Commit graph

1569 commits

Author SHA1 Message Date
Paul Bakker
cf0a9f96c5 Introduce platform-layer functions for reading/writing seed from NV
Introduces mbedtls_nv_seed_read() and mbedtls_nv_seed_write().

The platform-layer functions are only available when
MBEDTLS_ENTROPY_NV_SEED is enabled.
2016-06-10 19:42:14 +01:00
Janos Follath
f93b8bc2e0 Add requirements for the entropy safety switch in documentation. 2016-06-09 13:54:15 +01:00
Janos Follath
53de78444c Add entropy safety switch.
Add a switch that turns entropy collecting off entirely, but enables
mbed TLS to run in an entirely unsafe mode. Enables to test mbed TLS
on platforms that don't have their entropy sources integrated yet.
2016-06-09 11:54:54 +01:00
Janos Follath
ce52d7823c Address user reported coverity issues. 2016-06-07 14:52:35 +01:00
Janos Follath
04b591ee79 Merge branch 'development' for weekly test report. 2016-05-31 10:18:41 +01:00
Simon Butcher
2917b9e5de Clarified function param in dhm.h 2016-05-25 00:59:37 +01:00
Simon Butcher
9c22e7311c Merge branch 'development' 2016-05-24 13:25:46 +01:00
Paul Bakker
cfe392bdd4 Add end guard comment 2016-05-23 14:29:31 +01:00
Embedthis Software
c0715cb39f Fix single threaded builds 2016-05-23 14:29:31 +01:00
Simon Butcher
80119c5d28 Fixes minor typos in comments in pk.h and ctr_drbg.c
Fixes typos in PRs #475 and #437
2016-05-23 14:29:30 +01:00
Paul Bakker
4fde40f656 Fix logic to allow at least one PKCS version enabled 2016-05-23 14:29:30 +01:00
Paul Bakker
37068a79fe Add check to prevent enabling of RSA without selecting PKCS version(s) 2016-05-23 14:29:30 +01:00
SimonB
295dfa24e7 Clarifies documentation on reported memory statistics 2016-05-23 14:29:29 +01:00
James Cowgill
c788b4cb5a Fix segfault on x32 by using better register constraints in bn_mul.h
On x32, pointers are only 4-bytes wide and need to be loaded using the "movl"
instruction instead of "movq" to avoid loading garbage into the register.

