Commit Graph

867 Commits

Author SHA1 Message Date
Ron Eldor
3a7baf3fa7 Backport 2.1:Remove duplicated def. of PRINT_ERROR
Backport of #1036 to mbed TLS 2.1 branch.
Remove duplicate definition of PRINT_ERROR
in the benchmark sample application
2017-08-20 16:16:39 +03:00
Hanno Becker
093620173b Correct comment and remove empty line 2017-07-28 21:43:19 +01:00
Hanno Becker
66daa68c19 Reliably zeroize sensitive data in AES sample application
The AES sample application programs/aes/aescrypt2 could miss zeroizing
the stack-based key buffer in case of an error during operation. This
commit fixes this and also clears another temporary buffer as well as
all command line arguments (one of which might be the key) before exit.
2017-07-28 21:41:11 +01:00
Hanno Becker
e0c35a6997 Reliably zeroize sensitive data in Crypt-and-Hash sample application
The AES sample application programs/aes/crypt_and_hash could miss
zeroizing the stack-based key buffer in case of an error during
operation. This commit fixes this and also clears all command line
arguments (one of which might be the key) before exit.
2017-07-28 21:40:52 +01:00
Ron Eldor
a905bdc999 Minor: Fix typo in program comments
Fix a typos in some reference program applications
2017-07-19 23:39:59 +02:00
Hanno Becker
46a1629c5f Remove %zu format string from ssl_client2 and ssl_server2 2017-06-09 16:14:49 +01:00
Manuel Pégourié-Gonnard
431c2afe3e Merge remote-tracking branch 'janos/mbedtls-2.1-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-2.1
* janos/mbedtls-2.1-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:17:54 +02:00
Janos Follath
5ad678971d Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 15:59:21 +01:00
Hanno Becker
61c0c70418 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:36:12 +01:00
Gilles Peskine
db56acae43 Allow SHA-1 in server tests, when the signature_algorithm extension is not used 2017-06-06 19:08:23 +02:00
Gilles Peskine
ae76599686 Test that SHA-1 defaults off
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 19:08:23 +02:00
Gilles Peskine
12c19541a9 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 19:08:23 +02:00
Gilles Peskine
dd57d75dfa Allow SHA-1 in X.509 and TLS tests
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 19:08:23 +02:00
Andres AG
0ac1392cd8 Remove use of inttypes.h in MSVC from ssl_server2
The sample application programs/ssl/ssl_server2.c was previously
modifies to use inttypes.h to parse a string to a 64-bit integer.
However, MSVC does not support C99, so compilation fails. This
patch modifies the sample app to use the MSVC specific parsing
functions instead of inttypes.h.
2017-03-01 23:33:29 +00:00
Ron Eldor
78011d9656 fix for issue 1101: missing rsa context initialization
added mbedtls_rsa_init in rsa_decrypt sample application
2017-03-01 16:05:25 +00:00
Paul Bakker
c60c31226f Fix default hostname for verification used in ssl_client1 2017-02-28 23:33:28 +00:00
Andres AG
9b1927bf9b Add DTLS test to check 6 byte record ctr is cmp
Add a test to ssl-opt.sh to ensure that in DTLS a 6 byte record counter
is compared in ssl_check_ctr_renegotiate() instead of a 8 byte one as in
the TLS case. Because currently there are no testing facilities to check
that renegotiation routines are triggered after X number of input/output
messages, the test consists on setting a renegotiation period that
cannot be represented in 6 bytes, but whose least-significant byte is 2.
If the library behaves correctly, the renegotiation routines will be
executed after two exchanged.
2017-02-04 23:35:14 +00:00
Andres AG
9d32bd91b0 Fix examples that failed to compile without PEM 2017-02-02 17:08:46 +00:00
Simon Butcher
5214607f75 Add extra compilation conditions to X.509 samples
The sample applications programs/pkey/cert_req.c and
programs/pkey/cert_write.c use the library functions
mbedtls_pk_write_csr_pem() and mbedtls_pk_write_crt_pem() respectively which
are dependent on the configuration option MBEDTLS_PEM_WRITE_C. If the option
isn't defined the build breaks.

This change adds the compilation condition MBEDTLS_PEM_WRITE_C to these
sample application.
2016-10-10 09:45:17 +01:00
Simon Butcher
411fd7c23a Add extra compilation conditions to gen_key.c #559
The sample application programs/pkey/gen_key.c uses the library function
mbedtls_pk_write_key_pem() which is dependent on the configuration option
MBEDTLS_PEM_WRITE_C. If the option isn't defined the build breaks.

