Manuel Pégourié-Gonnard
47229c7cbb
Disable MD5 in handshake signatures by default
2015-12-04 15:02:56 +01:00
Manuel Pégourié-Gonnard
e2e25e7427
DTLS: avoid dropping too many records
...
When the peer retransmits a flight with many record in the same datagram, and
we already saw one of the records in that datagram, we used to drop the whole
datagram, resulting in interoperability failure (spurious handshake timeouts,
due to ignoring record retransmitted by the peer) with some implementations
(issues with Chrome were reported).
So in those cases, we want to only drop the current record, and look at the
following records (if any) in the same datagram. OTOH, this is not something
we always want to do, as sometime the header of the current record is not
reliable enough.
This commit introduces a new return code for ssl_parse_header() that allows to
distinguish if we should drop only the current record or the whole datagram,
and uses it in mbedtls_ssl_read_record()
fixes #345
2015-12-03 16:13:17 +01:00
Manuel Pégourié-Gonnard
bd3639852c
Merge branch 'iotssl-519-asn1write-overflows-restricted' into development-restricted
...
* iotssl-519-asn1write-overflows-restricted:
Fix other int casts in bounds checking
Fix other occurrences of same bounds check issue
Fix potential buffer overflow in asn1write
2015-11-02 11:07:30 +09:00
Manuel Pégourié-Gonnard
f8b2442e2f
Merge branch 'iotssl-517-double-free-restricted' into development-restricted
...
* iotssl-517-double-free-restricted:
Fix potential double-free in ssl_conf_psk()
2015-11-02 11:03:32 +09:00
Simon Butcher
204606238c
Merge branch 'development' into misc
2015-10-27 16:57:34 +00:00
Simon Butcher
459a950f31
Fixed typo in comment
2015-10-27 16:09:03 +00:00
Simon Butcher
62aab15085
Merge branch 'development' into iotssl-513-alerts
2015-10-27 16:05:34 +00:00
Simon Butcher
e357a64355
Merge pull request #328 from ARMmbed/iotssl-461-ecjpake-finalization
...
Iotssl 461 ecjpake finalization
2015-10-27 00:08:31 +00:00
Manuel Pégourié-Gonnard
fbdf06c1a4
Fix handling of non-fatal alerts
...
fixes #308
2015-10-23 13:11:31 +02:00
Manuel Pégourié-Gonnard
e5f3072aed
Fix #ifdef inconsistency
...
fixes #310
Actually all key exchanges that use a certificate use signatures too, and
there is no key exchange that uses signatures but no cert, so merge those two
flags.
2015-10-23 08:40:23 +02:00
Manuel Pégourié-Gonnard
bc5e508855
Fix other int casts in bounds checking
...
Not a security issue as here we know the buffer is large enough (unless
something else if badly wrong in the code), and the value cast to int is less
than 2^16 (again, unless issues elsewhere).
Still changing to a more correct check as a matter of principle
2015-10-21 12:51:16 +02:00
Manuel Pégourié-Gonnard
cdea97c1c3
Remove useless code
...
closes #321
2015-10-20 20:06:36 +02:00
Manuel Pégourié-Gonnard
173c790722
Fix potential double-free in ssl_conf_psk()
2015-10-20 19:56:45 +02:00
Manuel Pégourié-Gonnard
fadacb9d0b
Merge branch 'development' into iotssl-461-ecjpake-finalization
...
* development: (73 commits)
Bump yotta dependencies version
Fix typo in documentation
Corrected misleading fn description in ssl_cache.h
Corrected URL/reference to MPI library
Fix yotta dependencies
Fix minor spelling mistake in programs/pkey/gen_key.c
Bump version to 2.1.2
Fix CVE number in ChangeLog
Add 'inline' workaround where needed
Fix references to non-standard SIZE_T_MAX
Fix yotta version dependencies again
Upgrade yotta dependency versions
Fix compile error in net.c with musl libc
Add missing warning in doc
Remove inline workaround when not useful
Fix macroization of inline in C++
Changed attribution for Guido Vranken
Merge of IOTSSL-476 - Random malloc in pem_read()
Fix for IOTSSL-473 Double free error
Fix potential overflow in CertificateRequest
...
Conflicts:
include/mbedtls/ssl_internal.h
library/ssl_cli.c
2015-10-20 15:00:29 +02:00
Manuel Pégourié-Gonnard
5674a9797a
Fix compilers warnings in reduced configs
2015-10-19 15:14:03 +02:00
Manuel Pégourié-Gonnard
024b6df3b1
Improve key export API and documentation
...
