yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-12-23 16:45:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ssl_config' into development

Browse source 
* ssl_config: (45 commits)
  Fix warning in ssl_pthread_server
  Fix dependency issues
  Fix typos in mini_client.c
  Optimize config usage in concurrent server examples
  Fix bug introduced when splitting init functions
  Fix order of ssl_conf vs ssl_setup in programs
  Update Changelog with forgotten change
  Change a few ssl_conf return types to void
  Update Changelog for recent config split
  Fix typos in the Changelog
  Rename ssl_set_xxx() to ssl_conf_xxx()
  Add ssl_set_hs_ca_chain()
  Make conf const inside ssl_context (finally)
  Change ssl_own_cert to work on ssl_config
  Add ssl_set_hs_own_cert()
  Rework ssl_set_own_cert() internals
  Change ssl_set_psk() to act on ssl_config
  Use a specific function in the PSK callback
  Make xxx_drbg_random() thread-safe
  Move ssl_set_rng() to act on config
  ...
This commit is contained in:
Manuel Pégourié-Gonnard 2015-05-11 14:45:57 +02:00
parent ee6139caea 30eceb766a
commit d8d0d72dde
33 changed files with 2004 additions and 1627 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
ChangeLog
View file

@ -10,20 +10,36 @@ Features
API Changes
* All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
Some names have been further changed to make them more consistent.
Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
provided.
provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
* Headers are now found in the 'mbedtls' directory (previously 'polarssl').
* The following _init() functions that could return errors have
been split into an _init() that returns void and another function:
been split into an _init() that returns void and another function that
should generally be the first function called on this context after init:
mbedtls_ssl_init() -> mbedtls_ssl_setup()
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_init(_buf)()
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_init(_buf)()
* Renamed mbedtls_pkcs11_priv_key_init() to ..._bind() and
mbedtls_pkcs11_x509_cert_init() as well (handled by rename.pl and
compat-1.3.h)
* mbedtls_memory_bufer_alloc_init() now returns void
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
Note that for mbetls_ssl_setup(), you need to be done setting up the
ssl_config structure before calling it.
* Most ssl_set_xxx() functions (all except ssl_set_hostname(),
ssl_set_session() and ssl_set_client_transport_id(), plus
ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
(see rename.pl and compat-1.3.h above) and their first argument's type
changed from ssl_context to ssl_config.
* The following functions have been introduced and must be used in callback
implementations (SNI, PSK) instead of their *conf counterparts:
mbedtls_ssl_set_hs_own_cert()
mbedtls_ssl_set_hs_ca_chain()
mbedtls_ssl_set_hs_psk()
* mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
using mbedtls_ssl_set_hostname().
* mbedtls_ssl_conf_session_cache() changed prototype (only one context
pointer, parameters reordered).
* mbedtls_ssl_conf_truncated_hmac() now returns void.
* mbedtls_memory_bufer_alloc_init() now returns void.
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
return void.
* ecdsa_write_signature() gained an addtional md_alg argument and
@ -39,7 +55,8 @@ API Changes
(support for renegotiation now needs explicit enabling in config.h).
* net_connect() and net_bind() have a new 'proto' argument to choose
between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
* ssl_set_bio() now requires that p_send == p_recv.
* ssl_set_bio() changed signature (contexts merged, order switched, one
additional callback for read-with-timeout).
* Some constness fixes
Removals
@ -60,7 +77,6 @@ Removals
New deprecations
* md_init_ctx() is deprecated in favour of md_setup(), that adds a third
argument (allowing memory savings if HMAC is not used)
* ssl_set_bio() is deprecated in favour of ssl_set_bio_timeout().
Semi-API changes (technically public, morally private)
* Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
@ -80,12 +96,26 @@ Default behavior changes
* Support for RSA_ALT contexts in the PK layer is now optional. Since is is
enabled in the default configuration, this is only noticeable if using a
custom config.h
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
* Negotiation of truncated HMAC is now disabled by default on server too.
Reauirement changes
* The minimum MSVC version required is now 2010 (better C99 support).
* The NET layer now unconditionnaly relies on getaddrinfo().
* Compiler is required to support C99 types such as long long and uint32_t.
API changes from the 1.4 preview branch
* ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
new prototype, and mbedtls_ssl_set_read_timeout().
* The following functions now return void:
mbedtls_ssl_conf_transport()
mbedtls_ssl_conf_max_version()
mbedtls_ssl_conf_min_version()
Changes
* mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
thread-safe if MBEDTLS_THREADING_C is enabled.
= mbed TLS 1.3 branch
Security

