Gonnard
43569a93cc
Use #ifdef rather than patch for target_config.h
2015-08-06 09:57:54 +02:00
Manuel Pégourié-Gonnard
63e7ebaaa1
Add material for generating yotta module
2015-08-06 09:57:53 +02:00
Manuel Pégourié-Gonnard
e14dec68ea
Fix stupid typo in previous commit
2015-08-04 22:49:33 +02:00
Manuel Pégourié-Gonnard
f659f0c214
Disable Padlock code with ASan
...
We're getting build errors with Clang 3.5.0 on our Debian Jessie buildslave:
library/padlock.c:99:10: error: inline assembly requires more registers than available
2015-08-04 22:19:05 +02:00
Manuel Pégourié-Gonnard
e96ce08a21
Fix compile error with armcc5 --gnu
2015-07-31 10:58:06 +02:00
Manuel Pégourié-Gonnard
6fb8187279
Update date in copyright line
2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
10c767488b
Adjust rename/compat list
2015-07-15 11:07:26 +02:00
Paul Bakker
4cb87f409d
Prepare for 2.0.0 release
2015-07-10 14:09:43 +01:00
Manuel Pégourié-Gonnard
1409616d9c
Fix one renaming in the list
...
Found by Simon while testing the upgrade guide
2015-07-09 09:17:18 +01:00
Manuel Pégourié-Gonnard
20af64dc2c
Still need to #define inline for MSVC
...
I only tested with VS2015 earlier, but previous versions apparently still
don't know that standard C99 keyword though it's documented on MSDN...
2015-07-07 23:21:30 +02:00
Manuel Pégourié-Gonnard
052a6c9cfe
Add mbedtls_md_clone()
2015-07-06 16:06:02 +02:00
Manuel Pégourié-Gonnard
16d412f465
Add md/shaXXX_clone() API
...
Will be used in the SSL/TLS modules
2015-07-06 15:48:34 +02:00
Manuel Pégourié-Gonnard
7893103154
Remove 1024 bits DHM params and add one 4096 bit
2015-07-03 17:06:39 +02:00
Manuel Pégourié-Gonnard
7c3b4ab6f2
Fix typos in comments
2015-07-02 17:59:52 +02:00
Manuel Pégourié-Gonnard
5791109707
Make the hardclock test optional
...
Known to fail on VMs (such as the buildbots), see eg
http://blog.badtrace.com/post/rdtsc-x86-instruction-to-detect-vms/
2015-07-01 19:22:12 +02:00
Manuel Pégourié-Gonnard
9bd0afdb22
Add guards for closed socket in net.c
...
This is particularly problematic when calling FD_SET( -1, ... ), but let's
check it in all functions.
This was introduced with the new API and the fact the net_free() now sets the
internal fd to -1 in order to mark it as closed: now using this information.
2015-07-01 19:03:27 +02:00
Manuel Pégourié-Gonnard
2505528be4
Rm obsolete defines for inline wiht MSVC
...
The "inline" keyword is supported since Visual Studio 2005 according to MSDN,
and we require Visual Studio 2010 or higher.
2015-07-01 17:22:36 +02:00
Manuel Pégourié-Gonnard
abc729e664
Simplify net_accept() with UDP sockets
...
This is made possible by the new API where net_accept() gets a pointer to
bind_ctx, so it can update it.
2015-07-01 01:28:24 +02:00
Manuel Pégourié-Gonnard
3d7d00ad23
Rename mbedtls_net_close() to mbedtls_net_free()
...
close() may be more meaningful, but free() is symmetric with _init(), and more
consistent with all other modules
2015-06-30 16:50:37 +02:00
Manuel Pégourié-Gonnard
91895853ac
Move from naked int to a structure in net.c
...
Provides more flexibility for future changes/extensions.
2015-06-30 15:56:25 +02:00
Manuel Pégourié-Gonnard
a16e7c468c
Rename a debug function
2015-06-29 20:14:19 +02:00
Manuel Pégourié-Gonnard
b74c245a20
Rework debug to not need dynamic alloc
...
But introduces dependency on variadic macros
2015-06-29 20:08:23 +02:00
Manuel Pégourié-Gonnard
9db2887672
Actually enable fixed snprintf on windows
2015-06-26 11:04:08 +02:00
Manuel Pégourié-Gonnard
dc54ff8578
Improve documentation about SSL ticket encryption
2015-06-25 12:44:46 +02:00
Manuel Pégourié-Gonnard
216a1831de
Fix whitespace in CMakeLists.txt
...