This change adds the compilation condition MBEDTLS_PEM_WRITE_C to the gen_key.c
sample application.
2016-10-07 14:17:22 +01:00
Simon Butcher
d7fb3fd4e6 Fix error text and whitespace in crypt_and_hash.c 2016-10-07 14:16:57 +01:00
Paul Bakker
3ef29f6e48 Do not add empty cert / key in cert_app 2016-09-26 20:46:10 +01:00
Paul Bakker
11a7d7cf68 Actually apply debug_level settings in cert_app 2016-09-26 20:45:57 +01:00
Paul Bakker
a9f02c8c21 Fix for #441 - crypt and hash gcm (#546)
* Fix crypt_and_hash to support decrypting GCM encrypted files

* Fix documentation in crypt_and_hash for the generic case

* Remove unused lastn from crypt_and_hash

lastn is not used with the cipher layer as it already provides padding
and understanding of length of the original data.
2016-09-02 22:08:18 +01:00
Simon Butcher
c019035e8e Add missing stdlib.h header to rsa sample programs 2016-05-18 19:36:03 +01:00
Simon Butcher
663638d202 Corrects platform return values in rsa sample programs 2016-05-18 19:36:03 +01:00
Simon Butcher
4529c48c42 Fixes error and exit paths in rsa sample programs 2016-05-18 19:36:03 +01:00
Janos Follath
bffa68d3ca Fix memory leaks in example programs. 2016-05-18 19:36:03 +01:00
Janos Follath
c89a62e809 Improves and makes pretty the ssl_fork_server output 2016-04-28 23:57:42 +01:00
Janos Follath
56a7347841 Fix issue #429 in ssl_fork_server.c 2016-04-28 23:57:28 +01:00
Jonathan Leroy
3dd85ddfdf cert_write : fix "Destination buffer is too small" error
This commit fixes the `Destination buffer is too small` error returned
by `mbedtls_cert_write` command when the values of `subject_name` or
`issuer_name` parameters exceed 128 characters.

I have increased the size of these varaibles from 128 to 256 characters,
but I don't know if it's the best way to solve this issue...

Fixes #315.
2015-11-02 05:58:30 +09:00
Jonathan Leroy
1f8c20ac9a Fix help message for cert_req/cert_write programs
In cert_req and cert_write programs, "key_certificate_sign" is not an
allowed velue for "key_usage" parameter. The correct value is
"key_cert_sign".

See https://github.com/ARMmbed/mbedtls/blob/development/programs/x509/cert_req.c#L208
and https://github.com/ARMmbed/mbedtls/blob/development/programs/x509/cert_write.c#L323.
2015-10-30 16:56:44 +01:00
James Cowgill
6bfa1d826e Fix minor spelling mistake in programs/pkey/gen_key.c 2015-10-27 10:27:51 +01:00
Manuel Pégourié-Gonnard
2ed05a049a Fix typos 2015-09-09 11:52:28 +02:00
Manuel Pégourié-Gonnard
22311ae62e Improve help message of ssl_*2.c 2015-09-09 11:22:58 +02:00
Manuel Pégourié-Gonnard
3f09b6d4c2 Fix API 2015-09-08 11:58:14 +02:00
Manuel Pégourié-Gonnard
dbd23079d0 Add option reconnect_hard to ssl_client2
- interrupt the connection abruptly (no close_notify)
- reconnect from the same port while server sill has an active connection from
  this port.

Some real-world clients do that, see section 4.2.8 of RFC 6347.
2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Simon Butcher
ed51594337 Merge pull request #265 from ARMmbed/iotssl-460-bugfixes
Iotssl 460 bugfixes
2015-09-02 23:36:36 +01:00
Manuel Pégourié-Gonnard
a2cda6bfaf Add mbedtls_ssl_get_max_frag_len()
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
cf9ab63863 Fix error reporting in pkey/pk_* programs 2015-08-31 10:34:27 +02:00
Manuel Pégourié-Gonnard
ce7a08ba49 Fix more comments/outputs in verify programs 2015-08-31 10:34:27 +02:00
Manuel Pégourié-Gonnard
102a620c9a Fix hash buffer size in pkey programs 2015-08-31 10:34:27 +02:00
Manuel Pégourié-Gonnard
d224ff1f63 Change default RSA key size in rsa_genkey 2015-08-31 10:34:27 +02:00
Manuel Pégourié-Gonnard
1d8f2da7df Fix comments about filenames in some programs 2015-08-31 10:34:27 +02:00
Manuel Pégourié-Gonnard
d74c697035 Fix memory corruption in rsa sign/verify programs
We have no guarantee there is enough room in the argv strings.