82
include/mbedtls/compat-1.3.h
View file

@ -1161,10 +1161,10 @@
#define POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED
#define POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED
#define POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED
#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_NET_TIMEOUT
#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT
#define POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST
#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_NET_WANT_READ
#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_NET_WANT_WRITE
#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ
#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
#define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
#define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
@ -2443,7 +2443,7 @@
#define ssl_hw_record_write mbedtls_ssl_hw_record_write
#define ssl_init mbedtls_ssl_init
#define ssl_key_cert mbedtls_ssl_key_cert
#define ssl_legacy_renegotiation mbedtls_ssl_legacy_renegotiation
#define ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation
#define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites
#define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash
#define ssl_optimize_checksum mbedtls_ssl_optimize_checksum
@ -2471,49 +2471,49 @@
#define ssl_session_free mbedtls_ssl_session_free
#define ssl_session_init mbedtls_ssl_session_init
#define ssl_session_reset mbedtls_ssl_session_reset
#define ssl_set_alpn_protocols mbedtls_ssl_set_alpn_protocols
#define ssl_set_arc4_support mbedtls_ssl_set_arc4_support
#define ssl_set_authmode mbedtls_ssl_set_authmode
#define ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols
#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
#define ssl_set_authmode mbedtls_ssl_conf_authmode
#define ssl_set_bio mbedtls_ssl_set_bio
#define ssl_set_bio_timeout mbedtls_ssl_set_bio_timeout
#define ssl_set_ca_chain mbedtls_ssl_set_ca_chain
#define ssl_set_cbc_record_splitting mbedtls_ssl_set_cbc_record_splitting
#define ssl_set_ciphersuites mbedtls_ssl_set_ciphersuites
#define ssl_set_ciphersuites_for_version mbedtls_ssl_set_ciphersuites_for_version
#define ssl_set_bio mbedtls_ssl_set_bio_timeout
#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
#define ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version
#define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
#define ssl_set_curves mbedtls_ssl_set_curves
#define ssl_set_dbg mbedtls_ssl_set_dbg
#define ssl_set_dh_param mbedtls_ssl_set_dh_param
#define ssl_set_dh_param_ctx mbedtls_ssl_set_dh_param_ctx
#define ssl_set_dtls_anti_replay mbedtls_ssl_set_dtls_anti_replay
#define ssl_set_dtls_badmac_limit mbedtls_ssl_set_dtls_badmac_limit
#define ssl_set_dtls_cookies mbedtls_ssl_set_dtls_cookies
#define ssl_set_encrypt_then_mac mbedtls_ssl_set_encrypt_then_mac
#define ssl_set_endpoint mbedtls_ssl_set_endpoint
#define ssl_set_extended_master_secret mbedtls_ssl_set_extended_master_secret
#define ssl_set_fallback mbedtls_ssl_set_fallback
#define ssl_set_handshake_timeout mbedtls_ssl_set_handshake_timeout
#define ssl_set_curves mbedtls_ssl_conf_curves
#define ssl_set_dbg mbedtls_ssl_conf_dbg
#define ssl_set_dh_param mbedtls_ssl_conf_dh_param
#define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
#define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
#define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
#define ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies
#define ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac
#define ssl_set_endpoint mbedtls_ssl_conf_endpoint
#define ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret
#define ssl_set_fallback mbedtls_ssl_conf_fallback
#define ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout
#define ssl_set_hostname mbedtls_ssl_set_hostname
#define ssl_set_max_frag_len mbedtls_ssl_set_max_frag_len
#define ssl_set_max_version mbedtls_ssl_set_max_version
#define ssl_set_min_version mbedtls_ssl_set_min_version
#define ssl_set_own_cert mbedtls_ssl_set_own_cert
#define ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len
#define ssl_set_max_version mbedtls_ssl_conf_max_version
#define ssl_set_min_version mbedtls_ssl_conf_min_version
#define ssl_set_own_cert mbedtls_ssl_conf_own_cert
#define ssl_set_own_cert_alt mbedtls_ssl_set_own_cert_alt
#define ssl_set_own_cert_rsa mbedtls_ssl_set_own_cert_rsa
#define ssl_set_psk mbedtls_ssl_set_psk
#define ssl_set_psk_cb mbedtls_ssl_set_psk_cb
#define ssl_set_renegotiation mbedtls_ssl_set_renegotiation
#define ssl_set_renegotiation_enforced mbedtls_ssl_set_renegotiation_enforced
#define ssl_set_renegotiation_period mbedtls_ssl_set_renegotiation_period
#define ssl_set_rng mbedtls_ssl_set_rng
#define ssl_set_psk mbedtls_ssl_conf_psk
#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
#define ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced
#define ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period
#define ssl_set_rng mbedtls_ssl_conf_rng
#define ssl_set_session mbedtls_ssl_set_session
#define ssl_set_session_cache mbedtls_ssl_set_session_cache
#define ssl_set_session_ticket_lifetime mbedtls_ssl_set_session_ticket_lifetime
#define ssl_set_session_tickets mbedtls_ssl_set_session_tickets
#define ssl_set_sni mbedtls_ssl_set_sni
#define ssl_set_transport mbedtls_ssl_set_transport
#define ssl_set_truncated_hmac mbedtls_ssl_set_truncated_hmac
#define ssl_set_verify mbedtls_ssl_set_verify
#define ssl_set_session_cache mbedtls_ssl_conf_session_cache
#define ssl_set_session_ticket_lifetime mbedtls_ssl_conf_session_ticket_lifetime
#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
#define ssl_set_sni mbedtls_ssl_conf_sni
#define ssl_set_transport mbedtls_ssl_conf_transport
#define ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac
#define ssl_set_verify mbedtls_ssl_conf_verify
#define ssl_sig_from_pk mbedtls_ssl_sig_from_pk
#define ssl_states mbedtls_ssl_states
#define ssl_ticket_keys mbedtls_ssl_ticket_keys

10
include/mbedtls/config.h
View file

@ -361,7 +361,7 @@
* Remove RC4 ciphersuites by default in SSL / TLS.
* This flag removes the ciphersuites based on RC4 from the default list as
* returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
* enable (some of) them with mbedtls_ssl_set_ciphersuites() by including them
* enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
* explicitly.
*
* Uncomment this macro to remove RC4 ciphersuites by default.
@ -1064,7 +1064,7 @@
* MBEDTLS_SSL_PROTO_DTLS
*
* \warning Disabling this is often a security risk!
* See mbedtls_ssl_set_dtls_anti_replay() for details.
* See mbedtls_ssl_conf_dtls_anti_replay() for details.
*
* Comment this to disable anti-replay in DTLS.
*/
@ -1094,7 +1094,7 @@
*
* Enable support for a limit of records with bad MAC.
*
* See mbedtls_ssl_set_dtls_badmac_limit().
* See mbedtls_ssl_conf_dtls_badmac_limit().
*
* Requires: MBEDTLS_SSL_PROTO_DTLS
*/
@ -1136,14 +1136,14 @@
/**
* \def MBEDTLS_SSL_SET_CURVES
*
* Enable mbedtls_ssl_set_curves().
* Enable mbedtls_ssl_conf_curves().
*
* This is disabled by default since it breaks binary compatibility with the
* 1.3.x line. If you choose to enable it, you will need to rebuild your
* application against the new header files, relinking will not be enough.
* It will be enabled by default, or no longer an option, in the 1.4 branch.
*
* Uncomment to make mbedtls_ssl_set_curves() available.
* Uncomment to make mbedtls_ssl_conf_curves() available.
*/
//#define MBEDTLS_SSL_SET_CURVES

8
include/mbedtls/ctr_drbg.h
View file

@ -26,6 +26,10 @@
#include "aes.h"
#if defined(MBEDTLS_THREADING_C)
#include "mbedtls/threading.h"
#endif
#define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED -0x0034 /**< The entropy source failed. */
#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< Too many random requested in single call. */
#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< Input too large (Entropy + additional). */
@ -99,6 +103,10 @@ typedef struct
int (*f_entropy)(void *, unsigned char *, size_t);
void *p_entropy; /*!< context for the entropy function */
#if defined(MBEDTLS_THREADING_C)
mbedtls_threading_mutex_t mutex;
#endif
}
mbedtls_ctr_drbg_context;

4
include/mbedtls/error.h
View file

@ -62,7 +62,7 @@
* DES 1 0x0032-0x0032
* CTR_DBRG 4 0x0034-0x003A
* ENTROPY 3 0x003C-0x0040
* NET 12 0x0042-0x0056 0x0011-0x0011
* NET 9 0x0042-0x0052
* ENTROPY 1 0x0058-0x0058
* ASN1 7 0x0060-0x006C
* MD2 1 0x0070-0x0070
@ -88,7 +88,7 @@
* ECP 4 8 (Started from top)
* MD 5 4
* CIPHER 6 6
* SSL 6 13 (Started from top)
* SSL 6 16 (Started from top)
* SSL 7 31
*
* Module dependent error code (5 bits 0x.00.-0x.F8.)

