Commit Graph

251 Commits

Author SHA1 Message Date
Hanno Becker
e4ad3e8803 Allow requests of size larger than 16384 in ssl_client2 2017-09-18 16:11:42 +01:00
Hanno Becker
8651a43e95 Remove %zu format string from ssl_client2 and ssl_server2 2017-06-09 16:13:22 +01:00
Hanno Becker
e6706e62d8 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:26:59 +01:00
Gilles Peskine
bc70a1836b Test that SHA-1 defaults off
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 18:44:14 +02:00
Gilles Peskine
cd3c845157 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 18:44:13 +02:00
Gilles Peskine
ef86ab238f Allow SHA-1 in X.509 and TLS tests
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 18:44:13 +02:00
Andres AG
788aa4a812 Rename net.{c,h} to net_sockets.{c,h}
The library/net.c and its corresponding include/mbedtls/net.h file are
renamed to library/net_sockets.c and include/mbedtls/net_sockets.h
respectively. This is to avoid naming collisions in projects which also
have files with the common name 'net'.
2016-09-26 23:23:52 +01:00
Simon Butcher
d3138c35c6 Fixes SSL sample apps for non-default configs
Fixes the SSL sample applications to build for the non-default configs
which don't build if MBEDTLS_PLATFORM_C isn't defined.
2016-04-27 01:26:50 +01:00
Manuel Pégourié-Gonnard
fadacb9d0b Merge branch 'development' into iotssl-461-ecjpake-finalization
* development: (73 commits)
  Bump yotta dependencies version
  Fix typo in documentation
  Corrected misleading fn description in ssl_cache.h
  Corrected URL/reference to MPI library
  Fix yotta dependencies
  Fix minor spelling mistake in programs/pkey/gen_key.c
  Bump version to 2.1.2
  Fix CVE number in ChangeLog
  Add 'inline' workaround where needed
  Fix references to non-standard SIZE_T_MAX
  Fix yotta version dependencies again
  Upgrade yotta dependency versions
  Fix compile error in net.c with musl libc
  Add missing warning in doc
  Remove inline workaround when not useful
  Fix macroization of inline in C++
  Changed attribution for Guido Vranken
  Merge of IOTSSL-476 - Random malloc in pem_read()
  Fix for IOTSSL-473 Double free error
  Fix potential overflow in CertificateRequest
  ...

Conflicts:
	include/mbedtls/ssl_internal.h
	library/ssl_cli.c
2015-10-20 15:00:29 +02:00
Manuel Pégourié-Gonnard
70905a7855 Add ecjpake_pw option to ssl_client2/server2 2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
22311ae62e Improve help message of ssl_*2.c 2015-09-09 11:22:58 +02:00
Manuel Pégourié-Gonnard
dbd23079d0 Add option reconnect_hard to ssl_client2
- interrupt the connection abruptly (no close_notify)
- reconnect from the same port while server sill has an active connection from
  this port.

Some real-world clients do that, see section 4.2.8 of RFC 6347.
2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard
a2cda6bfaf Add mbedtls_ssl_get_max_frag_len()
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
046589e424 Rm obsolete defines for snprintf in programs
Now centralized in the platform layer
2015-07-01 17:26:20 +02:00
Manuel Pégourié-Gonnard
9de64f5af1 Fix MSVC warnings in library and programs 2015-07-01 16:56:08 +02:00
Manuel Pégourié-Gonnard
052f28853b Cosmetics in debug in ssl_{client,server}2.c
Print only the basename from the file, and print level too.
2015-07-01 12:01:13 +02:00
Manuel Pégourié-Gonnard
3d7d00ad23 Rename mbedtls_net_close() to mbedtls_net_free()
close() may be more meaningful, but free() is symmetric with _init(), and more
consistent with all other modules
2015-06-30 16:50:37 +02:00
Manuel Pégourié-Gonnard
5db64328ab Adapt programs to the new NET API 2015-06-30 16:48:17 +02:00
Manuel Pégourié-Gonnard
61ee351af4 Adapt programs to the new debug API 2015-06-23 23:30:16 +02:00
Manuel Pégourié-Gonnard
c0d749418b Make 'port' a string in NET module
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
b31c5f68b1 Add SSL presets.
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard
9096682352 Add dhmlen option in ssl_client2.c 2015-06-17 11:37:04 +02:00
Manuel Pégourié-Gonnard
bf27eaac79 Fix help string in ssl_client2.c 2015-06-12 11:22:02 +02:00
Manuel Pégourié-Gonnard
b596abfdc0 Refine cli/srv ifdefs for session tickets
- Only the server needs to generate/parse tickets
- Only the client needs to store them