- "master secret" is the usual name
- move key block arg closer to the related lengths
- document lengths
Also fix some trailing whitespace while at it
2015-10-19 13:52:53 +02:00
Simon Butcher
fec73a8eec
Merge of fix for IOTSSL-481 - Double free
...
Potential double free in mbedtls_ssl_conf_psk()
2015-10-05 10:40:31 +01:00
Simon Butcher
5b8d1d65f7
Fix for IOTSSL-473 Double free error
...
Fix potential double-free in mbedtls_ssl_set_hs_psk(.)
2015-10-04 22:06:51 +01:00
Robert Cragie
4feb7ae8c2
Added key export API
2015-10-02 13:33:37 +01:00
Manuel Pégourié-Gonnard
ef388f168d
Merge branch 'development' into development-restricted
...
* development:
Updated ChangeLog with credit
Fix a fairly common typo in comments
Make config check include for configs examples more consistent
2015-10-02 12:44:39 +02:00
Simon Butcher
9f81231fb8
Revised hostname length check from review
2015-09-28 19:22:33 +01:00
Manuel Pégourié-Gonnard
24417f06fe
Fix potential double-free in mbedtls_ssl_conf_psk()
2015-09-28 18:09:45 +02:00
Simon Butcher
89f77623b8
Added max length checking of hostname
2015-09-27 22:50:49 +01:00
Tillmann Karras
588ad50c5a
Fix a fairly common typo in comments
2015-09-25 04:27:22 +02:00
Manuel Pégourié-Gonnard
77c0646ef2
Add cache for EC J-PAKE client extension
...
Not used yet, just add the variables and cleanup code.
2015-09-17 13:59:49 +02:00
Manuel Pégourié-Gonnard
25dbeb002d
Skip certificate-related messages with ECJPAKE
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
eef142d753
Depend on ECJPAKE key exchange, not module
...
This is more consistent, as it doesn't make any sense for a user to be able to
set up an EC J-PAKE password with TLS if the corresponding key exchange is
disabled.
Arguably this is what we should de for other key exchanges as well instead of
depending on ECDH_C etc, but this is an independent issue, so let's just do
the right thing with the new key exchange and fix the other ones later. (This
is a marginal issue anyway, since people who disable all ECDH key exchange are
likely to also disable ECDH_C in order to minimize footprint.)
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
557535d8c4
Add ECJPAKE key exchange
2015-09-16 22:58:29 +02:00
Simon Butcher
5793e7ef01
Merge 'development' into iotssl-411-port-reuse
...
Conflicts:
ChangeLog
2015-09-16 15:25:53 +01:00
Manuel Pégourié-Gonnard
7002f4a560
Add mbedtls_ssl_set_hs_ecjpake_password()
2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
76cfd3f97f
Add EC J-PAKE context in handshake structure
2015-09-15 18:24:08 +02:00
Manuel Pégourié-Gonnard
ea5370d4a2
Don't allow reconnect during handshake
...
Especially for resumed handshake, it's entirely possible for an epoch=0
ClientHello to be retransmitted or arrive so late that the server is already
at epoch=1. There is no good way to detect whether it's that or a reconnect.
However:
- a late ClientHello seems more likely that client going down and then up
again in the middle of a handshake
- even if that's the case, we'll time out on that handshake soon enough
- we don't want to break handshake flows that used to work
So the safest option is to not treat that as a reconnect.
2015-09-15 15:17:54 +02:00
Simon Butcher
d0bf6a3891
Update ssl_tls.c
...
Clarification in comments
2015-09-11 17:34:49 +01:00
Simon Butcher
74ca8d07ad
Update ssl_tls.c
...
Clarification in comments to ssl_handle_possible_reconnect()
2015-09-11 17:22:40 +01:00
Simon Butcher
0789aed39d
Update ssl_tls.c
...
Typo
2015-09-11 17:15:17 +01:00
Manuel Pégourié-Gonnard
ddfe5d20d1
Tune dependencies
...
Don't depend on srv.c in config.h, but add explicit checks. This is more
in line with other options that only make sense server-side, and also it
allows to test full config minus srv.c more easily.
2015-09-09 12:46:16 +02:00
Manuel Pégourié-Gonnard
2ed05a049a
Fix typos
2015-09-09 11:52:28 +02:00
Manuel Pégourié-Gonnard
62c74bb78a
Stop wasting resources
...
Use a custom function that minimally parses the message an creates a reply
without the overhead of a full SSL context.