8
include/mbedtls/hmac_drbg.h
View file

@ -26,6 +26,10 @@
#include "md.h"
#if defined(MBEDTLS_THREADING_C)
#include "mbedtls/threading.h"
#endif
/*
* Error codes
*/
@ -87,6 +91,10 @@ typedef struct
/* Callbacks */
int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
void *p_entropy; /*!< context for the entropy function */
#if defined(MBEDTLS_THREADING_C)
mbedtls_threading_mutex_t mutex;
#endif
} mbedtls_hmac_drbg_context;
/**

23
include/mbedtls/net.h
View file

@ -30,6 +30,8 @@
#include MBEDTLS_CONFIG_FILE
#endif
#include "ssl.h"
#include <stddef.h>
#include <stdint.h>
@ -41,10 +43,7 @@
#define MBEDTLS_ERR_NET_RECV_FAILED -0x004C /**< Reading information from the socket failed. */
#define MBEDTLS_ERR_NET_SEND_FAILED -0x004E /**< Sending information through the socket failed. */
#define MBEDTLS_ERR_NET_CONN_RESET -0x0050 /**< Connection was reset by peer. */
#define MBEDTLS_ERR_NET_WANT_READ -0x0052 /**< Connection requires a read call. */
#define MBEDTLS_ERR_NET_WANT_WRITE -0x0054 /**< Connection requires a write call. */
#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0056 /**< Failed to get an IP address for the given hostname. */
#define MBEDTLS_ERR_NET_TIMEOUT -0x0011 /**< The operation timed out. */
#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052 /**< Failed to get an IP address for the given hostname. */
#define MBEDTLS_NET_LISTEN_BACKLOG 10 /**< The backlog that listen() should use. */
@ -100,7 +99,7 @@ int mbedtls_net_bind( int *fd, const char *bind_ip, int port, int proto );
* Must be at least 4 bytes, or 16 if IPv6 is supported
*
* \return 0 if successful, MBEDTLS_ERR_NET_ACCEPT_FAILED, or
* MBEDTLS_ERR_NET_WANT_READ is bind_fd was set to
* MBEDTLS_ERR_SSL_WANT_READ is bind_fd was set to
* non-blocking and accept() is blocking.
*
* \note With UDP, connects the bind_fd to the client and just copy
@ -148,8 +147,9 @@ void mbedtls_net_usleep( unsigned long usec );
* \param len Maximum length of the buffer
*
* \return This function returns the number of bytes received,
* or a non-zero error code; MBEDTLS_ERR_NET_WANT_READ
* indicates read() is blocking.
* or a non-zero error code; with a non-blocking socket,
* MBEDTLS_ERR_SSL_WANT_READ indicates read() would be
* blocking.
*/
int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len );
@ -162,8 +162,9 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len );
* \param len The length of the buffer
*
* \return This function returns the number of bytes sent,
* or a non-zero error code; MBEDTLS_ERR_NET_WANT_WRITE
* indicates write() is blocking.
* or a non-zero error code; with a non-blocking socket,
* MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would be
* blocking.
*/
int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
@ -180,8 +181,8 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
*
* \return This function returns the number of bytes received,
* or a non-zero error code:
* MBEDTLS_ERR_NET_TIMEOUT if the operation timed out,
* MBEDTLS_ERR_NET_WANT_READ if interrupted by a signal.
* MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
* MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
*
* \note This function will block (until data becomes available or
* timeout is reached) even if the socket is set to

740
include/mbedtls/ssl.h
View file

File diff suppressed because it is too large Load diff

4
library/ccm.c
View file

@ -74,10 +74,6 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
int ret;
const mbedtls_cipher_info_t *cipher_info;
memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
mbedtls_cipher_init( &ctx->cipher_ctx );
cipher_info = mbedtls_cipher_info_from_values( cipher, keysize, MBEDTLS_MODE_ECB );
if( cipher_info == NULL )
return( MBEDTLS_ERR_CCM_BAD_INPUT );

31
library/ctr_drbg.c
View file

@ -61,6 +61,10 @@ static void mbedtls_zeroize( void *v, size_t n ) {
void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_init( &ctx->mutex );
#endif
}
/*
@ -78,7 +82,6 @@ int mbedtls_ctr_drbg_seed_entropy_len(
int ret;
unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
memset( ctx, 0, sizeof(mbedtls_ctr_drbg_context) );
memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
mbedtls_aes_init( &ctx->aes_ctx );
@ -115,6 +118,9 @@ void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
if( ctx == NULL )
return;
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free( &ctx->mutex );
#endif
mbedtls_aes_free( &ctx->aes_ctx );
mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
}
@ -392,7 +398,22 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
{
return mbedtls_ctr_drbg_random_with_add( p_rng, output, output_len, NULL, 0 );
int ret;
mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
return( ret );
#endif
ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
#if defined(MBEDTLS_THREADING_C)
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif
return( ret );
}
#if defined(MBEDTLS_FS_IO)
@ -537,6 +558,8 @@ int mbedtls_ctr_drbg_self_test( int verbose )
CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
mbedtls_ctr_drbg_free( &ctx );
if( verbose != 0 )
mbedtls_printf( "passed\n" );
@ -546,6 +569,8 @@ int mbedtls_ctr_drbg_self_test( int verbose )
if( verbose != 0 )
mbedtls_printf( " CTR_DRBG (PR = FALSE): " );
mbedtls_ctr_drbg_init( &ctx );
test_offset = 0;
CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
(void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
@ -554,6 +579,8 @@ int mbedtls_ctr_drbg_self_test( int verbose )
CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
CHK( memcmp( buf, result_nopr, 16 ) );
mbedtls_ctr_drbg_free( &ctx );
if( verbose != 0 )
mbedtls_printf( "passed\n" );