The MULADDC routines for x86-64 are adjusted to work on x32 as well by getting
gcc to load all the registers for us in advance (and storing them later) by
using better register constraints. The b, c, D and S constraints correspond to
the rbx, rcx, rdi and rsi registers respectively.
2016-05-23 14:29:28 +01:00
Simon Butcher
db0feca55c Fixes platform time_t abstraction
Fixes platform abstraction in error.c and the file that it's generated
from as well as DTLS samples.
2016-05-17 00:03:14 +01:00
Paul Bakker
9edf1eb062 Merge pull request #376 from jcowgill/x32
Support for x32
2016-05-11 20:40:08 +02:00
Paul Bakker
e049ccd405 Add end guard comment 2016-05-11 14:13:02 +01:00
Embedthis Software
17ddff5eaf Fix single threaded builds 2016-05-11 14:13:02 +01:00
Simon Butcher
295639bfa1 Fixes minor typos in comments in pk.h and ctr_drbg.c
Fixes typos in PRs #475 and #437
2016-05-10 19:39:36 +01:00
Attila Molnar
7e8a6fb78c Fix minor doc issue 2016-05-05 14:28:28 +01:00
SimonB
5be3a25691 Clarifies documentation on reported memory statistics 2016-05-05 14:25:03 +01:00
Attila Molnar
0b98d2f086 Fix minor doc issue 2016-05-02 11:06:47 +02:00
Simon Butcher
80aea30aa5 Fixes syntax and naming for check-names.sh
Some macros were failing checks by check-names.sh
2016-04-27 00:28:14 +01:00
Simon Butcher
3fe6cd3a2d Fixes time() abstraction for custom configs
Added platform abstraction of time() to ChangeLog, version features, and fixed the build for dynamic configuration.
2016-04-26 19:51:29 +01:00
SimonB
d5800b7761 Abstracts away time()/stdlib.h into platform
Substitutes time() into a configurable platform interface to allow it to be
easily substituted.
2016-04-26 14:49:59 +01:00
Janos Follath
c351d18c0e Restore a change in the documentation.
Using the wildcard name MBEDTLS_PLATFORM_XXX_ALT made the Travis build
fail.
2016-03-21 08:43:59 +00:00
Janos Follath
d75b782d0d Fix a typo that confuses check-names.sh 2016-03-18 16:47:10 +00:00
Janos Follath
9194744595 Add exit value macros to platform abstraction layer. 2016-03-18 14:05:28 +00:00
Simon Butcher
68c0bd72bc Clarified current status of RC4 usage
Made clear RC4 has been deprecated by IETF standard, and disabled
by default in the library.
2016-03-17 21:08:46 +00:00
Simon Butcher
7ef5cf3c54 Provided doxygen function definitions for debug.h
Documented each function definition.
2016-03-17 21:08:29 +00:00
Simon Butcher
d567a23c59 Fix typos, grammar in the comments and clarify them 2016-03-09 20:19:21 +00:00
Janos Follath
e2681a448b Update default configuration
Change the default settings for SSL and modify the tests accordingly.
2016-03-09 19:32:11 +00:00
Simon Butcher
e846b5128f Use the SSL IO and time callback typedefs consistently
The callback typedefs defined for mbedtls_ssl_set_bio() and
mbedtls_ssl_set_timer_cb() were not used consistently where the callbacks were
referenced in structures or in code.
2016-03-09 19:32:09 +00:00
Simon Butcher
c0957bdc13 Fix some minor typos in comments
Fix spelling mistakes and typos.
2016-03-09 19:32:09 +00:00
Manuel Pégourié-Gonnard
986bbf24ce x509:
-
2016-03-09 19:32:09 +00:00
Manuel Pégourié-Gonnard
d1b7f2b8cf ssl: ignore CertificateRequest's content for real
- document why we made that choice
- remove the two TODOs about checking hash and CA
- remove the code that parsed certificate_type: it did nothing except store
  the selected type in handshake->cert_type, but that field was never accessed
afterwards. Since handshake_params is now an internal type, we can remove that
field without breaking the ABI.
2016-03-09 19:32:09 +00:00
Manuel Pégourié-Gonnard
eeef947040 Clarify documentation about missing CRLs
Also tune up some working while at it.
2016-03-09 19:32:08 +00:00
Manuel Pégourié-Gonnard
9d6241269a Add note about not implementing PSK id_hint 2016-03-09 19:32:08 +00:00
Simon Butcher
157cb656a9 Clarified mbedtls_ssl_conf_alpn_protocols() doc
Clarified the lifetime of the protos parameter passed in the
function mbedtls_ssl_conf_alpn_protocols().
2016-03-09 19:32:08 +00:00
Manuel Pégourié-Gonnard
02049dcbd1 Add links to KB articles 2016-02-22 16:46:34 +00:00
Manuel Pégourié-Gonnard
325ce093f9 Give better error messages for semi-portable parts
Previously it was failing with errors about headers not found, which is
suboptimal in terms of clarity. Now give a clean error with pointer to the
documentation.

Do the checks in the .c files rather than check_config.h as it keeps them
closer to the platform-specific implementations.
2016-02-22 10:47:32 +01:00
Manuel Pégourié-Gonnard
d13b9507b3 Improve documentation of some SSL callbacks
The previous documentation was not explicit about what was expected of the
callbacks - the user had to infer that from the descriptions in net.h or
timing.h, and it was not clear what was part of the calling convention and
what was specific to our implementation.
2016-02-22 10:13:22 +01:00
Manuel Pégourié-Gonnard
edb1a48397 dtls: improve doc about handshake timeouts 2016-01-29 16:05:55 +01:00
Manuel Pégourié-Gonnard
365f325e03 Make check-names.sh happy 2016-01-08 15:05:11 +01:00
Manuel Pégourié-Gonnard
25caaf36a6 Avoid build errors with -O0 due to assembly 2016-01-08 14:29:11 +01:00
Simon Butcher
bfafadb45d Change version number to 2.2.1
Changed version for library files and yotta module
2016-01-04 22:26:36 +00:00
Manuel Pégourié-Gonnard
76da60c56e Fix doxygen warnings for generic names in config.h
When we use the same documentation for a list of #defines, we used to use a
generic name in the \def command. Use the first name of the list instead so
that doxygen stops complaining, and mention the generic name in the longer
description.

