Manuel Pégourié-Gonnard
11331fc25b
First working dirty version
...
- uses too much resources
- wrong API
2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
9650205df7
Start detecting epoch 0 ClientHellos
2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
7f2f062a5d
Fix possible client crash on API misuse
2015-09-07 12:27:24 +02:00
Manuel Pégourié-Gonnard
aac5502553
Bump version to 2.1.0
2015-09-04 14:33:31 +02:00
Manuel Pégourié-Gonnard
37ff14062e
Change main license to Apache 2.0
2015-09-04 14:21:07 +02:00
Simon Butcher
52754594b6
Merging iotssl-457-badtail with development branch
2015-09-03 13:06:01 +01:00
Manuel Pégourié-Gonnard
fdbdd72b8b
Skip to trusted certs early in the chain
...
This helps in the case where an intermediate certificate is directly trusted.
In that case we want to ignore what comes after it in the chain, not only for
performance but also to avoid false negatives (eg an old root being no longer
trusted while the newer intermediate is directly trusted).
closes #220
2015-09-01 17:24:42 +02:00
Manuel Pégourié-Gonnard
4d04cdcd12
Fix RSA mutex fix
...
Once the mutex is acquired, we must goto cleanup rather that return.
Since cleanup adjusts the return value, adjust that in test cases.
Also, at cleanup we don't want to overwrite 'ret', or we'll loose track of
errors.
see #257
2015-08-31 09:31:55 +02:00
Manuel Pégourié-Gonnard
1385a289f4
Fix possible mutex lock/unlock mismatch
...
fixes #257
2015-08-27 11:30:58 +02:00
Manuel Pégourié-Gonnard
e578b1c79a
Relax timing_self_test for windows idiosyncrasies
2015-08-18 20:11:48 +02:00
Manuel Pégourié-Gonnard
c98204e68f
Fix missing break in switch for SSL presets
...
closes #235
2015-08-11 04:21:01 +02:00
Manuel Pégourié-Gonnard
91bbfb6fb7
Make timing selftest less sensitive
...
- allow up to 12.5% security/error margin
- use larger delays
- this avoid the security/error margin being too low
The test used to fail about 1 out of 6 times on some buildbots VMs, but never
failed on the physical machines used for development.
2015-08-10 14:33:12 +02:00
Manuel Pégourié-Gonnard
ed46c436c0
Fix error when loading libmbedtls.so
2015-08-10 10:17:32 +02:00
Manuel Pégourié-Gonnard
111ce9f735
Fix build error with shared libraries for windows
2015-08-07 12:07:16 +02:00
Manuel Pégourié-Gonnard
8018c28600
Add -static-libgcc for Windows dll builds
2015-08-07 11:55:56 +02:00
Manuel Pégourié-Gonnard
620ee19823
Fix return of x509_self_test without SHA-1
...
No being able to run the test is not a failure
2015-08-07 10:57:47 +02:00
Manuel Pégourié-Gonnard
d1004f02e6
Fix printed output of some selftests
2015-08-07 10:57:41 +02:00
Manuel Pégourié-Gonnard
0a8857435c
DTLS: treat bad MAC on Finished as an error
...
This is not required nor recommended by the protocol, and it's a layering
violation, but it's a know flaw in the protocol that you can't detect a PSK
auth error in any other way, so it is probably the right thing to do.
closes #227
2015-08-04 12:11:17 +02:00
Manuel Pégourié-Gonnard
052d10c9d5
Accept a trailing space at end of PEM lines
...
With certs being copy-pasted from webmails and all, this will probably become
more and more common.
closes #226
2015-07-31 11:11:26 +02:00
Manuel Pégourié-Gonnard
6fb8187279
Update date in copyright line
2015-07-28 17:11:58 +02:00
Simon Butcher
10a6f02f83
Merge branch 'development' into IOTSSL-442-hello-noext
...
Conflicts:
ChangeLog
2015-07-27 13:45:40 +01:00
Manuel Pégourié-Gonnard
6f42417ba8
Fix typo in that broke installation in cmake
...
closes #221
2015-07-24 16:55:22 +02:00
Manuel Pégourié-Gonnard
4cc8c63226
Add test for extensionless ClientHello
2015-07-23 12:24:03 +02:00
Manuel Pégourié-Gonnard
a6e5bd5654
Fix bug with extension-less ServerHello
...
https://tls.mbed.org/discussions/bug-report-issues/server-hello-parsing-bug
in_hslen include the length of the handshake header. (We might want to change
that in the future, as it is a bit annoying.)
