Commit graph

599 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
22311ae62e Improve help message of ssl_*2.c 2015-09-09 11:22:58 +02:00
Manuel Pégourié-Gonnard
3f09b6d4c2 Fix API 2015-09-08 11:58:14 +02:00
Manuel Pégourié-Gonnard
37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Simon Butcher
ed51594337 Merge pull request #265 from ARMmbed/iotssl-460-bugfixes
Iotssl 460 bugfixes
2015-09-02 23:36:36 +01:00
Manuel Pégourié-Gonnard
a2cda6bfaf Add mbedtls_ssl_get_max_frag_len()
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
2015-08-31 20:47:04 +02:00
Manuel Pégourié-Gonnard
ea35666f50 Fix -Wshadow warnings
Checked that it is supported by gcc 4.2.1 (FreeBSD 9).

fixes #240
2015-08-31 10:34:26 +02:00
Manuel Pégourié-Gonnard
6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
6755717f18 Fix stupid typo in ssl_server2.c 2015-07-02 11:15:48 +02:00
Manuel Pégourié-Gonnard
9de64f5af1 Fix MSVC warnings in library and programs 2015-07-01 16:56:08 +02:00
Manuel Pégourié-Gonnard
052f28853b Cosmetics in debug in ssl_{client,server}2.c
Print only the basename from the file, and print level too.
2015-07-01 12:01:13 +02:00
Manuel Pégourié-Gonnard
abc729e664 Simplify net_accept() with UDP sockets
This is made possible by the new API where net_accept() gets a pointer to
bind_ctx, so it can update it.
2015-07-01 01:28:24 +02:00
Manuel Pégourié-Gonnard
3d7d00ad23 Rename mbedtls_net_close() to mbedtls_net_free()
close() may be more meaningful, but free() is symmetric with _init(), and more
consistent with all other modules
2015-06-30 16:50:37 +02:00
Manuel Pégourié-Gonnard
5db64328ab Adapt programs to the new NET API 2015-06-30 16:48:17 +02:00
Manuel Pégourié-Gonnard
1c5b9fc19f Avoid truncating peer cert info in ssl_server2 2015-06-27 14:38:51 +02:00
Manuel Pégourié-Gonnard
61ee351af4 Adapt programs to the new debug API 2015-06-23 23:30:16 +02:00
Manuel Pégourié-Gonnard
c0d749418b Make 'port' a string in NET module
- avoids dependency on snprintf
- allows using "smtps" instead of "456" if desired
2015-06-23 13:09:11 +02:00
Manuel Pégourié-Gonnard
6ea831dcf4 Add tests for mbedtls_set_hs_ca_chain() 2015-06-22 17:30:18 +02:00
Manuel Pégourié-Gonnard
4d6f178376 Add support for SNI CA and authmode in ssl_server2 2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard
b31c5f68b1 Add SSL presets.
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard
7551cb9ee9 Replace malloc with calloc
- platform layer currently broken (not adapted yet)
- memmory_buffer_alloc too
2015-05-26 16:04:06 +02:00
Manuel Pégourié-Gonnard
56273daea0 Move some includes to ssl_internal.h
Also removed one from ssl.h and add it in programs where it belongs
2015-05-26 15:01:37 +02:00
Manuel Pégourié-Gonnard
a0adc1bbe4 Make cipher used in ssl tickets configurable 2015-05-25 10:35:16 +02:00
Manuel Pégourié-Gonnard
d59675d92c Move to callback for session tickets 2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard
0b104b056b Adapt prototype of net_accept() for explicit size 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
d4f04dba42 net.c now depends on select() unconditionally 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
151dc77732 Fix some old names that remained
- most in doxygen doc that was never renamed
- some re-introduced in comments/doc/strings by me
2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard
66dc5555f0 mbedtls_ssl_conf_arc4_support() depends on ARC4_C 2015-05-14 12:31:10 +02:00
Manuel Pégourié-Gonnard
d2377e7e78 ssl_client/server2 shouln't depend on timing.c
Would break test-ref-configs.pl.
2015-05-13 13:58:56 +02:00
Manuel Pégourié-Gonnard
e3c41ad8a4 Use the new timer callback API in programs 2015-05-13 10:04:32 +02:00
Manuel Pégourié-Gonnard
db1cc76091 Fix depend issue in program/ssl/ssl_*2.c 2015-05-12 11:27:25 +02:00
Manuel Pégourié-Gonnard
e6ef16f98c Change X.509 verify flags to uint32_t 2015-05-11 19:54:43 +02:00
Manuel Pégourié-Gonnard
06939cebef Fix order of ssl_conf vs ssl_setup in programs
Except ssl_phtread_server that will be done later
2015-05-11 14:35:42 +02:00
Manuel Pégourié-Gonnard
01e5e8c1f8 Change a few ssl_conf return types to void 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
6729e79482 Rename ssl_set_xxx() to ssl_conf_xxx() 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
17a40cd255 Change ssl_own_cert to work on ssl_config 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
1af6c8500b Add ssl_set_hs_own_cert() 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
120fdbdb3d Change ssl_set_psk() to act on ssl_config 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
4b68296626 Use a specific function in the PSK callback 2015-05-11 14:35:41 +02:00
Manuel Pégourié-Gonnard
750e4d7769 Move ssl_set_rng() to act on config 2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
5cb3308e5f Merge contexts for session cache 2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
ae31914990 Rename ssl_legacy_renegotiation() to ssl_set_... 2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
1028b74cff Upgrade default DHM params size 2015-05-11 12:33:27 +02:00
Manuel Pégourié-Gonnard
8836994f6b Move WANT_READ/WANT_WRITE codes to SSL 2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