32
library/debug.c
View file

@ -83,18 +83,18 @@ void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
char str[512];
int maxlen = sizeof( str ) - 1;
if( ssl->f_dbg == NULL || level > debug_threshold )
if( ssl->conf->f_dbg == NULL || level > debug_threshold )
return;
if( debug_log_mode == MBEDTLS_DEBUG_LOG_RAW )
{
ssl->f_dbg( ssl->p_dbg, level, text );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, text );
return;
}
mbedtls_snprintf( str, maxlen, "%s(%04d): %s\n", file, line, text );
str[maxlen] = '\0';
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
}
void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
@ -105,7 +105,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
int maxlen = sizeof( str ) - 1;
size_t idx = 0;
if( ssl->f_dbg == NULL || level > debug_threshold )
if( ssl->conf->f_dbg == NULL || level > debug_threshold )
return;
if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL )
@ -115,7 +115,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
text, ret, -ret );
str[maxlen] = '\0';
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
}
void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
@ -126,7 +126,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
char txt[17];
size_t i, maxlen = sizeof( str ) - 1, idx = 0;
if( ssl->f_dbg == NULL || level > debug_threshold )
if( ssl->conf->f_dbg == NULL || level > debug_threshold )
return;
if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL )
@ -136,7 +136,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
text, (unsigned int) len );
str[maxlen] = '\0';
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
idx = 0;
memset( txt, 0, sizeof( txt ) );
@ -150,7 +150,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
if( i > 0 )
{
mbedtls_snprintf( str + idx, maxlen - idx, " %s\n", txt );
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
idx = 0;
memset( txt, 0, sizeof( txt ) );
@ -175,7 +175,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
idx += mbedtls_snprintf( str + idx, maxlen - idx, " " );
mbedtls_snprintf( str + idx, maxlen - idx, " %s\n", txt );
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
}
}
@ -187,7 +187,7 @@ void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
char str[512];
int maxlen = sizeof( str ) - 1;
if( ssl->f_dbg == NULL || level > debug_threshold )
if( ssl->conf->f_dbg == NULL || level > debug_threshold )
return;
mbedtls_snprintf( str, maxlen, "%s(X)", text );
@ -209,7 +209,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
int j, k, maxlen = sizeof( str ) - 1, zeros = 1;
size_t i, n, idx = 0;
if( ssl->f_dbg == NULL || X == NULL || level > debug_threshold )
if( ssl->conf->f_dbg == NULL || X == NULL || level > debug_threshold )
return;
for( n = X->n - 1; n > 0; n-- )
@ -227,7 +227,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
str[maxlen] = '\0';
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
idx = 0;
for( i = n + 1, j = 0; i > 0; i-- )
@ -247,7 +247,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
if( j > 0 )
{
mbedtls_snprintf( str + idx, maxlen - idx, "\n" );
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
idx = 0;
}
@ -274,7 +274,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
}
mbedtls_snprintf( str + idx, maxlen - idx, "\n" );
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
}
#endif /* MBEDTLS_BIGNUM_C */
@ -322,7 +322,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
char str[1024], prefix[64];
int i = 0, maxlen = sizeof( prefix ) - 1, idx = 0;
if( ssl->f_dbg == NULL || crt == NULL || level > debug_threshold )
if( ssl->conf->f_dbg == NULL || crt == NULL || level > debug_threshold )
return;
if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL )
@ -347,7 +347,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
text, ++i, buf );
str[maxlen] = '\0';
ssl->f_dbg( ssl->p_dbg, level, str );
ssl->conf->f_dbg( ssl->conf->p_dbg, level, str );
debug_print_pk( ssl, level, file, line, "crt->", &crt->pk );

12
library/error.c
View file

@ -457,6 +457,12 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
mbedtls_snprintf( buf, buflen, "SSL - Connection requires a read call" );
if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
@ -675,14 +681,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" );
if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) )
mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" );
if( use_ret == -(MBEDTLS_ERR_NET_WANT_READ) )
mbedtls_snprintf( buf, buflen, "NET - Connection requires a read call" );
if( use_ret == -(MBEDTLS_ERR_NET_WANT_WRITE) )
mbedtls_snprintf( buf, buflen, "NET - Connection requires a write call" );
if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) )
mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
if( use_ret == -(MBEDTLS_ERR_NET_TIMEOUT) )
mbedtls_snprintf( buf, buflen, "NET - The operation timed out" );
#endif /* MBEDTLS_NET_C */
#if defined(MBEDTLS_OID_C)

4
library/gcm.c
View file

@ -167,10 +167,6 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
int ret;
const mbedtls_cipher_info_t *cipher_info;
memset( ctx, 0, sizeof(mbedtls_gcm_context) );
mbedtls_cipher_init( &ctx->cipher_ctx );
cipher_info = mbedtls_cipher_info_from_values( cipher, keysize, MBEDTLS_MODE_ECB );
if( cipher_info == NULL )
return( MBEDTLS_ERR_GCM_BAD_INPUT );

39
library/hmac_drbg.c
View file

@ -62,6 +62,10 @@ static void mbedtls_zeroize( void *v, size_t n ) {
void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_init( &ctx->mutex );
#endif
}
/*
@ -101,10 +105,6 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
{
int ret;
memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
mbedtls_md_init( &ctx->md_ctx );
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret );
@ -175,10 +175,6 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
int ret;
size_t entropy_len, md_size;
memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
mbedtls_md_init( &ctx->md_ctx );
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret );
@ -313,7 +309,22 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng,
*/
int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len )
{
return( mbedtls_hmac_drbg_random_with_add( p_rng, output, out_len, NULL, 0 ) );
int ret;
mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
return( ret );
#endif
ret = mbedtls_hmac_drbg_random_with_add( ctx, output, out_len, NULL, 0 );
#if defined(MBEDTLS_THREADING_C)
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif
return( ret );
}
/*
@ -324,8 +335,10 @@ void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
if( ctx == NULL )
return;
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free( &ctx->mutex );
#endif
mbedtls_md_free( &ctx->md_ctx );
mbedtls_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
}
@ -481,6 +494,8 @@ int mbedtls_hmac_drbg_self_test( int verbose )
CHK( memcmp( buf, result_pr, OUTPUT_LEN ) );
mbedtls_hmac_drbg_free( &ctx );
mbedtls_hmac_drbg_free( &ctx );
if( verbose != 0 )
mbedtls_printf( "passed\n" );
@ -490,6 +505,8 @@ int mbedtls_hmac_drbg_self_test( int verbose )
if( verbose != 0 )
mbedtls_printf( " HMAC_DRBG (PR = False) : " );
mbedtls_hmac_drbg_init( &ctx );
test_offset = 0;
CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
hmac_drbg_self_test_entropy, (void *) entropy_nopr,
@ -500,6 +517,8 @@ int mbedtls_hmac_drbg_self_test( int verbose )
CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) );
mbedtls_hmac_drbg_free( &ctx );
mbedtls_hmac_drbg_free( &ctx );
if( verbose != 0 )
mbedtls_printf( "passed\n" );