- all spaces no tabs
- indent with 4 spaces everywhere
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
53585eeb17
Remove test DHM params from certs.c
...
certs.c belongs to the X.509 library, while DHM belongs to the crypto lib.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
0761733c1b
Fix potential NULL dereference
...
We document that either of recv or recv_timeout may be NULL, but for TLS we
always used recv... Thanks Coverity for catching that.
(Not remotely trigerrable: local configuration.)
Also made me notice net_recv_timeout didn't do its job properly.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
fd474233c8
Change SSL debug API in the library
2015-06-23 18:44:11 +02:00
Manuel Pégourié-Gonnard
c0d749418b
Make 'port' a string in NET module
...
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
e244f9ffc0
Improve doc about length of strings written
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
d23f593737
Avoid static buffer in debug module
...
Caused issues in threading situations
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
1cd10adc7c
Update prototype of x509write_set_key_usage()
...
Allow for future support of decipherOnly and encipherOnly. Some work will be
required to ensure we still write only one byte when only one is needed.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
655a964539
Adapt check_key_usage to new weird bits
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9a702255f4
Add parsing/printing for new X.509 keyUsage flags
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
07894338a0
Rename M255 to Curve25519
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
7320eb46d4
Remove references to some Montgomery curves
...
After all it looks like those won't become standard.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
e7e89844d6
Fix and document corner-cases of time checking
2015-06-22 23:41:24 +02:00
Manuel Pégourié-Gonnard
cdc26ae099
Add mbedtls_ssl_set_hs_authmode
...
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
1685368408
Rationalize snprintf() usage in X.509 modules
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
6c0c8e0d3d
Include fixed snprintf for Windows in platform.c
...
Use _WIN32 to detect it rather that _MSC_VER as it turns out MSYS2 uses the
broken MS version by default too.
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
8ba88f0460
Fix stupid typo in documentation
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
7580ba475d
Add a concept of entropy source strength.
...
The main goal is, we want and error if cycle counter is the only source.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
3f77dfbd52
Add MBEDTLS_ENTROPY_HARDWARE_ALT
...
Makes it easier for an external module to plug its hardware entropy collector.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
bf82ff0209
Fix entropy thresholds
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
60c793bdc9
Split HAVE_TIME into HAVE_TIME + HAVE_TIME_DATE
...
First one means we have time() but it may not return the actual wall clock
time, second means it does.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
c0696c216b
Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen
2015-06-18 16:49:37 +02:00
Manuel Pégourié-Gonnard
097c7bb05b
Rename relevant global symbols from size to bitlen
...
Just applying rename.pl with this file:
mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
2015-06-18 16:43:38 +02:00
Manuel Pégourié-Gonnard
fb317c5221
Rename parameter in a x509 helper
2015-06-18 16:41:13 +02:00
Manuel Pégourié-Gonnard
39a48f4934
Internal renamings in PK
...
+ an unrelated comment in SSL
2015-06-18 16:06:55 +02:00
Manuel Pégourié-Gonnard
12ad798c87
Rename ssl_session.length to id_len
2015-06-18 15:50:37 +02:00
Manuel Pégourié-Gonnard
797f48ace6
Rename ecp_curve_info.size to bit_size
2015-06-18 15:45:05 +02:00
Manuel Pégourié-Gonnard
898e0aa210
Rename key_length in cipher_info
2015-06-18 15:31:10 +02:00
Manuel Pégourié-Gonnard
b8186a5e54
Rename len to bitlen in function parameters
...
Clarify a few comments too.
2015-06-18 14:58:58 +02:00
Manuel Pégourié-Gonnard
b31c5f68b1
Add SSL presets.
...
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard
7bfc122703
Implement sig_hashes
2015-06-17 14:34:48 +02:00
Manuel Pégourié-Gonnard
36a8b575a9
Create API for mbedtls_ssl_conf_sig_hashes().
...
Not implemented yet.
2015-06-17 14:27:39 +02:00
Manuel Pégourié-Gonnard
9d412d872c
Small internal changes in curve checking
...
- switch from is_acceptable to the more usual check
- add NULL check just in case user screwed up config
2015-06-17 14:27:39 +02:00
Manuel Pégourié-Gonnard
27716cc1da
Clarify a point in the documentation
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
b541da6ef3
Fix define for ssl_conf_curves()
...
This is a security feature, it shouldn't be optional.