1b511f93c6 Rename ssl_set_bio_timeout() to set_bio()
Initially thought it was best to keep the old function around and add a new
one, but this so many ssl_set_xxx() functions are changing anyway...
2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
97fd52c529 Split ssl_set_read_timeout() out of bio_timeout() 2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
bc2b771af4 Move ssl_set_ca_chain() to work on config 2015-05-11 12:33:26 +02:00
Manuel Pégourié-Gonnard
2b49445876 Move session ticket keys to conf
This is temporary, they will soon be replaced by callbacks.
!!! In this intermediate step security is removed !!!
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
6bf89d6ad9 Move ssl_set_max_fragment_len to work on conf 2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
d36e33fc07 Move easy ssl_set_xxx() functions to work on conf
mbedtls_ssl_set_alpn_protocols
mbedtls_ssl_set_arc4_support
mbedtls_ssl_set_authmode
mbedtls_ssl_set_ciphersuites
mbedtls_ssl_set_ciphersuites_for_version
mbedtls_ssl_set_curves
mbedtls_ssl_set_dbg
mbedtls_ssl_set_dh_param
mbedtls_ssl_set_dh_param_ctx
mbedtls_ssl_set_dtls_anti_replay
mbedtls_ssl_set_dtls_badmac_limit
mbedtls_ssl_set_dtls_cookies
mbedtls_ssl_set_encrypt_then_mac
mbedtls_ssl_set_endpoint
mbedtls_ssl_set_extended_master_secret
mbedtls_ssl_set_handshake_timeout
mbedtls_ssl_legacy_renegotiation
mbedtls_ssl_set_max_version
mbedtls_ssl_set_min_version
mbedtls_ssl_set_psk_cb
mbedtls_ssl_set_renegotiation
mbedtls_ssl_set_renegotiation_enforced
mbedtls_ssl_set_renegotiation_period
mbedtls_ssl_set_session_cache
mbedtls_ssl_set_session_ticket_lifetime
mbedtls_ssl_set_sni
mbedtls_ssl_set_transport
mbedtls_ssl_set_truncated_hmac
mbedtls_ssl_set_verify
2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
419d5ae419 Make endpoint+transport args of config_defaults() 2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
def0bbe3ab Allocate ssl_config out of ssl_setup() 2015-05-07 10:19:13 +01:00
Manuel Pégourié-Gonnard
ee6139caea Fix doc issue in ssl_server2 2015-05-07 10:18:26 +01:00
Manuel Pégourié-Gonnard
41d479e7df Split ssl_init() -> ssl_setup() 2015-04-29 02:08:34 +02:00
Manuel Pégourié-Gonnard
ec160c0f53 Update ctr_drbg_init() usage in programs 2015-04-29 02:08:34 +02:00
Manuel Pégourié-Gonnard
89addc43db manually merge 0c6ce2f use x509_crt_verify_info() 2015-04-20 11:23:11 +01:00
Manuel Pégourié-Gonnard
2cf5a7c98e The Great Renaming
A simple execution of tmp/invoke-rename.pl
2015-04-08 13:25:31 +02:00
Manuel Pégourié-Gonnard
6c7af4c200 Fix a few internal name choices 2015-04-03 18:46:55 +02:00
Manuel Pégourié-Gonnard
8c8be1ebbb Change default min TLS version to TLS 1.0 2015-03-31 14:22:30 +02:00
Manuel Pégourié-Gonnard
fa44f20b9f Change authmode default to Required on client 2015-03-27 17:52:25 +01:00
Manuel Pégourié-Gonnard
2f165060f0 Start introducing test_cas NULL-terminated list 2015-03-27 10:20:26 +01:00
Manuel Pégourié-Gonnard
75f901006b Add len constants to certs.c 2015-03-27 09:56:18 +01:00
Manuel Pégourié-Gonnard
d42b7c82ef Adapt programs to new RC4 default 2015-03-20 19:44:04 +00:00
Manuel Pégourié-Gonnard
7f8099773e Rename include directory to mbedtls 2015-03-10 11:23:56 +00:00
Manuel Pégourié-Gonnard
998897be3d Merge branch 'mbedtls-1.3' into development
* mbedtls-1.3:
  Rename website and repository
  Move private macro from header to C file
  Add some missing 'static' on a few objects
  Fix whitespace issues
  Minor portability fix in benchmark
2015-03-06 13:25:41 +00:00
Manuel Pégourié-Gonnard
fe44643b0e Rename website and repository 2015-03-06 13:17:10 +00:00
Manuel Pégourié-Gonnard
cd4cd1dd26 Merge branch 'development' into dtls
* development:
  Fix the fix to ssl_set_psk()
  Update Changelog
  Finish fixing memleak in ssl_server2 arg parsing
  Fix another potential memory leak found by find-mem-leak.cocci.
  Add a rule for another type of memory leak to find-mem-leak.cocci.
  Fix a potential memory leak found by find-mem-leak.cocci.
  Add a semantic patch to find potential memory leaks.
  Fix whitespace of 369e6c20.
  Apply the semantic patch rm-malloc-cast.cocci.
  Add a semantic patch to remove casts of malloc.
2015-02-18 10:25:16 +00:00
Manuel Pégourié-Gonnard
b199095ec9 Finish fixing memleak in ssl_server2 arg parsing
Fixes omission in 5c078e1
2015-02-18 09:32:06 +00:00
Manuel Pégourié-Gonnard
d901d17817 Merge branch 'development' into dtls
* development: (100 commits)
  Update Changelog for the mem-measure branch
  Fix issues introduced when rebasing
  Fix compile error in memory_buffer_alloc_selftest
  Code cosmetics
  Add curve25519 to ecc-heap.sh
  Add curve25519 to the benchmark program
  Fix compile issue when buffer_alloc not available
  New script ecc-heap.sh
  Fix unused variable issue in some configs
  Rm usunused member in private struct
  Add heap usage for PK in benchmark
  Use memory_buffer_alloc() in benchmark if available
  Only define mode_func if mode is enabled (CBC etc)
  PKCS8 encrypted key depend on PKCS5 or PKCS12
  Disable SRV_C for client measurement
  Output stack+heap usage with massif
  Enable NIST_OPTIM by default for config-suite-b
  Refactor memory.sh
  Adapt memory.sh to config-suite-b
  Adapt mini-client for config-suite-b.h
  ...

