Commit Graph

4056 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
b86145e6cd Avoid potential NULL dereference.
May happen with a faulty configuration (eg no allowed curve but trying to use
ECDHE key exchange), but not trigger able remotely.

(Found with Clang's scan-build.)
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
14bf7063b9 Add SSL "assertions" to help static analyzers
scan-build was reporting NULL dereferences
2015-06-23 18:44:10 +02:00
Manuel Pégourié-Gonnard
b9c93d0d0a Fix earlier incomplete change in RSA PMS reading
Probably a bad merge from the 1.3 branch
2015-06-23 18:43:53 +02:00
Manuel Pégourié-Gonnard
19389753c8 Avoid dead stores (makes scan-build happier) 2015-06-23 13:46:44 +02:00
Manuel Pégourié-Gonnard
c0d749418b Make 'port' a string in NET module
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
e244f9ffc0 Improve doc about length of strings written 2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
d23f593737 Avoid static buffer in debug module
Caused issues in threading situations
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
96fb685e31 Some more init calls 2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
496f24e949 Deduplicate SHA-2 wrappers 2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
ab5932192a Call init functions in MD alloc wrappers
When someone defines MBEDTLS_MD5_ALT for example, the init function may need
to do more that just zeroizing the context
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
1cd10adc7c Update prototype of x509write_set_key_usage()
Allow for future support of decipherOnly and encipherOnly. Some work will be
required to ensure we still write only one byte when only one is needed.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
655a964539 Adapt check_key_usage to new weird bits 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9a702255f4 Add parsing/printing for new X.509 keyUsage flags 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
b80d16d171 Fix return convention of x509_wildcard_verify() 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
07894338a0 Rename M255 to Curve25519 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
7320eb46d4 Remove references to some Montgomery curves
After all it looks like those won't become standard.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9386664543 Move from inttypes.h to stdint.h
Some toolchains do not have inttypes.h, and we only need stdint.h which is a
subset of it.
2015-06-22 23:41:26 +02:00
Manuel Pégourié-Gonnard
e7e89844d6 Fix and document corner-cases of time checking 2015-06-22 23:41:24 +02:00
Manuel Pégourié-Gonnard
57e10d71be Fix potential NULL dereference.
Introduced when moving from gmtime_r() to gmtime().
Found with fbinfer.
2015-06-22 23:40:44 +02:00
Manuel Pégourié-Gonnard
e91e21cf1b Simplify code in test suites
Hopefully makes it easier on static analyzers
2015-06-22 18:47:07 +02:00
Manuel Pégourié-Gonnard
f9b85d96a9 Fix potential resource leak in X.509 parse dir
Found with fbinfer.
2015-06-22 18:39:57 +02:00
Manuel Pégourié-Gonnard
bcf13bab5d Fix issue with MemSan and entropy
Due to the recent change about entropy sources strength, it is no longer
acceptable to just disable the platform source. So, instead "fix" it so that
it is clear to MemSan that memory is initialized.

I tried __attribute__((no_sanitize_memory)) and MemSan's blacklist file, but
couldn't seem to get them to work.
2015-06-22 18:25:41 +02:00
Manuel Pégourié-Gonnard
96aba64e13 Merge branch 'set_hs' into development
* set_hs:
  Add tests for mbedtls_set_hs_ca_chain()
  Add tests for mbedtls_ssl_set_hs_authmode()
  Add support for SNI CA and authmode in ssl_server2
  Add mbedtls_ssl_set_hs_authmode
2015-06-22 18:20:56 +02:00
Manuel Pégourié-Gonnard
6ea831dcf4 Add tests for mbedtls_set_hs_ca_chain() 2015-06-22 17:30:18 +02:00
Manuel Pégourié-Gonnard
c948a798bd Add tests for mbedtls_ssl_set_hs_authmode() 2015-06-22 16:04:20 +02:00
Manuel Pégourié-Gonnard
4d6f178376 Add support for SNI CA and authmode in ssl_server2 2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
cdc26ae099 Add mbedtls_ssl_set_hs_authmode
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
  the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
a752d8780c Merge branch 'snprintf' into development
* snprintf:
  Rationalize other snprintf() uses
  Rationalize snprintf() usage in X.509 modules
  Add tests for snprintf
  Include fixed snprintf for Windows in platform.c
2015-06-22 14:51:28 +02:00
Manuel Pégourié-Gonnard
9dbaf400ef Rationalize other snprintf() uses 2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
1685368408 Rationalize snprintf() usage in X.509 modules 2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
7b6dcbe993 Add tests for snprintf
- Added in each tests program to be sure they are run (putting them in a test
  suite/function specific to the platform layer would cause them to be skipped
when PLATFORM_C is not defined).
- Platforms have already moved from a standard to a broken snprintf in the
  past [1], so make sure to catch that if it ever happens again.