This is not entirely satisfactory as the full list of macros will not be
included in the generated doc, but it's still an improvement as at least the
first macro is documented now, with a hint that there are others.
2016-01-04 13:51:01 +01:00
Manuel Pégourié-Gonnard
ddbb166041 Reintroduce line deleted by accident 2016-01-04 12:40:15 +01:00
Simon Butcher
5b331b9d48 Various fixes to doxygen API generation
* Fixed incorrect file definitions
 * Fixed accidental tag problems in ecjpake.h
 * Corrected function naming in X.509 module definition
2016-01-03 16:14:14 +00:00
Simon Butcher
9803d07a63 Fix for MPI divide on MSVC
Resolves multiple platform issues when building bignum.c with Microsoft
Visual Studio.
2016-01-03 00:24:34 +00:00
Simon Butcher
4c2bfdbff6 Merge 'iotssl-558-md5-tls-sigs-restricted' 2015-12-23 18:33:54 +00:00
Simon Butcher
fabce5e137 Merge branch 'misc' into development
Fixes github #358, #362 and IOTSSL-536
2015-12-22 18:56:56 +00:00
James Cowgill
21e402a3ae Fix segfault on x32 by using better register constraints in bn_mul.h
On x32, pointers are only 4-bytes wide and need to be loaded using the "movl"
instruction instead of "movq" to avoid loading garbage into the register.

The MULADDC routines for x86-64 are adjusted to work on x32 as well by getting
gcc to load all the registers for us in advance (and storing them later) by
using better register constraints. The b, c, D and S constraints correspond to
the rbx, rcx, rdi and rsi registers respectively.
2015-12-17 13:08:47 +00:00
Manuel Pégourié-Gonnard
acbb050118 Make documentation more explicit on TLS errors
fixes #358
2015-12-10 13:57:27 +01:00
Manuel Pégourié-Gonnard
47229c7cbb Disable MD5 in handshake signatures by default 2015-12-04 15:02:56 +01:00
Manuel Pégourié-Gonnard
e2e25e7427 DTLS: avoid dropping too many records
When the peer retransmits a flight with many record in the same datagram, and
we already saw one of the records in that datagram, we used to drop the whole
datagram, resulting in interoperability failure (spurious handshake timeouts,
due to ignoring record retransmitted by the peer) with some implementations
(issues with Chrome were reported).

So in those cases, we want to only drop the current record, and look at the
following records (if any) in the same datagram. OTOH, this is not something
we always want to do, as sometime the header of the current record is not
reliable enough.

This commit introduces a new return code for ssl_parse_header() that allows to
distinguish if we should drop only the current record or the whole datagram,
and uses it in mbedtls_ssl_read_record()

fixes #345
2015-12-03 16:13:17 +01:00
Simon Butcher
8254ed2a9f Change version number to 2.2.0
Changed for library and yotta module
2015-11-04 19:55:40 +00:00
Manuel Pégourié-Gonnard
ba1d897987 Merge branch 'bugfixes' into development
* bugfixes:
  Fix typo in an OID name
  Disable reportedly broken assembly of Sparc(64)
2015-11-02 05:50:41 +09:00
Manuel Pégourié-Gonnard
fb84d38b45 Try to prevent some misuse of RSA functions
fixes #331
2015-10-30 10:56:25 +01:00
Simon Butcher
204606238c Merge branch 'development' into misc 2015-10-27 16:57:34 +00:00
Simon Butcher
5f7c34b8b0 Merge branch iotssl-521-keylen-check 2015-10-27 15:14:55 +00:00
Manuel Pégourié-Gonnard
65eefc8707 Fix missing check for RSA key length on EE certs
- also adapt tests to use lesser requirement for compatibility with old
  testing material
2015-10-23 16:19:53 +02:00
Manuel Pégourié-Gonnard
e5f3072aed Fix #ifdef inconsistency
fixes #310