Conflicts:
	ChangeLog
	include/polarssl/net.h
	library/Makefile
	library/error.c
	library/ssl_tls.c
	programs/Makefile
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
	tests/Makefile
2015-02-16 18:44:39 +00:00
Manuel Pégourié-Gonnard
5c078e17b9 Fix memory leak on bad arguments in ssl_server2
Not a big deal, but was annoying in coverity results.
2015-02-16 09:13:40 +00:00
Manuel Pégourié-Gonnard
013bffe5a7 Style: add spaces before line continuation 2015-02-13 14:09:44 +00:00
Rich Evans
85b05ec389 Cleanup programs further
removed casting of main args to void
2015-02-13 13:50:05 +00:00
Rich Evans
18b78c7498 cleanup programs
Clean up the contents of programs, add more guards to includes, move all
defines to the top of the top of files, remove some unused includes
2015-02-13 13:50:05 +00:00
Manuel Pégourié-Gonnard
f224678864 Fix remaining printfs in programs 2015-01-29 13:29:20 +00:00
Manuel Pégourié-Gonnard
b8a923db2b Merge branch 'development' into dtls
* development:
  Fix left out printf's
2015-01-29 11:53:35 +00:00
Manuel Pégourié-Gonnard
7e81e7003f Fix left out printf's 2015-01-29 11:47:41 +00:00
Manuel Pégourié-Gonnard
2a0718d947 Merge branch 'development' into dtls
* development: (46 commits)
  Fix url again
  Fix small bug in base64_encode()
  Fix depend that was checked but not documented
  Fix dependency that was not checked
  Minor gitginore fixes
  Move some ignore patterns to subdirectories
  Ignore CMake/MSVC-related build files.
  Re-categorize changelog entry
  Fix misattribution
  Minor nits with stdout/stderr.
  Add cmake compatibility targets
  Add script for polarssl symlink creation
  Fix more stdio inclusion issues
  Add debug info for cert/suite selection
  Fix possible portability issue
  Fix bug in ssl_get_verify_result()
  aescrypt2.c local char array not initial
  Update Changelog
  Fix mips64 bignum implementation
  Fix usage string of ssl_client2
  ...

Conflicts:
	include/polarssl/ssl.h
	library/CMakeLists.txt
	library/Makefile
	programs/Makefile
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
	visualc/VS2010/PolarSSL.sln
	visualc/VS2010/mbedTLS.vcxproj
	visualc/VS6/mbedtls.dsp
	visualc/VS6/mbedtls.dsw
2015-01-29 11:29:12 +00:00
Manuel Pégourié-Gonnard
860b51642d Fix url again 2015-01-28 17:12:07 +00:00
Rich Evans
f90016aade Use platform layer in programs for consistency. 2015-01-28 15:28:28 +01:00
Manuel Pégourié-Gonnard
d43ccb66fb Quit using deprecated header. 2015-01-23 17:38:09 +00:00
Manuel Pégourié-Gonnard
df6411d8d8 Merge branch 'development' into dtls
* development:
  Fix website url to use https.
  Remove maintainer line.
  Remove redundant "all rights reserved"
2015-01-23 11:23:08 +00:00
Manuel Pégourié-Gonnard
085ab040aa Fix website url to use https. 2015-01-23 11:06:27 +00:00
Manuel Pégourié-Gonnard
9698f5852c Remove maintainer line. 2015-01-23 10:59:00 +00:00
Manuel Pégourié-Gonnard
19f6b5dfaa Remove redundant "all rights reserved" 2015-01-23 10:54:00 +00:00
Manuel Pégourié-Gonnard
eab72e2ced Merge branch 'development' into dtls
* development:
  Update copyright
  Fix issue in compat.sh
  Rename doxyfile
  Rename to mbed TLS in tests/
  Rename to mbed TLS in examples
  Remove old test certificates.
  Rename to mbed TLS in the documentation/comments
  Change name to mbed TLS in the copyright notice

Conflicts:
	doxygen/input/doc_mainpage.h
	doxygen/mbedtls.doxyfile
	include/polarssl/version.h
	tests/compat.sh
2015-01-23 10:23:17 +00:00
Manuel Pégourié-Gonnard
a658a4051b Update copyright 2015-01-23 09:55:24 +00:00
Manuel Pégourié-Gonnard
9169921271 Rename to mbed TLS in examples 2015-01-22 16:26:39 +00:00
Manuel Pégourié-Gonnard
967a2a5f8c Change name to mbed TLS in the copyright notice 2015-01-22 14:28:16 +00:00
Manuel Pégourié-Gonnard
3a173f497b Merge branch 'development' into dtls
* development:
  Fix error code description.
  generate_errors.pl now errors on duplicate codes
  Avoid nested if's without braces.
  Move renego SCSV after actual ciphersuites
  Fix send_close_notify usage.
  Rename variable for clarity
  Improve script portability