[1]: http://sourceforge.net/p/mingw-w64/mailman/message/31241434/
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
6c0c8e0d3d Include fixed snprintf for Windows in platform.c
Use _WIN32 to detect it rather that _MSC_VER as it turns out MSYS2 uses the
broken MS version by default too.
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard
bbc60db221 Adjustments for armcc in all.sh
- no HAVE_TIME -> no HAVE_TIME_DATE
- check if --help works, so that the test is cleanly skipped if license server
  cannot be reached
2015-06-22 14:41:37 +02:00
Manuel Pégourié-Gonnard
8ba88f0460 Fix stupid typo in documentation 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
f9cbd73191 Update generated files 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
d5f38b045d Fix dependencies on time on x509 test suite 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
7580ba475d Add a concept of entropy source strength.
The main goal is, we want and error if cycle counter is the only source.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
3f77dfbd52 Add MBEDTLS_ENTROPY_HARDWARE_ALT
Makes it easier for an external module to plug its hardware entropy collector.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
bf82ff0209 Fix entropy thresholds 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
60c793bdc9 Split HAVE_TIME into HAVE_TIME + HAVE_TIME_DATE
First one means we have time() but it may not return the actual wall clock
time, second means it does.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
6195767554 Fix default of openssl s_server
openssl s_server up to 1.0.2.a included uses a 512-bit prime for DH by
default. Since we now require 1024 bit at least, make s_server use decent
params. (1.0.2b and up use acceptable params by default.)
2015-06-22 14:40:55 +02:00
Manuel Pégourié-Gonnard
c0696c216b Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen 2015-06-18 16:49:37 +02:00
Manuel Pégourié-Gonnard
097c7bb05b Rename relevant global symbols from size to bitlen
Just applying rename.pl with this file:

mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
2015-06-18 16:43:38 +02:00
Manuel Pégourié-Gonnard
fb317c5221 Rename parameter in a x509 helper 2015-06-18 16:41:13 +02:00
Manuel Pégourié-Gonnard
39a48f4934 Internal renamings in PK
+ an unrelated comment in SSL
2015-06-18 16:06:55 +02:00
Manuel Pégourié-Gonnard
12ad798c87 Rename ssl_session.length to id_len 2015-06-18 15:50:37 +02:00
Manuel Pégourié-Gonnard
797f48ace6 Rename ecp_curve_info.size to bit_size 2015-06-18 15:45:05 +02:00
Manuel Pégourié-Gonnard
898e0aa210 Rename key_length in cipher_info 2015-06-18 15:31:10 +02:00
Manuel Pégourié-Gonnard
b8186a5e54 Rename len to bitlen in function parameters
Clarify a few comments too.
2015-06-18 14:58:58 +02:00
Manuel Pégourié-Gonnard
6934afa234 Merge branch 'profiles' into development
* profiles:
  Update Changelog for the profiles branch
  Add SSL presets.
  Implement sig_hashes
  Create API for mbedtls_ssl_conf_sig_hashes().
  Small internal changes in curve checking
  Extra check in verify_with_profile()
  Clarify a point in the documentation
  Fix define for ssl_conf_curves()
  Add mbedtls_ssl_conf_cert_profile()
  Implement cert profile checking
  Change data structure of profiles to bitfields
  Add pre-defined profiles for cert verification
  Create cert profile API (unimplemented yet)
  Remove duplicated tests for x509_verify_info()
  Add tests for dhm_min_bitlen
  Add dhmlen option in ssl_client2.c
  Add ssl_conf_dhm_min_bitlen()
2015-06-17 15:49:36 +02:00