Also adjust prototype of ssl_conf_session_tickets() while at it.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
d4f04dba42 net.c now depends on select() unconditionally 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
a63bc94a2d Remove timing_m_sleep() -> net_usleep() 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
66dc5555f0 mbedtls_ssl_conf_arc4_support() depends on ARC4_C 2015-05-14 12:31:10 +02:00
Manuel Pégourié-Gonnard
d2377e7e78 ssl_client/server2 shouln't depend on timing.c
Would break test-ref-configs.pl.
2015-05-13 13:58:56 +02:00
Manuel Pégourié-Gonnard
e3c41ad8a4 Use the new timer callback API in programs 2015-05-13 10:04:32 +02:00
Manuel Pégourié-Gonnard
db1cc76091 Fix depend issue in program/ssl/ssl_*2.c 2015-05-12 11:27:25 +02:00
Manuel Pégourié-Gonnard
e6ef16f98c Change X.509 verify flags to uint32_t 2015-05-11 19:54:43 +02:00
Manuel Pégourié-Gonnard
159c82ecc6 Fix ssl_set_hostname usage (duplication, ifdef) 2015-05-11 17:59:14 +02:00
Manuel Pégourié-Gonnard
06939cebef Fix order of ssl_conf vs ssl_setup in programs
Except ssl_phtread_server that will be done later
2015-05-11 14:35:42 +02:00
Manuel Pégourié-Gonnard
01e5e8c1f8 Change a few ssl_conf return types to void 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
6729e79482 Rename ssl_set_xxx() to ssl_conf_xxx() 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
17a40cd255 Change ssl_own_cert to work on ssl_config 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
120fdbdb3d Change ssl_set_psk() to act on ssl_config 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
750e4d7769 Move ssl_set_rng() to act on config 2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
ae31914990 Rename ssl_legacy_renegotiation() to ssl_set_... 2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
8836994f6b Move WANT_READ/WANT_WRITE codes to SSL 2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
1b511f93c6 Rename ssl_set_bio_timeout() to set_bio()
Initially thought it was best to keep the old function around and add a new
one, but this so many ssl_set_xxx() functions are changing anyway...
2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
97fd52c529 Split ssl_set_read_timeout() out of bio_timeout() 2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
bc2b771af4 Move ssl_set_ca_chain() to work on config 2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
2b49445876 Move session ticket keys to conf
This is temporary, they will soon be replaced by callbacks.
!!! In this intermediate step security is removed !!!
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
684b0592cb Move ssl_set_fallback() to work on conf
Initially thought it would be per-connection, but since max_version is in conf
too, and you need to lower that for a fallback connection, the fallback flag
should be in the same place
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
6bf89d6ad9 Move ssl_set_max_fragment_len to work on conf 2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
17eab2b65c Move set_cbc_record_splitting() to conf 2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
d36e33fc07 Move easy ssl_set_xxx() functions to work on conf
mbedtls_ssl_set_alpn_protocols
mbedtls_ssl_set_arc4_support
mbedtls_ssl_set_authmode
mbedtls_ssl_set_ciphersuites
mbedtls_ssl_set_ciphersuites_for_version
mbedtls_ssl_set_curves
mbedtls_ssl_set_dbg
mbedtls_ssl_set_dh_param
mbedtls_ssl_set_dh_param_ctx
mbedtls_ssl_set_dtls_anti_replay
mbedtls_ssl_set_dtls_badmac_limit
mbedtls_ssl_set_dtls_cookies
mbedtls_ssl_set_encrypt_then_mac
mbedtls_ssl_set_endpoint
mbedtls_ssl_set_extended_master_secret
mbedtls_ssl_set_handshake_timeout
mbedtls_ssl_legacy_renegotiation
mbedtls_ssl_set_max_version
mbedtls_ssl_set_min_version
mbedtls_ssl_set_psk_cb
mbedtls_ssl_set_renegotiation
mbedtls_ssl_set_renegotiation_enforced
mbedtls_ssl_set_renegotiation_period
mbedtls_ssl_set_session_cache
mbedtls_ssl_set_session_ticket_lifetime
mbedtls_ssl_set_sni
mbedtls_ssl_set_transport
mbedtls_ssl_set_truncated_hmac
mbedtls_ssl_set_verify
2015-05-07 10:19:13 +01:00