2015-07-23 12:23:19 +02:00
Manuel Pégourié-Gonnard
cb0d212c97
Fix level of some debug messages
2015-07-22 11:52:11 +02:00
Manuel Pégourié-Gonnard
b076116e14
Fix one debug message
2015-07-22 11:39:23 +02:00
Manuel Pégourié-Gonnard
1bab7d7064
Fix blank line in comments
2015-07-13 09:06:18 +01:00
Paul Bakker
4cb87f409d
Prepare for 2.0.0 release
2015-07-10 14:09:43 +01:00
Manuel Pégourié-Gonnard
fc2ccfe72c
Fix missing comma with ENTROPY_HARDWARE_ALT
2015-07-10 11:15:50 +01:00
Manuel Pégourié-Gonnard
a4f055fe0c
Some windows environments don't have _snprint_s
...
Do an alternative version for them.
That happens for example with our windows buildbot with mingw32-make.
2015-07-08 17:35:37 +02:00
Manuel Pégourié-Gonnard
20af64dc2c
Still need to #define inline for MSVC
...
I only tested with VS2015 earlier, but previous versions apparently still
don't know that standard C99 keyword though it's documented on MSDN...
2015-07-07 23:21:30 +02:00
Manuel Pégourié-Gonnard
e540b49a3f
Add one more debug message
2015-07-07 12:44:38 +02:00
Manuel Pégourié-Gonnard
b4b19f395f
Add a debug message
2015-07-07 11:41:21 +02:00
Manuel Pégourié-Gonnard
001f2b6246
Use xxx_clone() instead of memcpy() in SSL
2015-07-06 16:54:51 +02:00
Manuel Pégourié-Gonnard
c0bf01e8d2
Undo overzealous renaming of internal variables
...
The rename script couldn't know it was a local variable with the same name as
on of the global functions
2015-07-06 16:26:23 +02:00
Manuel Pégourié-Gonnard
052a6c9cfe
Add mbedtls_md_clone()
2015-07-06 16:06:02 +02:00
Manuel Pégourié-Gonnard
16d412f465
Add md/shaXXX_clone() API
...
Will be used in the SSL/TLS modules
2015-07-06 15:48:34 +02:00
Manuel Pégourié-Gonnard
b9d64e5bbe
Fix missing calls to md/shaxxx_free()
2015-07-06 14:18:56 +02:00
Manuel Pégourié-Gonnard
71d296a15d
Add missing calls to _free() in md_wrap
...
We can't just assume xxx_free() will only zeroize, because of alternative
implementations
2015-07-06 11:36:25 +02:00
Manuel Pégourié-Gonnard
5791109707
Make the hardclock test optional
...
Known to fail on VMs (such as the buildbots), see eg
http://blog.badtrace.com/post/rdtsc-x86-instruction-to-detect-vms/
2015-07-01 19:22:12 +02:00
Manuel Pégourié-Gonnard
9bd0afdb22
Add guards for closed socket in net.c
...
This is particularly problematic when calling FD_SET( -1, ... ), but let's
check it in all functions.
This was introduced with the new API and the fact the net_free() now sets the
internal fd to -1 in order to mark it as closed: now using this information.
2015-07-01 19:03:27 +02:00
Manuel Pégourié-Gonnard
2505528be4
Rm obsolete defines for inline wiht MSVC
...
The "inline" keyword is supported since Visual Studio 2005 according to MSDN,
and we require Visual Studio 2010 or higher.
2015-07-01 17:22:36 +02:00
Manuel Pégourié-Gonnard
636741b176
Remove obsolete hacks for uin32_t
...
We now require support for stdint.h from the compiler.
2015-07-01 17:13:05 +02:00
Manuel Pégourié-Gonnard
9de64f5af1
Fix MSVC warnings in library and programs
2015-07-01 16:56:08 +02:00
Manuel Pégourié-Gonnard
acecb653d5
Fix mbedtls_net_usleep() on Windows
...
For some reason select() doesn't seem to work.