Actually all key exchanges that use a certificate use signatures too, and
there is no key exchange that uses signatures but no cert, so merge those two
flags.
2015-10-23 08:40:23 +02:00
Manuel Pégourié-Gonnard
7c5fcdc17a Disable reportedly broken assembly of Sparc(64)
fixes #292
2015-10-21 14:52:24 +02:00
Manuel Pégourié-Gonnard
fadacb9d0b Merge branch 'development' into iotssl-461-ecjpake-finalization
* development: (73 commits)
  Bump yotta dependencies version
  Fix typo in documentation
  Corrected misleading fn description in ssl_cache.h
  Corrected URL/reference to MPI library
  Fix yotta dependencies
  Fix minor spelling mistake in programs/pkey/gen_key.c
  Bump version to 2.1.2
  Fix CVE number in ChangeLog
  Add 'inline' workaround where needed
  Fix references to non-standard SIZE_T_MAX
  Fix yotta version dependencies again
  Upgrade yotta dependency versions
  Fix compile error in net.c with musl libc
  Add missing warning in doc
  Remove inline workaround when not useful
  Fix macroization of inline in C++
  Changed attribution for Guido Vranken
  Merge of IOTSSL-476 - Random malloc in pem_read()
  Fix for IOTSSL-473 Double free error
  Fix potential overflow in CertificateRequest
  ...

Conflicts:
	include/mbedtls/ssl_internal.h
	library/ssl_cli.c
2015-10-20 15:00:29 +02:00
Manuel Pégourié-Gonnard
cf82893411 Disable EC J-PAKE by default (experimental) 2015-10-20 14:57:00 +02:00
Manuel Pégourié-Gonnard
db90c82eb7 Fix typo in documentation 2015-10-20 09:36:39 +02:00
Simon Butcher
e3132a9e5a Corrected misleading fn description in ssl_cache.h
Mistake in comments spotted by Andris Mednis
2015-10-19 19:28:41 +01:00
Manuel Pégourié-Gonnard
024b6df3b1 Improve key export API and documentation
- "master secret" is the usual name
- move key block arg closer to the related lengths
- document lengths

Also fix some trailing whitespace while at it
2015-10-19 13:52:53 +02:00
Manuel Pégourié-Gonnard
4104864e54 ECHDE-PSK does not use a certificate
fixes #270
2015-10-09 14:50:43 +01:00
Manuel Pégourié-Gonnard
adeb7d8ec9 Move all KEY_EXCHANGE__ definitions in one place 2015-10-09 14:44:47 +01:00
Robert Cragie
4289c0d1fa Typo in parameter name 2015-10-06 17:20:41 +01:00
Manuel Pégourié-Gonnard
c4e7d8a381 Bump version to 2.1.2
Yotta version bumped to 2.1.3, as we had to do one more patch release to the
yotta registry to accommodate for dependencies updates.
2015-10-05 19:13:36 +01:00
Manuel Pégourié-Gonnard
c80a74f734 Merge branch 'development' into development-restricted
* development:
  Add 'inline' workaround where needed
2015-10-05 16:30:53 +01:00
Manuel Pégourié-Gonnard
2ac9c60838 Add 'inline' workaround where needed
Was previously using the workaround from md.h
2015-10-05 16:18:23 +01:00
Manuel Pégourié-Gonnard
a97ab2c8a6 Merge branch 'development' into development-restricted
* development:
  Remove inline workaround when not useful
  Fix macroization of inline in C++
2015-10-05 15:48:09 +01:00
Simon Butcher
7776fc36d3 Fix for #279 macroisation of 'inline' keyword 2015-10-05 15:44:18 +01:00
Manuel Pégourié-Gonnard
2d7083435d Fix references to non-standard SIZE_T_MAX
Turns out C99 doesn't define SIZE_T_MAX, so let's not use it.
2015-10-05 15:23:11 +01:00
Manuel Pégourié-Gonnard
899ac849d0 Merge branch 'development' into development-restricted
* development:
  Upgrade yotta dependency versions
  Fix compile error in net.c with musl libc
  Add missing warning in doc
2015-10-05 14:47:43 +01:00
Manuel Pégourié-Gonnard
cb6af00e2a Add missing warning in doc
Found by Nicholas Wilson