Fixes #210
2015-08-31 10:34:27 +02:00
Manuel Pégourié-Gonnard
ea35666f50 Fix -Wshadow warnings
Checked that it is supported by gcc 4.2.1 (FreeBSD 9).

fixes #240
2015-08-31 10:34:26 +02:00
Manuel Pégourié-Gonnard
fa1304a51d Use Unix line endings in wince_main.c too
The compiler needs to accept Unix line endings anyway, as this is what we use
everywhere, and it makes things more consistent.
2015-08-06 19:03:31 +02:00
Manuel Pégourié-Gonnard
d73896581b Fix typos (found by Francesco Pompò)
Manually merging as the pull requests are based on an old branch.

closes #215
closes #216
2015-08-06 18:22:26 +02:00
Manuel Pégourié-Gonnard
6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
4f3368e31e Fix bug in benchmark.c with DHM params 2015-07-19 15:01:28 +02:00
Manuel Pégourié-Gonnard
78ec2b049c Cosmetics in Makefiles 2015-07-08 22:12:06 +01:00
Manuel Pégourié-Gonnard
a6dbddce0c Fix benchmark.c for removal of small DH params 2015-07-06 11:20:33 +02:00
Manuel Pégourié-Gonnard
77c656217b Update dh_genprime program
- default size 2048 bits
- make size a command-line argument
- remove warning about using own params
2015-07-03 16:57:52 +02:00
Manuel Pégourié-Gonnard
6755717f18 Fix stupid typo in ssl_server2.c 2015-07-02 11:15:48 +02:00
Manuel Pégourié-Gonnard
046589e424 Rm obsolete defines for snprintf in programs
Now centralized in the platform layer
2015-07-01 17:26:20 +02:00
Manuel Pégourié-Gonnard
9de64f5af1 Fix MSVC warnings in library and programs 2015-07-01 16:56:08 +02:00
Manuel Pégourié-Gonnard
052f28853b Cosmetics in debug in ssl_{client,server}2.c
Print only the basename from the file, and print level too.
2015-07-01 12:01:13 +02:00
Manuel Pégourié-Gonnard
abc729e664 Simplify net_accept() with UDP sockets
This is made possible by the new API where net_accept() gets a pointer to
bind_ctx, so it can update it.
2015-07-01 01:28:24 +02:00
Manuel Pégourié-Gonnard
3d7d00ad23 Rename mbedtls_net_close() to mbedtls_net_free()
close() may be more meaningful, but free() is symmetric with _init(), and more
consistent with all other modules
2015-06-30 16:50:37 +02:00
Manuel Pégourié-Gonnard
5db64328ab Adapt programs to the new NET API 2015-06-30 16:48:17 +02:00
Manuel Pégourié-Gonnard
a7c8903ca6 Add missing programs to Makefile 2015-06-29 19:14:04 +02:00
Manuel Pégourié-Gonnard
1c5b9fc19f Avoid truncating peer cert info in ssl_server2 2015-06-27 14:38:51 +02:00
Manuel Pégourié-Gonnard
fc36708697 Use $(MAKE), not make
For the sake of systems where we want gmake.
2015-06-26 16:50:24 +02:00
Manuel Pégourié-Gonnard
633c6b6485 Run timing selftest on all platforms
Used to fail on our FreeBSD and Windows buildbots. Seems to be working at
least on my Darwin physical machine and on my Windows VM with MSYS2 now.
2015-06-26 16:17:30 +02:00
Manuel Pégourié-Gonnard
4b00f08e20 Fix snprintf test
Our Windows implementation based on vsnprintf_s( ..., _TRUNCATE ) sometimes
writes *two* terminating NULLs. Allow for that, but obviously bytes past the
end of the buffer mustn't be touched.
2015-06-26 14:10:13 +02:00
Manuel Pégourié-Gonnard
ea9556a76e Fix mistaken changes in Makefile's clean target
I was a bit too trigger-happy with copy-pasting in a previous commit...
2015-06-25 14:19:25 +02:00
Manuel Pégourié-Gonnard
216a1831de Fix whitespace in CMakeLists.txt
- all spaces no tabs
- indent with 4 spaces everywhere
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
21e1ac205e Fix linking order with make
GNU ld cares about the order in which static libs are mentioned on the command
line: if A depends on B then A must com first.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
5c59a4fea5 Split libs with make + general make cleanups 2015-06-25 10:59:56 +02:00
Manuel Pégourié-Gonnard
8d4a613cc5 Small Makefile improvements
- fix old build commands still using OFLAGS
- make everything work with --warn-undefined-variables, which can be useful
  for debugging typos
2015-06-25 10:59:56 +02:00
Manuel Pégourié-Gonnard
61ee351af4 Adapt programs to the new debug API 2015-06-23 23:30:16 +02:00
Manuel Pégourié-Gonnard
c0d749418b Make 'port' a string in NET module
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
07894338a0 Rename M255 to Curve25519 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
6ea831dcf4 Add tests for mbedtls_set_hs_ca_chain() 2015-06-22 17:30:18 +02:00
Manuel Pégourié-Gonnard
4d6f178376 Add support for SNI CA and authmode in ssl_server2 2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
7b6dcbe993 Add tests for snprintf
- Added in each tests program to be sure they are run (putting them in a test
  suite/function specific to the platform layer would cause them to be skipped
when PLATFORM_C is not defined).
- Platforms have already moved from a standard to a broken snprintf in the
  past [1], so make sure to catch that if it ever happens again.