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
6e3ee3ad43
Add mbedtls_ssl_conf_cert_profile()
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
f8ea856296
Change data structure of profiles to bitfields
...
- allows to express 'none' or 'all' more easily than lists
- more compact and easier to declare statically
- easier to check too
Only drawback: if we ever have more than 32 curves, we'll need an ABI change to
make that field a uint64_t.
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
88db5da117
Add pre-defined profiles for cert verification
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
9505164ef4
Create cert profile API (unimplemented yet)
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
bd990d6629
Add ssl_conf_dhm_min_bitlen()
2015-06-17 11:37:04 +02:00
Manuel Pégourié-Gonnard
1b1e65f541
Fix typos and other small issues in doc
2015-06-11 13:38:03 +02:00
Manuel Pégourié-Gonnard
7ee5ddd798
Merge branch 'mbedtls-1.3' into development
...
* mbedtls-1.3:
Fix compile errors with NO_STD_FUNCTIONS
Expand config.pl's notion of "full"
Ack external bugfix in Changelog
FIx misplaced Changelog entry (oops)
Fix compile bug: incompatible declaration of polarssl_exit in platform.c
Fix contributor's name in Changelog
2015-06-03 10:33:55 +01:00
Manuel Pégourié-Gonnard
dccb80b7e5
Fix compile errors with NO_STD_FUNCTIONS
2015-06-03 10:20:33 +01:00
Manuel Pégourié-Gonnard
ba56136b5c
Avoid in-out length in base64
2015-06-02 16:30:35 +01:00
Manuel Pégourié-Gonnard
3335205a21
Avoid in-out length in dhm_calc_secret()
2015-06-02 16:17:08 +01:00
Manuel Pégourié-Gonnard
f79b425226
Avoid in-out length parameter in bignum
2015-06-02 15:41:48 +01:00
Manuel Pégourié-Gonnard
77cfe177e1
Remove now-useless typedef in ssl.h
2015-06-02 11:18:35 +01:00
Manuel Pégourié-Gonnard
c730ed3f2d
Rename boolean functions to be clearer
2015-06-02 10:38:50 +01:00
Manuel Pégourié-Gonnard
3eb50fa591
Cosmetics in doxygen doc
2015-06-02 10:28:09 +01:00
Manuel Pégourié-Gonnard
6ca7624952
Mark unused constant as such
2015-06-02 09:55:32 +01:00
Manuel Pégourié-Gonnard
81abefd46c
Fix typos/style in doxygen documentation
2015-05-29 12:53:47 +02:00
Manuel Pégourié-Gonnard
d14acbc31a
Test assumptions we make about the platform
...
Things that are not guaranteed by the standard but should be true of all
platforms of interest to us:
- 8-bit chars
- NULL pointers represented by all-bits-zero
2015-05-29 12:25:40 +02:00
Manuel Pégourié-Gonnard
f78e4de6f4
Fix warnings from -pedantic
2015-05-29 10:52:14 +02:00
Manuel Pégourié-Gonnard
864108daab
Move from gmtime_r to gmtime + mutexes
...
* gmtime_r is not standard so -std=c99 warns about it
* Anyway we need global mutexes in the threading layer, so better depend only
on that, rather that global mutexes + some _r functions
2015-05-29 10:18:09 +02:00
Manuel Pégourié-Gonnard
ba19432d2e
Move from asm to __asm by default
...
- GCC with -std=c99 warns about asm but likes __asm
_ armcc5 has __asm but not asm
2015-05-29 10:18:09 +02:00
Manuel Pégourié-Gonnard
2a84dfd747
Make ssl_cookie.c thread-safe
2015-05-28 17:28:39 +02:00
Manuel Pégourié-Gonnard
b48ef9cce9
Improve documentation about HelloVerifyRequest
2015-05-28 17:28:39 +02:00
Manuel Pégourié-Gonnard
398b206ff0
Update doc for ssl_conf_renegotiation
2015-05-28 17:28:38 +02:00
Manuel Pégourié-Gonnard
41b9c2b418
Remove individual mdX_file() and shaX_file()
2015-05-28 17:28:38 +02:00
Manuel Pégourié-Gonnard
bfffa908a6
Implement md_file in the MD layer
2015-05-28 17:28:38 +02:00
Manuel Pégourié-Gonnard
eb0d8706ce
Add option for even smaller SHA-256
2015-05-28 16:45:23 +02:00
Manuel Pégourié-Gonnard
6a8ca33fa5
Rename ERR_xxx_MALLOC_FAILED to ..._ALLOC_FAILED
2015-05-28 16:25:05 +02:00
Manuel Pégourié-Gonnard
160e384360
Fix bad name choice
2015-05-27 20:27:06 +02:00
Manuel Pégourié-Gonnard
a7f8033fa4
Fix oversights in s/malloc/calloc/
2015-05-27 20:26:40 +02:00
Manuel Pégourié-Gonnard
944cfe8899
Allow use of global mutexes with threading_alt
2015-05-27 20:12:05 +02:00
Manuel Pégourié-Gonnard
f7c2eebfcf
Remove unused struct member in ssl_context
...