16
library/net.c
View file

@ -338,7 +338,7 @@ int mbedtls_net_accept( int bind_fd, int *client_fd, void *client_ip )
if( ret < 0 )
{
if( net_would_block( bind_fd ) != 0 )
return( MBEDTLS_ERR_NET_WANT_READ );
return( MBEDTLS_ERR_SSL_WANT_READ );
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
}
@ -425,7 +425,7 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
if( ret < 0 )
{
if( net_would_block( fd ) != 0 )
return( MBEDTLS_ERR_NET_WANT_READ );
return( MBEDTLS_ERR_SSL_WANT_READ );
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
!defined(EFI32)
@ -436,7 +436,7 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
return( MBEDTLS_ERR_NET_CONN_RESET );
if( errno == EINTR )
return( MBEDTLS_ERR_NET_WANT_READ );
return( MBEDTLS_ERR_SSL_WANT_READ );
#endif
return( MBEDTLS_ERR_NET_RECV_FAILED );
@ -467,17 +467,17 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
/* Zero fds ready means we timed out */
if( ret == 0 )
return( MBEDTLS_ERR_NET_TIMEOUT );
return( MBEDTLS_ERR_SSL_TIMEOUT );
if( ret < 0 )
{
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
!defined(EFI32)
if( WSAGetLastError() == WSAEINTR )
return( MBEDTLS_ERR_NET_WANT_READ );
return( MBEDTLS_ERR_SSL_WANT_READ );
#else
if( errno == EINTR )
return( MBEDTLS_ERR_NET_WANT_READ );
return( MBEDTLS_ERR_SSL_WANT_READ );
#endif
return( MBEDTLS_ERR_NET_RECV_FAILED );
@ -499,7 +499,7 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
if( ret < 0 )
{
if( net_would_block( fd ) != 0 )
return( MBEDTLS_ERR_NET_WANT_WRITE );
return( MBEDTLS_ERR_SSL_WANT_WRITE );
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
!defined(EFI32)
@ -510,7 +510,7 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
return( MBEDTLS_ERR_NET_CONN_RESET );
if( errno == EINTR )
return( MBEDTLS_ERR_NET_WANT_WRITE );
return( MBEDTLS_ERR_SSL_WANT_WRITE );
#endif
return( MBEDTLS_ERR_NET_SEND_FAILED );