Also fix dependencies: needs DTLS_HELLO_VERIFY for the cookie types, and let's
also depend on SRV_C as is doesn't make sense on client.
2015-09-09 11:22:52 +02:00
Nicholas Wilson
2088e2ebd9
fix const-ness of argument to mbedtls_ssl_conf_cert_profile
...
Otherwise, it's impossible to pass in a pointer to
mbedtls_x509_crt_profile_next!
2015-09-08 16:53:18 +01:00
Manuel Pégourié-Gonnard
3f09b6d4c2
Fix API
2015-09-08 11:58:14 +02:00
Manuel Pégourié-Gonnard
be619c1264
Clean up error codes
2015-09-08 11:21:21 +02:00
Manuel Pégourié-Gonnard
11331fc25b
First working dirty version
...
- uses too much resources
- wrong API
2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
9650205df7
Start detecting epoch 0 ClientHellos
2015-09-08 10:39:06 +02:00
Manuel Pégourié-Gonnard
37ff14062e
Change main license to Apache 2.0
2015-09-04 14:21:07 +02:00
Simon Butcher
ed51594337
Merge pull request #265 from ARMmbed/iotssl-460-bugfixes
...
Iotssl 460 bugfixes
2015-09-02 23:36:36 +01:00
Manuel Pégourié-Gonnard
f81ee2eba8
Add NULL checks to top-level SSL functions
...
On normal use these should never be useful, but if the application has issues,
it's best for us to return an error than to crash.
2015-09-01 17:43:40 +02:00
Manuel Pégourié-Gonnard
a2cda6bfaf
Add mbedtls_ssl_get_max_frag_len()
...
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
c6b5d833ec
Fix handling of long PSK identities
...
fixes #238
2015-08-31 10:34:26 +02:00
Manuel Pégourié-Gonnard
ea35666f50
Fix -Wshadow warnings
...
Checked that it is supported by gcc 4.2.1 (FreeBSD 9).
fixes #240
2015-08-31 10:34:26 +02:00
Manuel Pégourié-Gonnard
c98204e68f
Fix missing break in switch for SSL presets
...
closes #235
2015-08-11 04:21:01 +02:00
Manuel Pégourié-Gonnard
0a8857435c
DTLS: treat bad MAC on Finished as an error
...
This is not required nor recommended by the protocol, and it's a layering
violation, but it's a know flaw in the protocol that you can't detect a PSK
auth error in any other way, so it is probably the right thing to do.
closes #227
2015-08-04 12:11:17 +02:00
Manuel Pégourié-Gonnard
6fb8187279
Update date in copyright line
2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
cb0d212c97
Fix level of some debug messages
2015-07-22 11:52:11 +02:00
Manuel Pégourié-Gonnard
001f2b6246
Use xxx_clone() instead of memcpy() in SSL
2015-07-06 16:54:51 +02:00
Manuel Pégourié-Gonnard
c0bf01e8d2
Undo overzealous renaming of internal variables
...
The rename script couldn't know it was a local variable with the same name as
on of the global functions
2015-07-06 16:26:23 +02:00
Manuel Pégourié-Gonnard
b9d64e5bbe
Fix missing calls to md/shaxxx_free()
2015-07-06 14:18:56 +02:00
Manuel Pégourié-Gonnard
9de64f5af1
Fix MSVC warnings in library and programs
2015-07-01 16:56:08 +02:00
Manuel Pégourié-Gonnard
0761733c1b
Fix potential NULL dereference
...
We document that either of recv or recv_timeout may be NULL, but for TLS we
always used recv... Thanks Coverity for catching that.
(Not remotely trigerrable: local configuration.)
Also made me notice net_recv_timeout didn't do its job properly.
2015-06-25 10:59:57 +02:00
Manuel Pégourié-Gonnard
fd474233c8
Change SSL debug API in the library
2015-06-23 18:44:11 +02:00
Manuel Pégourié-Gonnard
79c4e3ee59
Rm obsolete comments
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
14bf7063b9
Add SSL "assertions" to help static analyzers
...
scan-build was reporting NULL dereferences
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
cdc26ae099
Add mbedtls_ssl_set_hs_authmode
...
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
12ad798c87
Rename ssl_session.length to id_len
2015-06-18 15:50:37 +02:00
Manuel Pégourié-Gonnard
898e0aa210
Rename key_length in cipher_info
2015-06-18 15:31:10 +02:00
Manuel Pégourié-Gonnard
b31c5f68b1
Add SSL presets.
...