Conflicts:
	library/ssl_srv.c
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
	tests/ssl-opt.sh
2015-01-22 13:30:33 +00:00
Manuel Pégourié-Gonnard
34377b1e1c Fix send_close_notify usage. 2015-01-22 10:46:46 +00:00
Manuel Pégourié-Gonnard
6a0017b7c0 Rename variable for clarity 2015-01-22 10:33:29 +00:00
Manuel Pégourié-Gonnard
23eb74d8b5 Fix issues with new defaults 2015-01-21 14:37:13 +00:00
Manuel Pégourié-Gonnard
67505bf9e8 Merge branch 'development' into dtls
* development:
  Adapt tests to new defaults/errors.
  Fix typos/cosmetics in Changelog
  Disable RC4 by default in example programs.
  Add ssl_set_arc4_support()
  Set min version to TLS 1.0 in programs

Conflicts:
	include/polarssl/ssl.h
	library/ssl_cli.c
	library/ssl_srv.c
	tests/compat.sh
2015-01-21 13:57:33 +00:00
Manuel Pégourié-Gonnard
bfccdd3c92 Merge commit '36adc36' into dtls
* commit '36adc36':
  Add support for getrandom()
  Use library default for trunc-hmac in ssl_client2
  Make truncated hmac a runtime option server-side
  Fix portability issue in script
  Specific error for suites in common but none good
  Prefer SHA-1 certificates for pre-1.2 clients
  Some more refactoring/tuning.
  Minor refactoring

Conflicts:
	include/polarssl/error.h
	include/polarssl/ssl.h
	library/error.c
2015-01-21 13:48:45 +00:00
Manuel Pégourié-Gonnard
0017c2be48 Merge commit '9835bc0' into dtls
* commit '9835bc0':
  Fix racy test.
  Fix stupid error in previous commit
  Don't check errors on ssl_close_notify()
  Fix char signedness issue
  Fix issue with non-blocking I/O & record splitting
  Fix warning

Conflicts:
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
2015-01-21 13:42:16 +00:00
Manuel Pégourié-Gonnard
8fbb01ec84 Merge commit 'b2eaac1' into dtls
* commit 'b2eaac1':
  Stop assuming chars are signed
  Add tests for CBC record splitting
  Fix tests that were failing with record splitting
  Allow disabling record splitting at runtime
  Add 1/n-1 record splitting
  Enhance doc on ssl_write()

Conflicts:
	include/polarssl/ssl.h
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
2015-01-21 13:37:08 +00:00
Manuel Pégourié-Gonnard
0af1ba3521 Merge commit 'f6080b8' into dtls
* commit 'f6080b8':
  Fix warning in reduced configs
  Adapt to "negative" switch for renego
  Add tests for periodic renegotiation
  Make renego period configurable
  Auto-renegotiate before sequence number wrapping
  Update Changelog for compile-option renegotiation
  Switch from an enable to a disable flag
  Save 48 bytes if SSLv3 is not defined
  Make renegotiation a compile-time option
  Add tests for renego security enforcement

Conflicts:
	include/polarssl/ssl.h
	library/ssl_cli.c
	library/ssl_srv.c
	library/ssl_tls.c
	programs/ssl/ssl_server2.c
	tests/ssl-opt.sh
2015-01-21 11:54:33 +00:00
Manuel Pégourié-Gonnard
edb7ed3a43 Merge commit 'd7e2483' into dtls
* commit 'd7e2483': (57 commits)
  Skip signature_algorithms ext if PSK only
  Fix bug in ssl_client2 reconnect option
  Cosmetics in ssl_server2
  Improve debugging message.
  Fix net_usleep for durations greater than 1 second
  Use pk_load_file() in X509
  Create ticket keys only if enabled
  Fix typo in #ifdef
  Clarify documentation a bit
  Fix comment on resumption
  Update comment from draft to RFC
  Use more #ifdef's on CLI_C and SRV_C in ssl_tls.c
  Add recursion.pl to all.sh
  Allow x509_crt_verify_child() in recursion.pl
  Set a compile-time limit to X.509 chain length
  Fix 3DES -> DES in all.sh (+ time estimates)
  Add curves.pl to all.sh
  Rework all.sh to use MSan instead of valgrind
  Fix depends on individual curves in tests
  Add script to test depends on individual curves
  ...

