Commit Graph

10028 Commits

Author SHA1 Message Date
Hanno Becker
9fb3f1eaf2 Add all.sh test for hardcoded SSL version 2019-07-30 16:48:20 +02:00
Hanno Becker
32bbe4a66b Remove unused label in ssl_client2/ssl_server2 2019-07-30 16:33:40 +03:00
Hanno Becker
e29dfb2157 Add missing word in documentation of mbedtls_ssl_check_record() 2019-07-30 16:33:40 +03:00
Hanno Becker
83b8c3b8eb cli/srv ex: Add dbg msg if record checking gives inconsistent result 2019-07-30 16:33:40 +03:00
Hanno Becker
c2b08d1251 Fix minor issues in documentation of mbedtls_ssl_check_record() 2019-07-30 16:33:40 +03:00
Hanno Becker
bec8885b7d State that record checking is DTLS only and doesn't check content type 2019-07-30 16:33:40 +03:00
Hanno Becker
82ff6f1e17 Update version_features.c 2019-07-30 16:33:40 +03:00
Hanno Becker
de9e36e6b3 Pass dgrams to mbedtls_ssl_check_record in ssl_client2/server2 2019-07-30 16:33:40 +03:00
Hanno Becker
fe24b3b269 Add IO wrappers to ssl_server2 as interm's between NET and SSL layer 2019-07-30 16:33:40 +03:00
Hanno Becker
14219feb27 Add IO wrappers to ssl_client2 as interm's between NET and SSL layer 2019-07-30 15:44:43 +03:00
Hanno Becker
02f2609551 Introduce configuration option and API for SSL record checking 2019-07-30 15:38:40 +03:00
Manuel Pégourié-Gonnard
f010eba833
Merge pull request #632 from hanno-arm/baremetal_sh_debug-baremetal
[Baremetal] Add `--debug` option to `baremetal.sh`
2019-07-30 00:07:45 +02:00
Manuel Pégourié-Gonnard
cdb83e7c88
Merge pull request #616 from mpg/context-s11n
[baremetal] Implement context serialization
2019-07-30 00:07:23 +02:00
Manuel Pégourié-Gonnard
69a3e417d8 Improve reability and debugability of large if
Breaking into a series of statements makes things easier when stepping through
the code in a debugger.

Previous comments we stating the opposite or what the code tested for (what we
want vs what we're erroring out on) which was confusing.

Also expand a bit on the reasons for these restrictions.
2019-07-29 12:32:02 +02:00
Manuel Pégourié-Gonnard
18332c5c6c Improve getter for renegotiation enabled 2019-07-29 12:17:52 +02:00
Manuel Pégourié-Gonnard
d04850507d
Merge pull request #634 from hanno-arm/single_ec_doc-baremetal
[Baremetal] Fix single-EC documentation
2019-07-29 11:59:12 +02:00
Manuel Pégourié-Gonnard
7c575d29dc
Merge pull request #605 from ARMmbed/x509_ondemand_remove_unneeded_fields
[Baremetal] Allow removal of unneeded fields in X.509 CRT structures
2019-07-29 11:58:58 +02:00
Manuel Pégourié-Gonnard
7d33b7e2b9
Merge pull request #610 from ARMmbed/delay_alerts-baremetal
[Baremetal] Delay sending alerts
2019-07-29 11:58:44 +02:00
Manuel Pégourié-Gonnard
b3bb31bd90 Introduce getter function for disable_renego 2019-07-26 16:37:45 +02:00
Manuel Pégourié-Gonnard
14e2a8ac06 Fix a typo in a comment 2019-07-26 16:31:53 +02:00
Hanno Becker
fcb721d733 Correct documentation on use of alert pending 2019-07-26 12:47:16 +01:00
Hanno Becker
dd69119b32
Update include/mbedtls/ssl_internal.h
Mention where an internal function is defined instead of just saying that it's internal.

Co-Authored-By: Gilles Peskine <gilles.peskine@arm.com>
2019-07-26 09:59:18 +01:00
Hanno Becker
2736d1983c Fix and improve documentation of MBEDTLS_SSL_CONF_SINGLE_EC 2019-07-26 07:53:39 +01:00
Hanno Becker
42a6b04c4a Don't forget about pending alerts after ssl_get_next_record()
ssl_get_next_record() may pend fatal alerts in response to receiving
invalid records. Previously, however, those were never actually sent
because there was no code-path checking for pending alerts.

