Hanno Becker
61c0c70418
Add tests for missing CA chains and bad curves.
...
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:36:12 +01:00
Gilles Peskine
db56acae43
Allow SHA-1 in server tests, when the signature_algorithm extension is not used
2017-06-06 19:08:23 +02:00
Gilles Peskine
ae76599686
Test that SHA-1 defaults off
...
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 19:08:23 +02:00
Gilles Peskine
dd57d75dfa
Allow SHA-1 in X.509 and TLS tests
...
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 19:08:23 +02:00
Andres AG
0ac1392cd8
Remove use of inttypes.h in MSVC from ssl_server2
...
The sample application programs/ssl/ssl_server2.c was previously
modifies to use inttypes.h to parse a string to a 64-bit integer.
However, MSVC does not support C99, so compilation fails. This
patch modifies the sample app to use the MSVC specific parsing
functions instead of inttypes.h.
2017-03-01 23:33:29 +00:00
Andres AG
9b1927bf9b
Add DTLS test to check 6 byte record ctr is cmp
...
Add a test to ssl-opt.sh to ensure that in DTLS a 6 byte record counter
is compared in ssl_check_ctr_renegotiate() instead of a 8 byte one as in
the TLS case. Because currently there are no testing facilities to check
that renegotiation routines are triggered after X number of input/output
messages, the test consists on setting a renegotiation period that
cannot be represented in 6 bytes, but whose least-significant byte is 2.
If the library behaves correctly, the renegotiation routines will be
executed after two exchanged.
2017-02-04 23:35:14 +00:00
Manuel Pégourié-Gonnard
22311ae62e
Improve help message of ssl_*2.c
2015-09-09 11:22:58 +02:00
Manuel Pégourié-Gonnard
3f09b6d4c2
Fix API
2015-09-08 11:58:14 +02:00
Manuel Pégourié-Gonnard
37ff14062e
Change main license to Apache 2.0
2015-09-04 14:21:07 +02:00
Simon Butcher
ed51594337
Merge pull request #265 from ARMmbed/iotssl-460-bugfixes
...
Iotssl 460 bugfixes
2015-09-02 23:36:36 +01:00
Manuel Pégourié-Gonnard
a2cda6bfaf
Add mbedtls_ssl_get_max_frag_len()
...
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
ea35666f50
Fix -Wshadow warnings
...
Checked that it is supported by gcc 4.2.1 (FreeBSD 9).
fixes #240
2015-08-31 10:34:26 +02:00
Manuel Pégourié-Gonnard
6fb8187279
Update date in copyright line
2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
6755717f18
Fix stupid typo in ssl_server2.c
2015-07-02 11:15:48 +02:00
Manuel Pégourié-Gonnard
9de64f5af1
Fix MSVC warnings in library and programs
2015-07-01 16:56:08 +02:00
Manuel Pégourié-Gonnard
052f28853b
Cosmetics in debug in ssl_{client,server}2.c
...
Print only the basename from the file, and print level too.
2015-07-01 12:01:13 +02:00
Manuel Pégourié-Gonnard
abc729e664
Simplify net_accept() with UDP sockets
...
This is made possible by the new API where net_accept() gets a pointer to
bind_ctx, so it can update it.
2015-07-01 01:28:24 +02:00
Manuel Pégourié-Gonnard
3d7d00ad23
Rename mbedtls_net_close() to mbedtls_net_free()
...
close() may be more meaningful, but free() is symmetric with _init(), and more
consistent with all other modules
2015-06-30 16:50:37 +02:00
Manuel Pégourié-Gonnard
5db64328ab
Adapt programs to the new NET API
2015-06-30 16:48:17 +02:00
Manuel Pégourié-Gonnard
1c5b9fc19f
Avoid truncating peer cert info in ssl_server2
2015-06-27 14:38:51 +02:00
Manuel Pégourié-Gonnard
61ee351af4
Adapt programs to the new debug API
2015-06-23 23:30:16 +02:00
Manuel Pégourié-Gonnard
c0d749418b
Make 'port' a string in NET module
...
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
6ea831dcf4
Add tests for mbedtls_set_hs_ca_chain()
2015-06-22 17:30:18 +02:00
Manuel Pégourié-Gonnard
4d6f178376
Add support for SNI CA and authmode in ssl_server2
2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
b31c5f68b1
Add SSL presets.
...
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard
7551cb9ee9
Replace malloc with calloc
...
- platform layer currently broken (not adapted yet)
- memmory_buffer_alloc too
2015-05-26 16:04:06 +02:00
Manuel Pégourié-Gonnard
56273daea0
Move some includes to ssl_internal.h
...
Also removed one from ssl.h and add it in programs where it belongs
2015-05-26 15:01:37 +02:00
Manuel Pégourié-Gonnard
a0adc1bbe4
Make cipher used in ssl tickets configurable
2015-05-25 10:35:16 +02:00
Manuel Pégourié-Gonnard
d59675d92c
Move to callback for session tickets
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
0b104b056b
Adapt prototype of net_accept() for explicit size
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
d4f04dba42
net.c now depends on select() unconditionally
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
151dc77732
Fix some old names that remained
...
- most in doxygen doc that was never renamed
- some re-introduced in comments/doc/strings by me
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
66dc5555f0
mbedtls_ssl_conf_arc4_support() depends on ARC4_C
2015-05-14 12:31:10 +02:00
Manuel Pégourié-Gonnard
d2377e7e78
ssl_client/server2 shouln't depend on timing.c
...
Would break test-ref-configs.pl.
2015-05-13 13:58:56 +02:00
Manuel Pégourié-Gonnard
e3c41ad8a4
Use the new timer callback API in programs
2015-05-13 10:04:32 +02:00
Manuel Pégourié-Gonnard
db1cc76091
Fix depend issue in program/ssl/ssl_*2.c
2015-05-12 11:27:25 +02:00
Manuel Pégourié-Gonnard
e6ef16f98c
Change X.509 verify flags to uint32_t
2015-05-11 19:54:43 +02:00
Manuel Pégourié-Gonnard
06939cebef
Fix order of ssl_conf vs ssl_setup in programs
...
Except ssl_phtread_server that will be done later
2015-05-11 14:35:42 +02:00
Manuel Pégourié-Gonnard
01e5e8c1f8
Change a few ssl_conf return types to void
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
6729e79482
Rename ssl_set_xxx() to ssl_conf_xxx()
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
17a40cd255
Change ssl_own_cert to work on ssl_config
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
1af6c8500b
Add ssl_set_hs_own_cert()
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
120fdbdb3d
Change ssl_set_psk() to act on ssl_config
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
4b68296626
Use a specific function in the PSK callback
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
750e4d7769
Move ssl_set_rng() to act on config
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
5cb3308e5f
Merge contexts for session cache
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
ae31914990
Rename ssl_legacy_renegotiation() to ssl_set_...
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
1028b74cff
Upgrade default DHM params size
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
8836994f6b
Move WANT_READ/WANT_WRITE codes to SSL
2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
1b511f93c6
Rename ssl_set_bio_timeout() to set_bio()
...
Initially thought it was best to keep the old function around and add a new
one, but this so many ssl_set_xxx() functions are changing anyway...
2015-05-11 12:33:26 +02:00