Conflicts:
	CMakeLists.txt
	programs/ssl/ssl_client2.c
2015-01-20 16:52:28 +00:00
Paul Bakker
5b8f7eaa3e Merge new security defaults for programs (RC4 disabled, SSL3 disabled) 2015-01-14 16:26:54 +01:00
Paul Bakker
c82b7e2003 Merge option to disable truncated hmac on the server-side 2015-01-14 16:16:55 +01:00
Manuel Pégourié-Gonnard
a92ed4845c Fix stupid error in previous commit
Since ret is no longer update by close_notify(), we need to reset it to 0
after a successful write.
2015-01-14 10:46:53 +01:00
Manuel Pégourié-Gonnard
687f89beab Don't check errors on ssl_close_notify()
Depending on timing we might get different errors (conn_reset, write failed)
and ignoring them all ends up being almost the same as just not checking
errors.
2015-01-13 21:48:12 +01:00
Paul Bakker
b2eaac154b Stop assuming chars are signed 2015-01-13 17:15:31 +01:00
Paul Bakker
f6080b8557 Merge support for enabling / disabling renegotiation support at compile-time 2015-01-13 16:18:23 +01:00
Paul Bakker
d7e2483bfc Merge miscellaneous fixes into development 2015-01-13 16:04:38 +01:00
Manuel Pégourié-Gonnard
bd47a58221 Add ssl_set_arc4_support()
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
2015-01-13 13:03:06 +01:00
Manuel Pégourié-Gonnard
448ea506bf Set min version to TLS 1.0 in programs 2015-01-12 12:32:04 +01:00
Manuel Pégourié-Gonnard
e117a8fc0d Make truncated hmac a runtime option server-side
Reading the documentation of ssl_set_truncated_hmac() may give the impression
I changed the default for clients but I didn't, the old documentation was
wrong.
2015-01-09 12:52:20 +01:00
Manuel Pégourié-Gonnard
590f416142 Add tests for periodic renegotiation 2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard
615e677c0b Make renegotiation a compile-time option 2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard
85d915b81d Add tests for renego security enforcement 2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard
f29e5de09d Cosmetics in ssl_server2 2014-11-27 17:44:46 +01:00
Manuel Pégourié-Gonnard
3a3066c3ee ssl_server2 now exits on signal during a read too 2014-11-17 12:50:34 +01:00
Manuel Pégourié-Gonnard
403a86f73d ssl_server2: exit cleanly on SIGINT too 2014-11-17 12:46:49 +01:00
Manuel Pégourié-Gonnard
f9d778d635 Merge branch 'etm' into dtls
* etm:
  Fix warning in reduced config
  Update Changelog for EtM
  Keep EtM state across renegotiations
  Adjust minimum length for EtM
  Don't send back EtM extension if not using CBC
  Fix for the RFC erratum
  Implement EtM
  Preparation for EtM
  Implement initial negotiation of EtM

Conflicts:
	include/polarssl/check_config.h
2014-11-06 01:36:32 +01:00
Manuel Pégourié-Gonnard
56d985d0a6 Merge branch 'session-hash' into dtls
* session-hash:
  Update Changelog for session-hash
  Make session-hash depend on TLS versions
  Forbid extended master secret with SSLv3
  compat.sh: allow git version of gnutls
  compat.sh: make options a bit more robust
  Implement extended master secret
  Add negotiation of Extended Master Secret

Conflicts:
	include/polarssl/check_config.h
	programs/ssl/ssl_server2.c
2014-11-06 01:25:09 +01:00
Manuel Pégourié-Gonnard
699cafaea2 Implement initial negotiation of EtM
Not implemented yet:
- actually using EtM
- conditions on renegotiation
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
367381fddd Add negotiation of Extended Master Secret
(But not the actual thing yet.)
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
a6ace04c5c Test for lost HelloRequest 2014-10-21 16:32:57 +02:00
Manuel Pégourié-Gonnard
e698f59a25 Add tests for ssl_set_dtls_badmac_limit() 2014-10-21 16:32:56 +02:00
Manuel Pégourié-Gonnard
9b35f18f66 Add ssl_get_record_expansion() 2014-10-21 16:32:55 +02:00
Manuel Pégourié-Gonnard
e63582a166 Add dlts_client.c and dtls_server.c 2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard
dc6a75a952 ERR_NET_CONN_RESET can't happen with UDP 2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard
caecdaed25 Cosmetics in ssl_server2 & complete tests for HVR 2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard
2d87e419e0 Adapt ssl_{client,server}2.c to datagram write 2014-10-21 16:32:53 +02:00
Manuel Pégourié-Gonnard
994f8b554f Ok for close_notify to fail 2014-10-21 16:32:52 +02:00
Manuel Pégourié-Gonnard
a9d7d03e30 SIGTERM also interrupts server2 during net_read() 2014-10-21 16:32:50 +02:00
Manuel Pégourié-Gonnard
6a2bc23f63 Allow exchanges=0 in ssl_server2
Useful for testing with defensics with no data exchange
2014-10-21 16:32:50 +02:00
Manuel Pégourié-Gonnard
cce220d6aa Adapt ssl_server2 to datagram-style read 2014-10-21 16:32:49 +02:00
Manuel Pégourié-Gonnard
6b65141718 Implement ssl_read() timeout (DTLS only for now) 2014-10-21 16:32:46 +02:00
Manuel Pégourié-Gonnard
d823bd0a04 Add handshake_timeout option to test server/client 2014-10-21 16:32:44 +02:00
Manuel Pégourié-Gonnard
f03651217c Adapt programs to use nbio with DTLS 2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard
bd97fdb3a4 Make ssl_server2's HVR handling more realistic
It makes not sense to keep the connection open until the client is verified.
Until now it was useful since closing it crates a race where the second
ClientHello might be lost. But now that our client is able to resend, that's
not an issue any more.
2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
2739313cea Make anti-replay a runtime option 2014-10-21 16:32:35 +02:00
Manuel Pégourié-Gonnard
b6440a496b ssl_server2 now dies on SIGTERM during a read 2014-10-21 16:32:29 +02:00
Manuel Pégourié-Gonnard
a014829024 Use ssl_set_bio_timeout() in test client/server 2014-10-21 16:32:27 +02:00
Manuel Pégourié-Gonnard
4ba6ab6d0d Fix glitch with HelloVerifyRequest
With the close-rebind strategy, sometimes the second ClientHello was lost (if
received before close), and since our client doesn't resend yet, the tests
would fail (no problem with other client that resend). Anyway, it's not really
clean to lose messages.
2014-10-21 16:30:20 +02:00
Manuel Pégourié-Gonnard
26820e3061 Add option 'cookies' to ssl_server2 2014-10-21 16:30:18 +02:00
Manuel Pégourié-Gonnard
a64acd4f84 Add separate SSL_COOKIE_C define 2014-10-21 16:30:18 +02:00
Manuel Pégourié-Gonnard
232edd46be Move cookie callbacks implementation to own module 2014-10-21 16:30:17 +02:00
Manuel Pégourié-Gonnard
d485d194f9 Move to a callback interface for DTLS cookies 2014-10-21 16:30:17 +02:00
Manuel Pégourié-Gonnard
82202f0a9c Make DTLS_HELLO_VERIFY a compile option 2014-10-21 16:30:16 +02:00
Manuel Pégourié-Gonnard
98545f128a Generate random key for HelloVerifyRequest 2014-10-21 16:30:16 +02:00
Manuel Pégourié-Gonnard
336b824f07 Use ssl_set_client_transport_id() in ssl_server2 2014-10-21 16:30:15 +02:00
Manuel Pégourié-Gonnard
798f15a500 Fix version adjustments with force_ciphersuite 2014-10-21 16:30:10 +02:00
Manuel Pégourié-Gonnard
fe3f73bdeb Allow force_version to select DTLS 2014-10-21 16:30:10 +02:00
Manuel Pégourié-Gonnard
8a06d9c5d6 Actually use UDP for DTLS in test client/server 2014-10-21 16:30:09 +02:00
Manuel Pégourié-Gonnard
f5a1312eaa Add UDP support to the NET module 2014-10-21 16:30:09 +02:00
Manuel Pégourié-Gonnard
83218f1da1 Add dtls version aliases to test serv/cli 2014-10-21 16:30:05 +02:00
Manuel Pégourié-Gonnard
864a81fdc0 More ssl_set_XXX() functions can return BAD_INPUT 2014-10-21 16:30:04 +02:00
Manuel Pégourié-Gonnard
e29fd4beaf Add a dtls option to test server and client 2014-10-21 16:30:03 +02:00
Manuel Pégourié-Gonnard
a8c0a0dbd0 Add "exchanges" option to test server and client
Goal is to test renegotiation better: we need more than one exchange for
server-initiated renego to work reliably (the previous hack for this wouldn't
work with non-blocking I/O and probably not with DTLS either).