This commit adds a call to ssl_send_pending_fatal_alert() after
the invocation of ssl_get_next_record() to fix this.
2019-07-26 07:25:20 +01:00
Hanno Becker
b82350b25f Introduce helper function to send pending fatal alerts 2019-07-26 07:25:02 +01:00
Hanno Becker
0a4c78f7c2 Add --debug option to baremetal.sh 2019-07-25 15:49:17 +01:00
Darryl Green
64b4b6e35e Change worktree_rev to HEAD for rev-parse
Due to how the checking script is run in docker, worktree_rev is
ambiguous when running rev-parse. We're running it in the checked
out worktree, so we can use HEAD instead, which is unambiguous.
2019-07-25 14:38:55 +01:00
Hanno Becker
50d53212ef Document mbedtls_ssl_context::pending_fatal_alert_msg 2019-07-25 12:59:24 +01:00
Hanno Becker
c8f529995f Rename pend_alert_msg -> pending_fatal_alert_msg 2019-07-25 12:59:24 +01:00
Hanno Becker
d829d0fbd0 Remove return value from mbedtls_ssl_pend_fatal_alert()
This function is often called when there's already an error code to handle,
and one of the reasons to introduce the pending of alerts was to _not_ have
another potential error code to take care of. Reflect this by making `void`
the return type of `mbedtls_ssl_pend_fatal_alert()`.
2019-07-25 12:59:24 +01:00
Hanno Becker
eeabfa460c Note that mbedtls_ssl_pend_fatal_alert() must only be called once 2019-07-25 12:59:17 +01:00
Hanno Becker
2e8d133ebf Reintroduce return code checking when sending NoRenego alert 2019-07-25 12:58:48 +01:00
Hanno Becker
3caf7189f9 Remove field to store level of pending alert
Pending alerts is so far only used for fatal alerts.
2019-07-25 12:58:44 +01:00
Hanno Becker
de62da9d3c Use separate functions to pend fatal and non-fatal alerts 2019-07-24 13:45:35 +01:00
Hanno Becker
1f5a793124 Use attribute always_inline only for GCC and ARM compiler 2019-07-24 13:20:42 +01:00
Hanno Becker
1facd552fc Replace xxx_send_alert by xxx_pend_alert to save code 2019-07-24 13:20:27 +01:00
Hanno Becker
f46e1ce812 Introduce SSL helper function to mark pending alerts 2019-07-24 13:20:27 +01:00
Manuel Pégourié-Gonnard
7af7375473 Fix MSVC warning
We know the length of the ALPN string is always less than 255, so the cast to
uint8_t is safe.
2019-07-24 00:58:27 +02:00
Manuel Pégourié-Gonnard
2cc9223a3b Fix compile error in reduced configurations
Found by running scripts/baremetal.h --rom --gcc --check after adding
MBEDTLS_SSL_CONTEXT_SERIALIZATION to baremetal.h
2019-07-23 17:22:39 +02:00
Simon Butcher
3b014fc23a Merge remote-tracking branch 'origin/pr/604' into baremetal 2019-07-23 16:16:24 +01:00
Simon Butcher
6fe6b437da Merge remote-tracking branch 'origin/pr/589' into baremetal 2019-07-23 16:10:56 +01:00
Simon Butcher
c0b3633194 Merge remote-tracking branch 'origin/pr/627' into baremetal 2019-07-23 16:06:07 +01:00
Simon Butcher
25b5579a09 Merge remote-tracking branch 'origin/pr/626' into baremetal 2019-07-23 16:03:21 +01:00
Manuel Pégourié-Gonnard
7ce9446e4c Avoid duplication of session format header 2019-07-23 17:02:11 +02:00
Manuel Pégourié-Gonnard
a7cd4830ee Implement config-checking header to context s11n
Modelled after the config-checking header from session s11n.

The list of relevant config flags was established by manually checking the
fields serialized in the format, and which config.h flags they depend on.
This probably deserves double-checking by reviewers.
2019-07-23 17:02:10 +02:00
Manuel Pégourié-Gonnard
4c1d06e429 Provide serialisation API only if it's enabled 2019-07-23 17:02:10 +02:00
Manuel Pégourié-Gonnard
73a4636ca4 Adapt to hardcoded single version 2019-07-23 17:02:10 +02:00
Manuel Pégourié-Gonnard
2f3fa62a0a Fix compiler warning: comparing signed to unsigned
Since the type of cid_len is unsigned but shorter than int, it gets
"promoted" to int (which is also the type of the result), unless we make the
other operand an unsigned int which then forces the expression to unsigned int
as well.
2019-07-23 17:02:10 +02:00
Manuel Pégourié-Gonnard
bc847caa33 Actually reset the context on save as advertised
Also fix some wording in the documentation while at it.
2019-07-23 17:02:10 +02:00
Manuel Pégourié-Gonnard
ff22200fab Re-use buffer allocated by handshake_init()
This fixes a memory leak as well (found by running ssl-opt.sh in an Asan
build).
2019-07-23 17:02:10 +02:00