[1]: http://sourceforge.net/p/mingw-w64/mailman/message/31241434/
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
7580ba475d Add a concept of entropy source strength.
The main goal is, we want and error if cycle counter is the only source.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
c0696c216b Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen 2015-06-18 16:49:37 +02:00
Manuel Pégourié-Gonnard
797f48ace6 Rename ecp_curve_info.size to bit_size 2015-06-18 15:45:05 +02:00
Manuel Pégourié-Gonnard
898e0aa210 Rename key_length in cipher_info 2015-06-18 15:31:10 +02:00
Manuel Pégourié-Gonnard
b31c5f68b1 Add SSL presets.
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard
9096682352 Add dhmlen option in ssl_client2.c 2015-06-17 11:37:04 +02:00
Manuel Pégourié-Gonnard
bf27eaac79 Fix help string in ssl_client2.c 2015-06-12 11:22:02 +02:00
Manuel Pégourié-Gonnard
ba56136b5c Avoid in-out length in base64 2015-06-02 16:30:35 +01:00
Manuel Pégourié-Gonnard
3335205a21 Avoid in-out length in dhm_calc_secret() 2015-06-02 16:17:08 +01:00
Manuel Pégourié-Gonnard
d14acbc31a Test assumptions we make about the platform
Things that are not guaranteed by the standard but should be true of all
platforms of interest to us:
- 8-bit chars
- NULL pointers represented by all-bits-zero
2015-05-29 12:25:40 +02:00
Manuel Pégourié-Gonnard
06d5d61302 Adapt programs to generic md_file() 2015-05-28 17:28:38 +02:00
Manuel Pégourié-Gonnard
b327168e22 Remove non-generic md_file() programs 2015-05-28 17:28:38 +02:00
Manuel Pégourié-Gonnard
b2a18a2a98 Remove references to malloc in strings/names 2015-05-27 16:58:55 +02:00
Manuel Pégourié-Gonnard
7551cb9ee9 Replace malloc with calloc
- platform layer currently broken (not adapted yet)
- memmory_buffer_alloc too
2015-05-26 16:04:06 +02:00
Manuel Pégourié-Gonnard
56273daea0 Move some includes to ssl_internal.h
Also removed one from ssl.h and add it in programs where it belongs
2015-05-26 15:01:37 +02:00
Manuel Pégourié-Gonnard
a0adc1bbe4 Make cipher used in ssl tickets configurable 2015-05-25 10:35:16 +02:00
Manuel Pégourié-Gonnard
b596abfdc0 Refine cli/srv ifdefs for session tickets
- Only the server needs to generate/parse tickets
- Only the client needs to store them

Also adjust prototype of ssl_conf_session_tickets() while at it.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
d59675d92c Move to callback for session tickets 2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
53ebe138c6 Fix copyright lines still mentioning Brainspark 2015-05-15 12:01:12 +02:00
Manuel Pégourié-Gonnard
0b104b056b Adapt prototype of net_accept() for explicit size 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
d9e6a3ac10 Rename pk_init_ctx() -> pk_setup() 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
d4f04dba42 net.c now depends on select() unconditionally 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
a63bc94a2d Remove timing_m_sleep() -> net_usleep() 2015-05-14 21:58:34 +02:00