Also check message termination in a semi-realistic way.
2014-08-19 13:26:05 +02:00
Manuel Pégourié-Gonnard
296e3b1174 Request renego before write in ssl_server2
Will be useful for:
- detecting termination of messages by other means than connection close
- DTLS (can be seen as a special case of the above: datagram-oriented)
2014-08-19 12:59:03 +02:00
Manuel Pégourié-Gonnard
e08660e612 Fix ssl_read() and close_notify error handling in programs 2014-08-19 10:34:37 +02:00
Manuel Pégourié-Gonnard
67686c42e6 Fix undocumented option in ssl_server2 2014-08-19 10:34:37 +02:00
Manuel Pégourié-Gonnard
250b1ca6f3 Fix ssl_server2 exiting on recoverable errors 2014-08-19 10:34:37 +02:00
Paul Bakker
bc3e54c70d Fix overly rigorous defines in ssl_server2.c 2014-08-18 14:36:17 +02:00
Paul Bakker
c1283d3f4c Only use signal() in ssl_server2 on non-Windows platforms 2014-08-18 11:05:51 +02:00
Manuel Pégourié-Gonnard
dcab293bd4 Get rid of SERVERQUIT code in ssl_{client,server}2 2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard
db49330e08 ssl_server2 aborts cleanly on SIGTERM
(while waiting for a new connection)
2014-08-14 18:33:00 +02:00
Paul Bakker
a317a98221 Adapt programs / test suites 2014-07-09 10:19:24 +02:00
Manuel Pégourié-Gonnard
c5fd391e04 Check return value of ssl_set_xxx() in programs 2014-07-08 14:20:26 +02:00
Paul Bakker
8fb99abaac Merge changes for leaner memory footprint 2014-07-04 15:02:19 +02:00
Manuel Pégourié-Gonnard
481fcfde93 Make PSK_LEN configurable and adjust PMS size 2014-07-04 14:59:08 +02:00
Manuel Pégourié-Gonnard
fae355e8ee Add tests for ssl_set_renegotiation_enforced() 2014-07-04 14:32:27 +02:00
Paul Bakker
2a45d1c8bb Merge changes to config examples and configuration issues 2014-06-25 11:27:00 +02:00
Manuel Pégourié-Gonnard
0669f272e9 Fix printing large packets in ssl_server2 2014-06-25 11:26:11 +02:00
Manuel Pégourié-Gonnard
8a4d571af8 Fix warnings in no-SSL configs 2014-06-24 14:19:59 +02:00
Manuel Pégourié-Gonnard
4505ed3c90 Fix missing free() with recent ssl_server2 options 2014-06-20 18:35:16 +02:00
Paul Bakker
9b7fb6f68e Prevent warning for possibly uninitialized variable in ssl_server2 2014-06-12 23:01:43 +02:00
Manuel Pégourié-Gonnard
8de259b953 Minor code simplification in ssl programs 2014-06-11 18:35:33 +02:00
Manuel Pégourié-Gonnard
95c0a63023 Add tests for ssl_get_bytes_avail() 2014-06-11 18:34:47 +02:00
Manuel Pégourié-Gonnard
e7a3b10dcc Use ssl_get_bytes_avail() in ssl_server2. 2014-06-11 18:34:47 +02:00
Manuel Pégourié-Gonnard
6dc0781aba Add version_suites option to ssl_server2 2014-06-11 14:07:14 +02:00
Manuel Pégourié-Gonnard
dc019b9559 Use ssl_set_psk() only when a psk is given 2014-06-10 15:32:02 +02:00
Manuel Pégourié-Gonnard
fdee74b8d6 Simplify some option parsing code 2014-06-10 15:32:02 +02:00
Manuel Pégourié-Gonnard
80c8553a1a Add psk_list option to ssl_server2: PSK callback 2014-06-10 15:32:02 +02:00
Manuel Pégourié-Gonnard
9e27163acd Refactor PSK parsing in ssl_server2 2014-06-10 15:32:01 +02:00
Manuel Pégourié-Gonnard
736699c08c Add a dhm_file option to ssl_server2 2014-06-10 15:32:01 +02:00
Paul Bakker
1ebc0c592c Fix typos 2014-05-22 15:47:58 +02:00
Paul Bakker
525f87559f Cast alpn_list to void * to prevent MSVC compiler warnings 2014-05-01 10:59:27 +02:00
Manuel Pégourié-Gonnard
cef4ad2509 Adapt sources to configurable config.h name 2014-04-30 16:40:20 +02:00
Paul Bakker
c73079a78c Add debug_set_threshold() and thresholding of messages 2014-04-25 16:58:16 +02:00
Paul Bakker
93c32b21b3 Allow ssl_client to pad request to SSL_MAX_CONTENT_LEN 2014-04-25 16:58:12 +02:00
Paul Bakker
0c22610693 Cleaned up location of init and free for some programs to prevent memory
leaks on incorrect arguments
2014-04-17 16:02:36 +02:00
Manuel Pégourié-Gonnard
1bd2281260 Add an alpn option to ssl_client2 and ssl_server2 2014-04-05 14:51:42 +02:00
Manuel Pégourié-Gonnard
6b0d268bc9 Add ssl_close_notify() to servers that missed it 2014-03-31 11:28:11 +02:00
Manuel Pégourié-Gonnard
00d538f8f9 Disable renegotiation by default in example cli/srv 2014-03-31 11:03:06 +02:00
Manuel Pégourié-Gonnard
3e1b178ba2 Add options for no certificates in test srv/cli 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard
5575316385 Add options for non-blocking I/O in test cli & srv 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard
5d917ff6a8 Add a 'sni' option to ssl_server2 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard
dbe1ee1988 Add tests for session ticket lifetime 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
c55a5b7d6f Add tests for cache timeout 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