174
library/ssl_cli.c
View file

@ -65,6 +65,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
size_t *olen )
{
unsigned char *p = buf;
size_t hostname_len;
*olen = 0;
@ -74,6 +75,8 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
ssl->hostname ) );
hostname_len = strlen( ssl->hostname );
/*
* struct {
* NameType name_type;
@ -95,19 +98,19 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
*p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
*p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
*p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
*p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
*p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
*p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( hostname_len ) & 0xFF );
memcpy( p, ssl->hostname, ssl->hostname_len );
memcpy( p, ssl->hostname, hostname_len );
*olen = ssl->hostname_len + 9;
*olen = hostname_len + 9;
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
@ -158,7 +161,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
*olen = 0;
if( ssl->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
return;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
@ -262,7 +265,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
#if defined(MBEDTLS_SSL_SET_CURVES)
for( grp_id = ssl->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
{
info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
#else
@ -320,7 +323,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
{
unsigned char *p = buf;
if( ssl->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
*olen = 0;
return;
}
@ -333,7 +336,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
*p++ = 0x00;
*p++ = 1;
*p++ = ssl->mfl_code;
*p++ = ssl->conf->mfl_code;
*olen = 5;
}
@ -345,7 +348,7 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
{
unsigned char *p = buf;
if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
{
*olen = 0;
return;
@ -369,8 +372,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
{
unsigned char *p = buf;
if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
ssl->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;
@ -395,8 +398,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
{
unsigned char *p = buf;
if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
ssl->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{
*olen = 0;
return;
@ -422,7 +425,7 @@ static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
unsigned char *p = buf;
size_t tlen = ssl->session_negotiate->ticket_len;
if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
{
*olen = 0;
return;
@ -459,7 +462,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
unsigned char *p = buf;
const char **cur;
if( ssl->alpn_list == NULL )
if( ssl->conf->alpn_list == NULL )
{
*olen = 0;
return;
@ -481,7 +484,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
/* Skip writing extension and list length for now */
p += 4;
for( cur = ssl->alpn_list; *cur != NULL; cur++ )
for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
{
*p = (unsigned char)( strlen( *cur ) & 0xFF );
memcpy( p + 1, *cur, *p );
@ -515,7 +518,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
* When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->verify_cookie != NULL )
{
return( 0 );
@ -531,13 +534,13 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
#else
if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
return( ret );
p += 4;
#endif /* MBEDTLS_HAVE_TIME */
if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
return( ret );
return( 0 );
@ -555,7 +558,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
if( ssl->f_rng == NULL )
if( ssl->conf->f_rng == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
return( MBEDTLS_ERR_SSL_NO_RNG );
@ -565,14 +568,15 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
#endif
{
ssl->major_ver = ssl->min_major_ver;
ssl->minor_ver = ssl->min_minor_ver;
ssl->major_ver = ssl->conf->min_major_ver;
ssl->minor_ver = ssl->conf->min_minor_ver;
}
if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
if( ssl->conf->max_major_ver == 0 )
{
ssl->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
ssl->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
"consider using mbedtls_ssl_config_defaults()" ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
/*
@ -585,8 +589,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
buf = ssl->out_msg;
p = buf + 4;
mbedtls_ssl_write_version( ssl->max_major_ver, ssl->max_minor_ver,
ssl->transport, p );
mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
ssl->conf->transport, p );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
@ -637,7 +641,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
if( ssl->session_negotiate->ticket != NULL &&
ssl->session_negotiate->ticket_len != 0 )
{
ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
if( ret != 0 )
return( ret );
@ -659,7 +663,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
* DTLS cookie
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
if( ssl->handshake->verify_cookie == NULL )
{
@ -683,7 +687,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
/*
* Ciphersuite list
*/
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
/* Skip writing ciphersuite length for now */
n = 0;
@ -697,17 +701,17 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
if( ciphersuite_info == NULL )
continue;
if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver ||
ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
continue;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
continue;
#endif
if( ssl->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
continue;
@ -733,7 +737,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
/* Some versions of OpenSSL don't handle it correctly if not at end */
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
if( ssl->fallback == MBEDTLS_SSL_IS_FALLBACK )
if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
@ -760,7 +764,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
* an actual need for it.
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
offer_compress = 0;
#endif
@ -860,7 +864,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
mbedtls_ssl_send_flight_completed( ssl );
#endif
@ -928,9 +932,9 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
* server should use the extension only if we did,
* and if so the server's value should match ours (and len is always 1)
*/
if( ssl->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
len != 1 ||
buf[0] != ssl->mfl_code )
buf[0] != ssl->conf->mfl_code )
{
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@ -944,7 +948,7 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
len != 0 )
{
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
@ -963,7 +967,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
len != 0 )
{
@ -983,7 +987,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
len != 0 )
{
@ -1003,7 +1007,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
len != 0 )
{
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
@ -1060,7 +1064,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
const char **p;
/* If we didn't send it, the server shouldn't send it */
if( ssl->alpn_list == NULL )
if( ssl->conf->alpn_list == NULL )
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
/*
@ -1086,7 +1090,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
/* Check that the server chosen protocol was in our list and save it */
for( p = ssl->alpn_list; *p != NULL; p++ )
for( p = ssl->conf->alpn_list; *p != NULL; p++ )
{
if( name_len == strlen( *p ) &&
memcmp( buf + 3, *p, name_len ) == 0 )
@ -1119,7 +1123,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
* } HelloVerifyRequest;
*/
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->transport, p );
mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
p += 2;
/*
@ -1128,8 +1132,8 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
*/
if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
major_ver > ssl->max_major_ver ||
minor_ver > ssl->max_minor_ver )
major_ver > ssl->conf->max_major_ver ||
minor_ver > ssl->conf->max_minor_ver )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
@ -1199,8 +1203,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
{
ssl->renego_records_seen++;
if( ssl->renego_max_records >= 0 &&
ssl->renego_records_seen > ssl->renego_max_records )
if( ssl->conf->renego_max_records >= 0 &&
ssl->renego_records_seen > ssl->conf->renego_max_records )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
"but not honored by server" ) );
@ -1217,7 +1221,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
{
@ -1257,18 +1261,18 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
ssl->transport, buf + 0 );
ssl->conf->transport, buf + 0 );
if( ssl->major_ver < ssl->min_major_ver ||
ssl->minor_ver < ssl->min_minor_ver ||
ssl->major_ver > ssl->max_major_ver ||
ssl->minor_ver > ssl->max_minor_ver )
if( ssl->major_ver < ssl->conf->min_major_ver ||
ssl->minor_ver < ssl->conf->min_minor_ver ||
ssl->major_ver > ssl->conf->max_major_ver ||
ssl->minor_ver > ssl->conf->max_minor_ver )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
" min: [%d:%d], server: [%d:%d], max: [%d:%d]",
ssl->min_major_ver, ssl->min_minor_ver,
ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
ssl->major_ver, ssl->minor_ver,
ssl->max_major_ver, ssl->max_minor_ver ) );
ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@ -1334,7 +1338,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
/* See comments in ssl_write_client_hello() */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
accept_comp = 0;
#endif
@ -1402,7 +1406,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
if( suite_info == NULL ||
( ssl->arc4_disabled &&
( ssl->conf->arc4_disabled &&
suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
@ -1413,13 +1417,13 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
i = 0;
while( 1 )
{
if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
ssl->session_negotiate->ciphersuite )
{
break;
@ -1575,7 +1579,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
* Renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1;
@ -1590,7 +1594,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
handshake_failure = 1;
@ -1779,10 +1783,10 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
* opaque random[46];
* } PreMasterSecret;
*/
mbedtls_ssl_write_version( ssl->max_major_ver, ssl->max_minor_ver,
ssl->transport, p );
mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
ssl->conf->transport, p );
if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
return( ret );
@ -1804,7 +1808,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
p, ssl->handshake->pmslen,
ssl->out_msg + offset + len_bytes, olen,
MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
return( ret );
@ -2426,7 +2430,7 @@ static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
mbedtls_ssl_recv_flight_completed( ssl );
#endif
@ -2458,7 +2462,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
&ssl->out_msg[i], n,
ssl->f_rng, ssl->p_rng );
ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
@ -2473,7 +2477,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
&ssl->handshake->pmslen,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
return( ret );
@ -2500,7 +2504,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
&n,
&ssl->out_msg[i], 1000,
ssl->f_rng, ssl->p_rng );
ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
@ -2513,7 +2517,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
return( ret );
@ -2535,16 +2539,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
/*
* opaque psk_identity<0..2^16-1>;
*/
if( ssl->psk == NULL || ssl->psk_identity == NULL )
if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
i = 4;
n = ssl->psk_identity_len;
n = ssl->conf->psk_identity_len;
ssl->out_msg[i++] = (unsigned char)( n >> 8 );
ssl->out_msg[i++] = (unsigned char)( n );
memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
i += ssl->psk_identity_len;
memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
i += ssl->conf->psk_identity_len;
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
@ -2574,7 +2578,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
&ssl->out_msg[i], n,
ssl->f_rng, ssl->p_rng );
ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
@ -2591,7 +2595,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
*/
ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
&ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
ssl->f_rng, ssl->p_rng );
ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
@ -2801,7 +2805,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
ssl->out_msg + 6 + offset, &n,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
return( ret );
@ -2944,7 +2948,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
return( ret );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake != NULL &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{