2015-07-01 12:00:56 +02:00
Manuel Pégourié-Gonnard
abc729e664
Simplify net_accept() with UDP sockets
...
This is made possible by the new API where net_accept() gets a pointer to
bind_ctx, so it can update it.
2015-07-01 01:28:24 +02:00
Manuel Pégourié-Gonnard
db2468d7aa
Update old comment
2015-06-30 17:19:48 +02:00
Manuel Pégourié-Gonnard
3d7d00ad23
Rename mbedtls_net_close() to mbedtls_net_free()
...
close() may be more meaningful, but free() is symmetric with _init(), and more
consistent with all other modules
2015-06-30 16:50:37 +02:00
Manuel Pégourié-Gonnard
91895853ac
Move from naked int to a structure in net.c
...
Provides more flexibility for future changes/extensions.
2015-06-30 15:56:25 +02:00
Manuel Pégourié-Gonnard
16a17a496c
Fix net_accept() for UDP sockets on Windows
...
On Windows, recvfrom() returns an error code if the destination buffer is too
small to hold the next datagram.
2015-06-30 11:31:10 +02:00
Manuel Pégourié-Gonnard
a16e7c468c
Rename a debug function
2015-06-29 20:14:19 +02:00
Manuel Pégourié-Gonnard
80d627a5ae
Remove now useless function
2015-06-29 20:12:51 +02:00
Manuel Pégourié-Gonnard
b74c245a20
Rework debug to not need dynamic alloc
...
But introduces dependency on variadic macros
2015-06-29 20:08:23 +02:00
Manuel Pégourié-Gonnard
fa67ebaebb
Fix X.509 keysize check with multiple CAs
...
Assume we have two trusted CAs with the same name, the first uses ECDSA 256
bits, the second RSA 2048; cert is signed by the second. If we do the keysize
check before we checked the key types match, we'll raise the badkey flags when
checking the EC-256 CA and it will remain up even when we finally find the
correct CA. So, move the check for the key size after signature verification,
which implicitly checks the key type.
2015-06-27 14:41:38 +02:00
Manuel Pégourié-Gonnard
f659d2cd40
Tune up Windows snprintf() support
...
When we build with Visual Studio in debug mode, the invalid parameter handler
aborts the application (and offers to debug it) when n is 0. We want to
just return -1 instead (as calls with n == 0 are expected and happen in our
tests).
2015-06-26 17:45:00 +02:00
Manuel Pégourié-Gonnard
e1d34d1707
cmake: add shortcut 'lib' for all libraries
...
Name chosen to match the existing make target.
2015-06-25 14:53:13 +02:00
Manuel Pégourié-Gonnard
574ae18088
Fix stupid typo that broke make SHARED=1
2015-06-25 14:30:51 +02:00
Manuel Pégourié-Gonnard
147be4f315
Rm old variable from (c)make files
2015-06-25 11:57:13 +02:00
Manuel Pégourié-Gonnard
752c501126
One soversion per library
2015-06-25 11:56:17 +02:00
Manuel Pégourié-Gonnard
c7781addcb
Split library in CMake
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
ba2c8763b6
cmake: adjust libraries linking
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
216a1831de
Fix whitespace in CMakeLists.txt
...
- all spaces no tabs
- indent with 4 spaces everywhere
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
cde2aba0af
Do no test net_usleep in timing_selftest
...
Timing belongs in libcrypto (due to havege depending on it)
while net.c was put in libtls (only test ssl servers use it)
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
53585eeb17
Remove test DHM params from certs.c
...
certs.c belongs to the X.509 library, while DHM belongs to the crypto lib.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
0761733c1b
Fix potential NULL dereference
...
We document that either of recv or recv_timeout may be NULL, but for TLS we
always used recv... Thanks Coverity for catching that.
(Not remotely trigerrable: local configuration.)
Also made me notice net_recv_timeout didn't do its job properly.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
dba460f2f3
Add SSL "assertion" to help static analysis
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
1cf7b30dc8
Rewrite test to make Coverity happier
...
With the default config, it noticed the accept_comp was always 0, so the rest
of the test was dead code.