fixes #288
2015-10-05 12:12:39 +01:00
Manuel Pégourié-Gonnard
5a2e389811 Remove inline workaround when not useful
This header doesn't have nay inline function any more
2015-10-05 11:55:39 +01:00
Manuel Pégourié-Gonnard
0223ab9d38 Fix macroization of inline in C++
When compiling as C++, MSVC complains about our macroization of a keyword.
Stop doing that as we know inline is always available in C++
2015-10-05 11:41:36 +01:00
Simon Butcher
6418ffaadb Merge fix for IOTSSL-480 - base64 overflow issue 2015-10-05 09:54:11 +01:00
Robert Cragie
4feb7ae8c2 Added key export API 2015-10-02 13:33:37 +01:00
Robert Cragie
7cdad7708e Add point format handling 2015-10-02 13:31:41 +01:00
Manuel Pégourié-Gonnard
ef388f168d Merge branch 'development' into development-restricted
* development:
  Updated ChangeLog with credit
  Fix a fairly common typo in comments
  Make config check include for configs examples more consistent
2015-10-02 12:44:39 +02:00
Manuel Pégourié-Gonnard
0aa45c209a Fix potential overflow in base64_encode 2015-09-30 16:37:49 +02:00
Simon Butcher
9f81231fb8 Revised hostname length check from review 2015-09-28 19:22:33 +01:00
Simon Butcher
89f77623b8 Added max length checking of hostname 2015-09-27 22:50:49 +01:00
Tillmann Karras
588ad50c5a Fix a fairly common typo in comments 2015-09-25 04:27:22 +02:00
Manuel Pégourié-Gonnard
77c0646ef2 Add cache for EC J-PAKE client extension
Not used yet, just add the variables and cleanup code.
2015-09-17 13:59:49 +02:00
Manuel Pégourié-Gonnard
8cea8ad8b8 Bump version to 2.1.1 2015-09-17 11:58:45 +02:00
Manuel Pégourié-Gonnard
75df902740 Add warning on config options
Note to self: actually disable before merging that branch!
2015-09-16 23:21:01 +02:00
Manuel Pégourié-Gonnard
bf57be690e Add server extension parsing
Only accept EC J-PAKE ciphersuite if extension was present and OK (single flag
for both), and ignore extension if we have no password.
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
eef142d753 Depend on ECJPAKE key exchange, not module
This is more consistent, as it doesn't make any sense for a user to be able to
set up an EC J-PAKE password with TLS if the corresponding key exchange is
disabled.

Arguably this is what we should de for other key exchanges as well instead of
depending on ECDH_C etc, but this is an independent issue, so let's just do
the right thing with the new key exchange and fix the other ones later. (This
is a marginal issue anyway, since people who disable all ECDH key exchange are
likely to also disable ECDH_C in order to minimize footprint.)
2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
538cb7b0b4 Add the ECJPAKE ciphersuite 2015-09-16 22:58:29 +02:00
Manuel Pégourié-Gonnard
557535d8c4 Add ECJPAKE key exchange 2015-09-16 22:58:29 +02:00
Simon Butcher
5793e7ef01 Merge 'development' into iotssl-411-port-reuse
Conflicts:
	ChangeLog
2015-09-16 15:25:53 +01:00
Manuel Pégourié-Gonnard
294139b57a Add client extension writing 2015-09-16 16:10:48 +02:00
Manuel Pégourié-Gonnard
b813accf84 Add mbedtls_ecjpake_check(), tells if set up
This will be used in SSL to avoid the computation-heavy processing of EC
J-PAKE hello extensions in case we don't have an EC J-PAKE password
2015-09-16 16:10:48 +02:00