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard
7bfc122703
Implement sig_hashes
2015-06-17 14:34:48 +02:00
Manuel Pégourié-Gonnard
36a8b575a9
Create API for mbedtls_ssl_conf_sig_hashes().
...
Not implemented yet.
2015-06-17 14:27:39 +02:00
Manuel Pégourié-Gonnard
9d412d872c
Small internal changes in curve checking
...
- switch from is_acceptable to the more usual check
- add NULL check just in case user screwed up config
2015-06-17 14:27:39 +02:00
Manuel Pégourié-Gonnard
b541da6ef3
Fix define for ssl_conf_curves()
...
This is a security feature, it shouldn't be optional.
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
6e3ee3ad43
Add mbedtls_ssl_conf_cert_profile()
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
bd990d6629
Add ssl_conf_dhm_min_bitlen()
2015-06-17 11:37:04 +02:00
Manuel Pégourié-Gonnard
3335205a21
Avoid in-out length in dhm_calc_secret()
2015-06-02 16:17:08 +01:00
Manuel Pégourié-Gonnard
cb46fd8216
Avoid non-standard strcasecmp()
2015-05-29 10:18:09 +02:00
Manuel Pégourié-Gonnard
6a8ca33fa5
Rename ERR_xxx_MALLOC_FAILED to ..._ALLOC_FAILED
2015-05-28 16:25:05 +02:00
Manuel Pégourié-Gonnard
1b8de57827
Remove a few redundant memset after calloc.
...
Using the following semantic patch provided by Mansour Moufid:
@@
expression x;
@@
x = mbedtls_calloc(...)
...
- memset(x, 0, ...);
2015-05-27 16:58:55 +02:00
Manuel Pégourié-Gonnard
b2a18a2a98
Remove references to malloc in strings/names
2015-05-27 16:58:55 +02:00
Manuel Pégourié-Gonnard
7551cb9ee9
Replace malloc with calloc
...
- platform layer currently broken (not adapted yet)
- memmory_buffer_alloc too
2015-05-26 16:04:06 +02:00
Manuel Pégourié-Gonnard
5e94ddebbc
Create ssl_internal.h and move some functions
2015-05-26 11:57:05 +02:00
Manuel Pégourié-Gonnard
e057d3bf6b
Relax some dependencies
...
- DTLS_HELLO_VERIFY no longer depends on SRV_C
- SSL_COOKIE_C no longer depends on DTLS_HELLO_VERIFY
Not that much work for us, and easier on users (esp. since it allows just
disabling SRV_C alone).
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
b596abfdc0
Refine cli/srv ifdefs for session tickets
...
- Only the server needs to generate/parse tickets
- Only the client needs to store them
Also adjust prototype of ssl_conf_session_tickets() while at it.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
cf141ca7e7
Fix #ifdefs on ssl_cli.c or ssl_srv.c
...
Nothing to do with the current branch except I'm going to refine such #ifdefs
for tickets next and I want to start from a clean state
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
d59675d92c
Move to callback for session tickets
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
b0394bebdb
Further adapt prototypes of ticket functions
...
Moving everything in ticket_keys structure, that will soon become
ticket_context.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
151dc77732
Fix some old names that remained
...
- most in doxygen doc that was never renamed
- some re-introduced in comments/doc/strings by me
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
8473f87984
Rename cipher_init_ctx() to cipher_setup()
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
0de074fbc1
Use rarely used conf function to cover them
2015-05-14 12:58:01 +02:00
Manuel Pégourié-Gonnard
66dc5555f0
mbedtls_ssl_conf_arc4_support() depends on ARC4_C
2015-05-14 12:31:10 +02:00
Manuel Pégourié-Gonnard
6ab9b009cd
Fix warnings from armcc
2015-05-14 11:37:52 +02:00
Manuel Pégourié-Gonnard
545102ef1d
No timer -> to timeout (optional for TLS)
2015-05-13 17:31:48 +02:00
Manuel Pégourié-Gonnard
286a136e63
SSL timer fixes: not DTLS only, start cancelled
2015-05-13 17:18:59 +02:00
Manuel Pégourié-Gonnard
e3c41ad8a4
Use the new timer callback API in programs
2015-05-13 10:04:32 +02:00
Manuel Pégourié-Gonnard
2e01291739
Prepare the SSL modules for using timer callbacks
2015-05-13 09:43:39 +02:00
Manuel Pégourié-Gonnard
ec4b08957f
Fix issue in ssl_free() vs ssl_config_free()
...