4c88345f19 Add test for ssl_cache max_entries 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
780d671f9d Add tests for renegotiation 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
2fc243d06a Rearrange help messages of example cli/srv 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
c580a00e3c Print protocol version in example cli/srv 2014-02-12 10:15:30 +01:00
Manuel Pégourié-Gonnard
18d31f8e59 Make listening address configurable in ssl_server2 2013-12-17 12:00:57 +01:00
Paul Bakker
a8239a4490 Removed Windows auto-spawn client code 2013-11-29 11:16:37 +01:00
Manuel Pégourié-Gonnard
6d8404d6ba Server: enforce renegotiation 2013-10-30 16:48:10 +01:00
Manuel Pégourié-Gonnard
9c1e1898b6 Move some code around, improve documentation 2013-10-30 16:48:09 +01:00
Manuel Pégourié-Gonnard
f3dc2f6a1d Add code for testing server-initiated renegotiation 2013-10-30 16:46:46 +01:00
Manuel Pégourié-Gonnard
8a3c64d73f Fix and simplify *-PSK ifdef's 2013-10-14 19:54:10 +02:00
Manuel Pégourié-Gonnard
1b62c7f93d Fix dependencies and related issues 2013-10-14 14:02:19 +02:00
Paul Bakker
1337affc91 Buffer allocator threading support 2013-09-29 15:02:11 +02:00
Paul Bakker
1ffefaca1e Introduced entropy_free() 2013-09-29 15:01:42 +02:00
Manuel Pégourié-Gonnard
a0fdf8b0a0 Simplify the way default certs are used 2013-09-25 14:05:49 +02:00
Manuel Pégourié-Gonnard
641de714b6 Use both RSA and ECDSA CA if available 2013-09-25 13:23:33 +02:00
Manuel Pégourié-Gonnard
ac8474fb1c Changed default cert loading in ssl_server2 2013-09-25 11:35:15 +02:00
Manuel Pégourié-Gonnard
b095a7bf29 Offer both RSA and ECDSA by default in ssl_server2 2013-09-24 21:25:54 +02:00
Manuel Pégourié-Gonnard
3ebb2cdb52 Add support for multiple server certificates 2013-09-24 21:25:53 +02:00
Manuel Pégourié-Gonnard
abd6e02b7b Rm _CRT_SECURE_NO_DEPRECATE for programs
(Already in config.h.)
2013-09-20 16:51:13 +02:00
Manuel Pégourié-Gonnard
3bd2aae5a5 Add forgotten initializations 2013-09-20 16:51:13 +02:00
Paul Bakker
c559c7a680 Renamed x509_cert structure to x509_crt for consistency 2013-09-18 14:32:52 +02:00
Paul Bakker
ddf26b4e38 Renamed x509parse_* functions to new form
e.g. x509parse_crtfile -> x509_crt_parse_file
2013-09-18 13:46:23 +02:00
Paul Bakker
369d2eb2a2 Introduced x509_crt_init(), x509_crl_init() and x509_csr_init() 2013-09-18 12:01:43 +02:00
Paul Bakker
36713e8ed9 Fixed bunch of X509_PARSE related defines / dependencies 2013-09-17 13:25:29 +02:00
Paul Bakker
1a7550ac67 Moved PK key parsing from X509 module to PK module 2013-09-15 13:47:30 +02:00
Manuel Pégourié-Gonnard
e8ea0c0421 Fix exit value on SERVERQUIT 2013-09-08 20:08:24 +02:00
Manuel Pégourié-Gonnard
ac75523593 Adapt ssl_set_own_cert() to generic keys 2013-08-27 22:21:20 +02:00
Paul Bakker
05decb24c3 Made support for the max_fragment_length extension configurable 2013-08-15 13:33:48 +02:00
Paul Bakker
a503a63b85 Made session tickets support configurable from config.h 2013-08-14 14:26:03 +02:00
Manuel Pégourié-Gonnard
aa0d4d1aff Add ssl_set_session_tickets() 2013-08-14 14:08:06 +02:00
Paul Bakker
6c85279719 Newline fixes in help text for ssl_client2 / ssl_server2 2013-07-26 14:02:13 +02:00
Paul Bakker
dbd79ca617 ssl_client2 and ssl_server2 now exit with 1 on errors (shell
limitations)
2013-07-24 16:28:35 +02:00
Paul Bakker
5b55b79021 Better handling of ciphersuite version range and forced version in
ssl_server2
2013-07-19 14:51:31 +02:00
Manuel Pégourié-Gonnard
0c017a55e0 Add max_frag_len option in ssl_server2
Also reformat code and output more information in ssl_client2
2013-07-18 14:07:36 +02:00
Paul Bakker
8e714d7aca Modified LONG_RESPONSE and comments in ssl_server2 2013-07-18 11:23:48 +02:00
Manuel Pégourié-Gonnard
bd7ce63115 Adapt ssl_server2 to test sending long messages 2013-07-18 11:23:48 +02:00
Paul Bakker
82024bf7b9 ssl_server2 now uses alloc_buffer if present and can be 'SERVERQUIT' 2013-07-16 17:48:58 +02:00
Manuel Pégourié-Gonnard
ba4878aa64 Rename x509parse_key & co with _rsa suffix 2013-07-08 15:31:18 +02:00
Paul Bakker
03a8a79516 Programs adapted to use polarssl_strerror() instead of error_strerror() 2013-06-30 12:18:08 +02:00
Paul Bakker
c1516be99d ssl_server2 and ssl_client2 adapted to support maximum protocol version 2013-06-29 18:35:41 +02:00
Paul Bakker
3c5ef71322 Cleanup up non-prototyped functions (static) and const-correctness in programs 2013-06-25 16:37:45 +02:00
Paul Bakker
ef3f8c747e Fixed const correctness issues in programs and tests
(cherry picked from commit e0225e4d7f18f4565224f4997af537533d06a80d)