Actually belongs to ssl_session
2015-05-27 18:06:02 +02:00
Manuel Pégourié-Gonnard
200e73179e
Adapt memory_buffer_alloc to calloc
2015-05-27 16:58:55 +02:00
Manuel Pégourié-Gonnard
b9ef1182f3
Adapt the platform layer from malloc to calloc
2015-05-27 16:58:55 +02:00
Manuel Pégourié-Gonnard
7551cb9ee9
Replace malloc with calloc
...
- platform layer currently broken (not adapted yet)
- memmory_buffer_alloc too
2015-05-26 16:04:06 +02:00
Manuel Pégourié-Gonnard
065122cfe9
Move some defines to ssl_internal.h
2015-05-26 15:01:37 +02:00
Manuel Pégourié-Gonnard
56273daea0
Move some includes to ssl_internal.h
...
Also removed one from ssl.h and add it in programs where it belongs
2015-05-26 15:01:37 +02:00
Manuel Pégourié-Gonnard
cd4fcc6c8b
Move some structures to ssl_internal.h
2015-05-26 15:01:37 +02:00
Manuel Pégourié-Gonnard
5e94ddebbc
Create ssl_internal.h and move some functions
2015-05-26 11:57:05 +02:00
Manuel Pégourié-Gonnard
50518f4195
Rename _wrap headers to _internal
...
Makes it clearer that the user is not supposed to include them
2015-05-26 11:06:12 +02:00
Manuel Pégourié-Gonnard
4214e3a0eb
Update dependencies and documentation
2015-05-25 19:42:14 +02:00
Manuel Pégourié-Gonnard
1e9c4db524
Implement key rotation
2015-05-25 19:42:14 +02:00
Manuel Pégourié-Gonnard
887674a33b
Internal changes in preparation for key rotation
...
- two sets of keys
- separate function for key generation/update
2015-05-25 12:19:00 +02:00
Manuel Pégourié-Gonnard
a0adc1bbe4
Make cipher used in ssl tickets configurable
2015-05-25 10:35:16 +02:00
Manuel Pégourié-Gonnard
1041a39338
Use AES-GCM-256 for session ticket protection
2015-05-20 20:19:42 +02:00
Manuel Pégourié-Gonnard
0849a0a910
Make ssl ticket functions thread-safe
2015-05-20 11:34:54 +02:00
Manuel Pégourié-Gonnard
e057d3bf6b
Relax some dependencies
...
- DTLS_HELLO_VERIFY no longer depends on SRV_C
- SSL_COOKIE_C no longer depends on DTLS_HELLO_VERIFY
Not that much work for us, and easier on users (esp. since it allows just
disabling SRV_C alone).
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
b596abfdc0
Refine cli/srv ifdefs for session tickets
...
- Only the server needs to generate/parse tickets
- Only the client needs to store them
Also adjust prototype of ssl_conf_session_tickets() while at it.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
cf141ca7e7
Fix #ifdefs on ssl_cli.c or ssl_srv.c
...
Nothing to do with the current branch except I'm going to refine such #ifdefs
for tickets next and I want to start from a clean state
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
0c0f11f4b3
Update dependencies & includes for session tickets
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
d59675d92c
Move to callback for session tickets
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
2ff873c0fa
Fix SSL_DEBUG macros
...
Avoid doubled semicolon on usage, which would be bad in non-braced "if"
branches for example.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
b0394bebdb
Further adapt prototypes of ticket functions
...
Moving everything in ticket_keys structure, that will soon become
ticket_context.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
69f17280d3
Adapt prototypes of ticket handling functions
...