2015-06-25 10:59:56 +02:00
Manuel Pégourié-Gonnard
5c59a4fea5
Split libs with make + general make cleanups
2015-06-25 10:59:56 +02:00
Manuel Pégourié-Gonnard
21dcc1e748
fixup
2015-06-25 10:59:56 +02:00
Manuel Pégourié-Gonnard
463e09d64b
Prepare library split
2015-06-24 12:05:33 +02:00
Manuel Pégourié-Gonnard
bae389b4d4
Fix uninitialized access
...
Found using Codenomicon Defensics.
2015-06-24 10:47:33 +02:00
Manuel Pégourié-Gonnard
bcc030849a
Avoid fclose( NULL )
...
Found by Coverity Scan.
2015-06-24 00:09:29 +02:00
Manuel Pégourié-Gonnard
fd474233c8
Change SSL debug API in the library
2015-06-23 18:44:11 +02:00
Manuel Pégourié-Gonnard
79c4e3ee59
Rm obsolete comments
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
b86145e6cd
Avoid potential NULL dereference.
...
May happen with a faulty configuration (eg no allowed curve but trying to use
ECDHE key exchange), but not trigger able remotely.
(Found with Clang's scan-build.)
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
14bf7063b9
Add SSL "assertions" to help static analyzers
...
scan-build was reporting NULL dereferences
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
b9c93d0d0a
Fix earlier incomplete change in RSA PMS reading
...
Probably a bad merge from the 1.3 branch
2015-06-23 18:43:53 +02:00
Manuel Pégourié-Gonnard
19389753c8
Avoid dead stores (makes scan-build happier)
2015-06-23 13:46:44 +02:00
Manuel Pégourié-Gonnard
c0d749418b
Make 'port' a string in NET module
...
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
d23f593737
Avoid static buffer in debug module
...
Caused issues in threading situations
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
96fb685e31
Some more init calls
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
496f24e949
Deduplicate SHA-2 wrappers
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
ab5932192a
Call init functions in MD alloc wrappers
...
When someone defines MBEDTLS_MD5_ALT for example, the init function may need
to do more that just zeroizing the context
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
1cd10adc7c
Update prototype of x509write_set_key_usage()
...
Allow for future support of decipherOnly and encipherOnly. Some work will be
required to ensure we still write only one byte when only one is needed.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
655a964539
Adapt check_key_usage to new weird bits
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9a702255f4
Add parsing/printing for new X.509 keyUsage flags
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
b80d16d171
Fix return convention of x509_wildcard_verify()
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
07894338a0
Rename M255 to Curve25519
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
7320eb46d4
Remove references to some Montgomery curves
...
After all it looks like those won't become standard.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9386664543
Move from inttypes.h to stdint.h
...
Some toolchains do not have inttypes.h, and we only need stdint.h which is a
subset of it.
2015-06-22 23:41:26 +02:00
Manuel Pégourié-Gonnard
e7e89844d6
Fix and document corner-cases of time checking
2015-06-22 23:41:24 +02:00
Manuel Pégourié-Gonnard
57e10d71be
Fix potential NULL dereference.
...
Introduced when moving from gmtime_r() to gmtime().
Found with fbinfer.
2015-06-22 23:40:44 +02:00
Manuel Pégourié-Gonnard
f9b85d96a9
Fix potential resource leak in X.509 parse dir
...
Found with fbinfer.
2015-06-22 18:39:57 +02:00
Manuel Pégourié-Gonnard
bcf13bab5d
Fix issue with MemSan and entropy
...
Due to the recent change about entropy sources strength, it is no longer
acceptable to just disable the platform source. So, instead "fix" it so that
it is clear to MemSan that memory is initialized.
I tried __attribute__((no_sanitize_memory)) and MemSan's blacklist file, but
couldn't seem to get them to work.
2015-06-22 18:25:41 +02:00
Manuel Pégourié-Gonnard
cdc26ae099
Add mbedtls_ssl_set_hs_authmode
...
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
9dbaf400ef
Rationalize other snprintf() uses
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
1685368408
Rationalize snprintf() usage in X.509 modules
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
6c0c8e0d3d
Include fixed snprintf for Windows in platform.c
...
Use _WIN32 to detect it rather that _MSC_VER as it turns out MSYS2 uses the
broken MS version by default too.
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
f9cbd73191
Update generated files
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
7580ba475d
Add a concept of entropy source strength.
...
The main goal is, we want and error if cycle counter is the only source.
2015-06-22 14:40:56 +02:00