Conflicts:
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
	programs/test/ssl_test.c
	programs/x509/cert_app.c
2013-06-24 19:09:24 +02:00
Paul Bakker
bcbe2d8d81 Prettier printing of the lists for longer ciphersuite names 2013-04-19 09:10:20 +02:00
Paul Bakker
ed27a041e4 More granular define selections within code to allow for smaller code
sizes
2013-04-18 23:12:34 +02:00
Paul Bakker
fbb17804d8 Added pre-shared key handling for the server side of SSL / TLS
Server side handling of the pure PSK ciphersuites is now in the base
code.
2013-04-18 23:12:33 +02:00
Paul Bakker
41c83d3f67 Added Ephemeral Elliptic Curve Diffie Hellman ciphersuites to SSL/TLS
Made all modifications to include Ephemeral Elliptic Curve Diffie
Hellman ciphersuites into the existing SSL/TLS modules. All basic
handling of the ECDHE-ciphersuites (TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
has been included.
2013-03-20 14:39:14 +01:00
Paul Bakker
91ebfb5272 Made auth_mode as an command line option 2012-11-23 14:04:08 +01:00
Paul Bakker
1f9d02dc90 Added more notes / comments on own_cert, trust_ca purposes 2012-11-20 10:30:55 +01:00
Paul Bakker
645ce3a2b4 - Moved ciphersuite naming scheme to IANA reserved names 2012-10-31 12:32:41 +00:00
Paul Bakker
b0550d90c9 - Added ssl_get_peer_cert() to SSL API 2012-10-30 07:51:03 +00:00
Paul Bakker
1d29fb5e33 - Added option to add minimum accepted SSL/TLS protocol version 2012-09-28 13:28:45 +00:00
Paul Bakker
5d19f86fdd - Added comment 2012-09-28 07:33:00 +00:00
Paul Bakker
819370c7b7 - Removed lowercasing of parameters 2012-09-28 07:04:41 +00:00
Paul Bakker
d43241060b - Removed clutter from my_dhm values 2012-09-26 08:29:38 +00:00
Paul Bakker
0a59707523 - Added simple SSL session cache implementation
- Revamped session resumption handling
2012-09-25 21:55:46 +00:00
Paul Bakker
29b64761fd - Added predefined DHM groups from RFC 5114 2012-09-25 09:36:44 +00:00
Paul Bakker
b60b95fd7f - Added first version of ssl_server2 example application 2012-09-25 09:05:17 +00:00