This is an intermediate step. The ssl_config argument will be replace by a
ticket context next.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
a4a473516e
Rename & move ticket functions to ticket module
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
fd6d8978f9
Add new submodule ssl_ticket
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
53ebe138c6
Fix copyright lines still mentioning Brainspark
2015-05-15 12:01:12 +02:00
Manuel Pégourié-Gonnard
dad1ad739d
Doc tune-ups
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
0b104b056b
Adapt prototype of net_accept() for explicit size
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
d9e6a3ac10
Rename pk_init_ctx() -> pk_setup()
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
d4f04dba42
net.c now depends on select() unconditionally
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
a63bc94a2d
Remove timing_m_sleep() -> net_usleep()
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
151dc77732
Fix some old names that remained
...
- most in doxygen doc that was never renamed
- some re-introduced in comments/doc/strings by me
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
8473f87984
Rename cipher_init_ctx() to cipher_setup()
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
66dc5555f0
mbedtls_ssl_conf_arc4_support() depends on ARC4_C
2015-05-14 12:31:10 +02:00
Manuel Pégourié-Gonnard
e391c8deda
Doc tune-up
2015-05-13 20:34:24 +02:00
Manuel Pégourié-Gonnard
70860adccc
SSL timers are no longer just for DTLS
...
Also, clean up leftover temporary stuff... embarassing
2015-05-13 10:25:28 +02:00
Manuel Pégourié-Gonnard
bbd28f7bcc
Improve SSL doc about I/O and timeouts
2015-05-13 10:21:42 +02:00
Manuel Pégourié-Gonnard
5a8d56d3a3
Rm hard dependency of DTLS on TIMING_C
2015-05-13 10:10:00 +02:00
Manuel Pégourié-Gonnard
2e01291739
Prepare the SSL modules for using timer callbacks
2015-05-13 09:43:39 +02:00
Manuel Pégourié-Gonnard
ca3bdc5632
Add mbedtls_timing_set/get_delay()
2015-05-12 20:45:34 +02:00
Manuel Pégourié-Gonnard
8903fe0fd3
Define timing_selftest() even with TIMING_ALT
2015-05-12 19:30:45 +02:00
Manuel Pégourié-Gonnard
31993f271d
Add per-function override for AES
2015-05-12 15:41:08 +02:00
Manuel Pégourié-Gonnard
70a5010783
Create function-level MBETLS_DES_xxx_ALT
2015-05-12 15:17:15 +02:00
Manuel Pégourié-Gonnard
e45dba47b5
Remove unused member in des_context
2015-05-12 14:54:15 +02:00
Manuel Pégourié-Gonnard
d1a82603ad
Tune comments in config.h
2015-05-12 14:20:23 +02:00
Manuel Pégourié-Gonnard
eecb43cf0b
Manually merge doc fixes from 1.3
2015-05-12 12:56:41 +02:00
Manuel Pégourié-Gonnard
48647b9255
Merge remote-tracking branch 'nw/misc' into mbedtls-1.3
...
* nw/misc:
Typos and doc additions
2015-05-12 12:48:12 +02:00
Manuel Pégourié-Gonnard
43b37cbc92
Fix use of pem_read_buffer() in PK, DHM and X509
2015-05-12 11:26:43 +02:00
Manuel Pégourié-Gonnard
e6ef16f98c
Change X.509 verify flags to uint32_t
2015-05-11 19:54:43 +02:00
Manuel Pégourié-Gonnard
e3a062ba1f
Rename ecp_use_known_dp -> mbedtls_ecp_group_load()
2015-05-11 18:46:47 +02:00
Manuel Pégourié-Gonnard
56cc88a796
Rm ecp_add() and add ecp_muladd()
2015-05-11 18:40:45 +02:00
Manuel Pégourié-Gonnard
6dde596a03
Remove ecp_sub()
2015-05-11 18:18:32 +02:00
Manuel Pégourié-Gonnard
aff37e5aa1
Remove ecp_group_read_string()
2015-05-11 18:11:57 +02:00
Manuel Pégourié-Gonnard
06939cebef
Fix order of ssl_conf vs ssl_setup in programs
...
Except ssl_phtread_server that will be done later
2015-05-11 14:35:42 +02:00
Manuel Pégourié-Gonnard
01e5e8c1f8
Change a few ssl_conf return types to void
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
6729e79482
Rename ssl_set_xxx() to ssl_conf_xxx()
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
22bfa4bb53
Add ssl_set_hs_ca_chain()
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
1897af9e93
Make conf const inside ssl_context (finally)
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
17a40cd255
Change ssl_own_cert to work on ssl_config
2015-05-11 14:35:41 +02:00