Just an overlook from moving things recently
2015-05-12 12:22:36 +02:00
Manuel Pégourié-Gonnard
e6ef16f98c
Change X.509 verify flags to uint32_t
2015-05-11 19:54:43 +02:00
Manuel Pégourié-Gonnard
55fab2de5d
Fix a few more #ifdef's
2015-05-11 17:54:38 +02:00
Manuel Pégourié-Gonnard
8b431fbbec
Fix dependency issues
2015-05-11 14:35:42 +02:00
Manuel Pégourié-Gonnard
06939cebef
Fix order of ssl_conf vs ssl_setup in programs
...
Except ssl_phtread_server that will be done later
2015-05-11 14:35:42 +02:00
Manuel Pégourié-Gonnard
01e5e8c1f8
Change a few ssl_conf return types to void
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
6729e79482
Rename ssl_set_xxx() to ssl_conf_xxx()
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
22bfa4bb53
Add ssl_set_hs_ca_chain()
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
1897af9e93
Make conf const inside ssl_context (finally)
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
17a40cd255
Change ssl_own_cert to work on ssl_config
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
1af6c8500b
Add ssl_set_hs_own_cert()
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
8f618a8e65
Rework ssl_set_own_cert() internals
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
120fdbdb3d
Change ssl_set_psk() to act on ssl_config
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
4b68296626
Use a specific function in the PSK callback
2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
750e4d7769
Move ssl_set_rng() to act on config
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
5cb3308e5f
Merge contexts for session cache
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
ae31914990
Rename ssl_legacy_renegotiation() to ssl_set_...
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
662c6e8cdd
Disable truncated HMAC by default
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
1028b74cff
Upgrade default DHM params size
2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
8836994f6b
Move WANT_READ/WANT_WRITE codes to SSL
2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
1b511f93c6
Rename ssl_set_bio_timeout() to set_bio()
...
Initially thought it was best to keep the old function around and add a new
one, but this so many ssl_set_xxx() functions are changing anyway...
2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
97fd52c529
Split ssl_set_read_timeout() out of bio_timeout()
2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
bc2b771af4
Move ssl_set_ca_chain() to work on config
2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
ba26c24769
Change how hostname is stored internally
2015-05-07 10:19:14 +01:00
Manuel Pégourié-Gonnard
2b49445876
Move session ticket keys to conf
...
This is temporary, they will soon be replaced by callbacks.
!!! In this intermediate step security is removed !!!
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
684b0592cb
Move ssl_set_fallback() to work on conf
...
Initially thought it would be per-connection, but since max_version is in conf
too, and you need to lower that for a fallback connection, the fallback flag
should be in the same place
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
6bf89d6ad9
Move ssl_set_max_fragment_len to work on conf
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
17eab2b65c
Move set_cbc_record_splitting() to conf
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
d36e33fc07
Move easy ssl_set_xxx() functions to work on conf
...
mbedtls_ssl_set_alpn_protocols
mbedtls_ssl_set_arc4_support
mbedtls_ssl_set_authmode
mbedtls_ssl_set_ciphersuites
mbedtls_ssl_set_ciphersuites_for_version
mbedtls_ssl_set_curves
mbedtls_ssl_set_dbg
mbedtls_ssl_set_dh_param
mbedtls_ssl_set_dh_param_ctx
mbedtls_ssl_set_dtls_anti_replay
mbedtls_ssl_set_dtls_badmac_limit
mbedtls_ssl_set_dtls_cookies
mbedtls_ssl_set_encrypt_then_mac
mbedtls_ssl_set_endpoint
mbedtls_ssl_set_extended_master_secret
mbedtls_ssl_set_handshake_timeout
mbedtls_ssl_legacy_renegotiation
mbedtls_ssl_set_max_version
mbedtls_ssl_set_min_version
mbedtls_ssl_set_psk_cb
mbedtls_ssl_set_renegotiation
mbedtls_ssl_set_renegotiation_enforced
mbedtls_ssl_set_renegotiation_period
mbedtls_ssl_set_session_cache
mbedtls_ssl_set_session_ticket_lifetime
mbedtls_ssl_set_sni
mbedtls_ssl_set_transport
mbedtls_ssl_set_truncated_hmac
mbedtls_ssl_set_verify
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
419d5ae419
Make endpoint+transport args of config_defaults()
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
def0bbe3ab
Allocate ssl_config out of ssl_setup()
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
cd523e2a5e
Introduce mbedtls_ssl_config_{init,defaults,free}()
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
7ca4e4dc79
Move things to conf substructure
...
A simple series of sed invocations.
This is the first step, purely internal changes. The conf substructure is not
ready to be shared between contexts yet.
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
8a81e84638
Merge branch 'mbedtls-1.3' into development
...
* mbedtls-1.3:
Add countermeasure against cache-based lucky 13
Conflicts:
library/ssl_tls.c
2015-04-29 02:13:42 +02:00
Manuel Pégourié-Gonnard
41d479e7df
Split ssl_init() -> ssl_setup()
2015-04-29 02:08:34 +02:00
Manuel Pégourié-Gonnard
47fede0d6d
Add countermeasure against cache-based lucky 13
2015-04-29 01:35:48 +02:00
Manuel Pégourié-Gonnard
e6028c93f5
Fix some X509 macro names
...
For some reason, during the great renaming, some names that should have been
prefixed with MBEDTLS_X509_ have only been prefixed with MBEDTLS_
2015-04-20 12:19:02 +01:00
Manuel Pégourié-Gonnard
e6efa6f54e
manually merge 9f98251
make extKeyUsage accessible
2015-04-20 11:23:24 +01:00
Manuel Pégourié-Gonnard
144bc224e9
Merge branch 'mbedtls-1.3' into development
...
* commit 'a2fce21':
Fix potential NULL dereference on bad usage
Conflicts:
library/ssl_tls.c
2015-04-17 20:39:07 +02:00
Manuel Pégourié-Gonnard
9f98251e72
Make results of (ext)KeyUsage accessible
2015-04-17 19:57:21 +02:00
Manuel Pégourié-Gonnard
a2fce21ae5
Fix potential NULL dereference on bad usage
2015-04-15 21:04:19 +02:00
Manuel Pégourié-Gonnard
8408a94969
Remove MBEDTLS_ from internal macros
2015-04-09 13:52:55 +02:00
Manuel Pégourié-Gonnard
2cf5a7c98e
The Great Renaming
...
A simple execution of tmp/invoke-rename.pl
2015-04-08 13:25:31 +02:00
Manuel Pégourié-Gonnard
932e3934bd
Fix typos & Co
2015-04-03 18:46:55 +02:00
Manuel Pégourié-Gonnard
8c8be1ebbb
Change default min TLS version to TLS 1.0
2015-03-31 14:22:30 +02:00
Manuel Pégourié-Gonnard
d16df8f60a
Cleanup unused bit in ssl
...
Became unused when removing deprecated ssl_set_own_cert_xxx() functions
2015-03-31 14:04:51 +02:00
Manuel Pégourié-Gonnard
fa44f20b9f
Change authmode default to Required on client
2015-03-27 17:52:25 +01:00
Manuel Pégourié-Gonnard
e960818735
Check return value of the TLS PRF
2015-03-26 11:47:47 +01:00
Manuel Pégourié-Gonnard
b7fcca33b9
Make tls1_prf and tls12_prf more efficient
...
Repeatedly allocating a context and setting the key was a waste
2015-03-26 11:41:28 +01:00
Manuel Pégourié-Gonnard
6890c6b64e
Factor tls_prf_sha{256,384} together
2015-03-26 11:11:49 +01:00
Manuel Pégourié-Gonnard
abb674467b
Rename md_init_ctx() to md_setup()
2015-03-25 21:55:56 +01:00
Manuel Pégourié-Gonnard
4063ceb281
Make hmac_ctx optional
...
Note from future self: actually md_init_ctx will be re-introduced with the
same signature later, and a new function with the additional argument will be
added.
2015-03-25 21:55:56 +01:00
Manuel Pégourié-Gonnard
7da726bb53
Remove calls to xxx_hmac() from SSL modules
2015-03-25 21:55:56 +01:00
Manuel Pégourié-Gonnard
9a65e80e4f
Properly mark ssl_set_bio() as deprecated
2015-03-25 18:09:46 +01:00
Manuel Pégourié-Gonnard
c70581c272
Add POLARSSL_DEPRECATED_{WARNING,REMOVED}
2015-03-23 14:11:11 +01:00
Manuel Pégourié-Gonnard
849b174e57
Disable RC4 by default in the library
2015-03-20 19:14:19 +00:00
Manuel Pégourié-Gonnard
47723147f5
Remove functions deprecated in 1.3
2015-03-20 18:21:12 +00:00
Manuel Pégourié-Gonnard
852a6d3d8f
Rename ssl.renegotiation to ssl.renego_status
2015-03-19 16:15:20 +00:00