219
library/ssl_srv.c
View file

@ -189,15 +189,15 @@ static int ssl_write_ticket( mbedtls_ssl_context *ssl, size_t *tlen )
*tlen = 0;
if( ssl->ticket_keys == NULL )
if( ssl->conf->ticket_keys == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
/* Write key name */
memcpy( p, ssl->ticket_keys->key_name, 16 );
memcpy( p, ssl->conf->ticket_keys->key_name, 16 );
p += 16;
/* Generate and write IV (with a copy for aes_crypt) */
if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 16 ) ) != 0 )
return( ret );
memcpy( iv, p, 16 );
p += 16;
@ -224,7 +224,7 @@ static int ssl_write_ticket( mbedtls_ssl_context *ssl, size_t *tlen )
state[i] = (unsigned char) pad_len;
/* Encrypt */
if( ( ret = mbedtls_aes_crypt_cbc( &ssl->ticket_keys->enc, MBEDTLS_AES_ENCRYPT,
if( ( ret = mbedtls_aes_crypt_cbc( &ssl->conf->ticket_keys->enc, MBEDTLS_AES_ENCRYPT,
enc_len, iv, state, state ) ) != 0 )
{
return( ret );
@ -237,7 +237,7 @@ static int ssl_write_ticket( mbedtls_ssl_context *ssl, size_t *tlen )
/* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
if( ( ret = mbedtls_md_hmac( mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ),
ssl->ticket_keys->mac_key, 16,
ssl->conf->ticket_keys->mac_key, 16,
start, p - start, p ) ) != 0 )
{
return( ret );
@ -271,7 +271,7 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
if( len < 34 || ssl->ticket_keys == NULL )
if( len < 34 || ssl->conf->ticket_keys == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
@ -283,12 +283,12 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl,
/* Check name, in constant time though it's not a big secret */
diff = 0;
for( i = 0; i < 16; i++ )
diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
diff |= key_name[i] ^ ssl->conf->ticket_keys->key_name[i];
/* don't return yet, check the MAC anyway */
/* Check mac, with constant-time buffer comparison */
if( ( ret = mbedtls_md_hmac( mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ),
ssl->ticket_keys->mac_key, 16,
ssl->conf->ticket_keys->mac_key, 16,
buf, len - 32, computed_mac ) ) != 0 )
{
return( ret );
@ -303,7 +303,7 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_INVALID_MAC );
/* Decrypt */
if( ( ret = mbedtls_aes_crypt_cbc( &ssl->ticket_keys->dec, MBEDTLS_AES_DECRYPT,
if( ( ret = mbedtls_aes_crypt_cbc( &ssl->conf->ticket_keys->dec, MBEDTLS_AES_DECRYPT,
enc_len, iv, ticket, ticket ) ) != 0 )
{
return( ret );
@ -333,7 +333,7 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_HAVE_TIME)
/* Check if still valid */
if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
if( (int) ( time( NULL) - session.start ) > ssl->conf->ticket_lifetime )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
mbedtls_ssl_session_free( &session );
@ -363,7 +363,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
const unsigned char *info,
size_t ilen )
{
if( ssl->endpoint != MBEDTLS_SSL_IS_SERVER )
if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
mbedtls_free( ssl->cli_id );
@ -377,37 +377,18 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
return( 0 );
}
void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl,
void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
mbedtls_ssl_cookie_write_t *f_cookie_write,
mbedtls_ssl_cookie_check_t *f_cookie_check,
void *p_cookie )
{
ssl->f_cookie_write = f_cookie_write;
ssl->f_cookie_check = f_cookie_check;
ssl->p_cookie = p_cookie;
conf->f_cookie_write = f_cookie_write;
conf->f_cookie_check = f_cookie_check;
conf->p_cookie = p_cookie;
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/*
* Wrapper around f_sni, allowing use of mbedtls_ssl_set_own_cert() but
* making it act on ssl->handshake->sni_key_cert instead.
*/
static int ssl_sni_wrapper( mbedtls_ssl_context *ssl,
const unsigned char* name, size_t len )
{
int ret;
mbedtls_ssl_key_cert *key_cert_ori = ssl->key_cert;
ssl->key_cert = NULL;
ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
ssl->handshake->sni_key_cert = ssl->key_cert;
ssl->key_cert = key_cert_ori;
return( ret );
}
static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@ -437,7 +418,8 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
{
ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
ret = ssl->conf->f_sni( ssl->conf->p_sni,
ssl, p + 3, hostname_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
@ -670,7 +652,7 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
((void) buf);
if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
return( 0 );
@ -690,7 +672,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
((void) buf);
if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
{
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
@ -713,7 +695,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
((void) buf);
if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
{
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
@ -730,7 +712,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
{
int ret;
if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
return( 0 );
/* Remember the client asked us to send a new ticket */
@ -778,7 +760,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
const char **ours;
/* If ALPN not configured, just ignore the extension */
if( ssl->alpn_list == NULL )
if( ssl->conf->alpn_list == NULL )
return( 0 );
/*
@ -802,7 +784,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
*/
start = buf + 2;
end = buf + len;
for( ours = ssl->alpn_list; *ours != NULL; ours++ )
for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
{
ours_len = strlen( *ours );
for( theirs = start; theirs != end; theirs += cur_len )
@ -875,7 +857,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
list = ssl->handshake->sni_key_cert;
else
#endif
list = ssl->handshake->key_cert;
list = ssl->conf->key_cert;
if( pk_alg == MBEDTLS_PK_NONE )
return( 0 );
@ -943,7 +925,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
cur = fallback;
/* Do not update ssl->handshake->key_cert unless the is a match */
/* Do not update ssl->handshake->key_cert unless there is a match */
if( cur != NULL )
{
ssl->handshake->key_cert = cur;
@ -982,12 +964,12 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
return( 0 );
#endif
if( ssl->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
@ -1009,9 +991,9 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
/* If the ciphersuite requires a pre-shared key and we don't
* have one, skip it now rather than failing later */
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
ssl->f_psk == NULL &&
( ssl->psk == NULL || ssl->psk_identity == NULL ||
ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
ssl->conf->f_psk == NULL &&
( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
return( 0 );
@ -1100,15 +1082,15 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
}
ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
? buf[4] : ssl->max_minor_ver;
ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
? buf[4] : ssl->conf->max_minor_ver;
if( ssl->minor_ver < ssl->min_minor_ver )
if( ssl->minor_ver < ssl->conf->min_minor_ver )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
" [%d:%d] < [%d:%d]",
ssl->major_ver, ssl->minor_ver,
ssl->min_major_ver, ssl->min_minor_ver ) );
ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@ -1224,7 +1206,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
if( ssl->minor_ver < ssl->max_minor_ver )
if( ssl->minor_ver < ssl->conf->max_minor_ver )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
@ -1240,7 +1222,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
got_common_suite = 0;
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
ciphersuite_info = NULL;
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
@ -1291,7 +1273,7 @@ have_ciphersuite_v2:
* SSLv2 Client Hello relevant renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
@ -1353,7 +1335,7 @@ read_record_header:
#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
#endif
if( ( buf[0] & 0x80 ) != 0 )
return ssl_parse_client_hello_v2( ssl );
@ -1385,7 +1367,7 @@ read_record_header:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
buf[1], buf[2] ) );
mbedtls_ssl_read_version( &major, &minor, ssl->transport, buf + 1 );
mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
/* According to RFC 5246 Appendix E.1, the version here is typically
* "{03,00}, the lowest version number supported by the client, [or] the
@ -1400,7 +1382,7 @@ read_record_header:
/* For DTLS if this is the initial handshake, remember the client sequence
* number to use it in our next message (RFC 6347 4.2.1) */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
#if defined(MBEDTLS_SSL_RENEGOTIATION)
&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
#endif
@ -1455,7 +1437,7 @@ read_record_header:
/* Done reading this record, get ready for the next one */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
else
#endif
@ -1502,7 +1484,7 @@ read_record_header:
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
/*
* Copy the client's handshake message_seq on initial handshakes,
@ -1583,18 +1565,18 @@ read_record_header:
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
ssl->transport, buf );
ssl->conf->transport, buf );
ssl->handshake->max_major_ver = ssl->major_ver;
ssl->handshake->max_minor_ver = ssl->minor_ver;
if( ssl->major_ver < ssl->min_major_ver ||
ssl->minor_ver < ssl->min_minor_ver )
if( ssl->major_ver < ssl->conf->min_major_ver ||
ssl->minor_ver < ssl->conf->min_minor_ver )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
" [%d:%d] < [%d:%d]",
ssl->major_ver, ssl->minor_ver,
ssl->min_major_ver, ssl->min_minor_ver ) );
ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@ -1602,13 +1584,13 @@ read_record_header:
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
}
if( ssl->major_ver > ssl->max_major_ver )
if( ssl->major_ver > ssl->conf->max_major_ver )
{
ssl->major_ver = ssl->max_major_ver;
ssl->minor_ver = ssl->max_minor_ver;
ssl->major_ver = ssl->conf->max_major_ver;
ssl->minor_ver = ssl->conf->max_minor_ver;
}
else if( ssl->minor_ver > ssl->max_minor_ver )
ssl->minor_ver = ssl->max_minor_ver;
else if( ssl->minor_ver > ssl->conf->max_minor_ver )
ssl->minor_ver = ssl->conf->max_minor_ver;
/*
* Save client random (inc. Unix time)
@ -1641,7 +1623,7 @@ read_record_header:
* Check the cookie length and content
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
cookie_offset = 35 + sess_len;
cookie_len = buf[cookie_offset];
@ -1656,13 +1638,13 @@ read_record_header:
buf + cookie_offset + 1, cookie_len );
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if( ssl->f_cookie_check != NULL
if( ssl->conf->f_cookie_check != NULL
#if defined(MBEDTLS_SSL_RENEGOTIATION)
&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
#endif
)
{
if( ssl->f_cookie_check( ssl->p_cookie,
if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
buf + cookie_offset + 1, cookie_len,
ssl->cli_id, ssl->cli_id_len ) != 0 )
{
@ -1743,7 +1725,7 @@ read_record_header:
/* See comments in ssl_write_client_hello() */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
#endif
@ -1793,7 +1775,7 @@ read_record_header:
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
case MBEDTLS_TLS_EXT_SERVERNAME:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
if( ssl->f_sni == NULL )
if( ssl->conf->f_sni == NULL )
break;
ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
@ -1931,7 +1913,7 @@ read_record_header:
{
MBEDTLS_SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) );
if( ssl->minor_ver < ssl->max_minor_ver )
if( ssl->minor_ver < ssl->conf->max_minor_ver )
{
MBEDTLS_SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) );
@ -1974,7 +1956,7 @@ read_record_header:
* Renegotiation security checks
*/
if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1;
@ -1989,7 +1971,7 @@ read_record_header:
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
handshake_failure = 1;
@ -2017,7 +1999,7 @@ read_record_header:
* and certificate from the SNI callback triggered by the SNI extension.)
*/
got_common_suite = 0;
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
ciphersuite_info = NULL;
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
@ -2068,7 +2050,7 @@ have_ciphersuite:
ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
mbedtls_ssl_recv_flight_completed( ssl );
#endif
@ -2351,12 +2333,12 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
/* The RFC is not clear on this point, but sending the actual negotiated
* version looks like the most interoperable thing to do. */
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
ssl->transport, p );
ssl->conf->transport, p );
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
p += 2;
/* If we get here, f_cookie_check is not null */
if( ssl->f_cookie_write == NULL )
if( ssl->conf->f_cookie_write == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@ -2365,7 +2347,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
/* Skip length byte until we know the length */
cookie_len_byte = p++;
if( ( ret = ssl->f_cookie_write( ssl->p_cookie,
if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
&p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
ssl->cli_id, ssl->cli_id_len ) ) != 0 )
{
@ -2407,7 +2389,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->verify_cookie_len != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
@ -2417,7 +2399,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
if( ssl->f_rng == NULL )
if( ssl->conf->f_rng == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
return( MBEDTLS_ERR_SSL_NO_RNG );
@ -2434,7 +2416,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
p = buf + 4;
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
ssl->transport, p );
ssl->conf->transport, p );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
@ -2449,13 +2431,13 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
#else
if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
return( ret );
p += 4;
#endif /* MBEDTLS_HAVE_TIME */
if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
return( ret );
p += 28;
@ -2474,8 +2456,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
#endif
ssl->session_negotiate->length != 0 &&
ssl->f_get_cache != NULL &&
ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
ssl->conf->f_get_cache != NULL &&
ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
ssl->handshake->resume = 1;
@ -2503,7 +2485,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
{
ssl->session_negotiate->length = n = 32;
if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
n ) ) != 0 )
return( ret );
}
@ -2651,7 +2633,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
ssl->authmode == MBEDTLS_SSL_VERIFY_NONE )
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
return( 0 );
@ -2743,7 +2725,12 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
* opaque DistinguishedName<1..2^16-1>;
*/
p += 2;
crt = ssl->ca_chain;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
crt = ssl->handshake->sni_ca_chain;
else
#endif
crt = ssl->conf->ca_chain;
total_dn_size = 0;
while( crt != NULL && crt->version != 0 )
@ -2871,6 +2858,12 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
{
if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
/*
* Ephemeral DH parameters:
*
@ -2880,8 +2873,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
* opaque dh_Ys<1..2^16-1>;
* } ServerDHParams;
*/
if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 ||
( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
return( ret );
@ -2889,7 +2882,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
return( ret );
@ -2927,7 +2920,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
const mbedtls_ecp_group_id *gid;
/* Match our preference list against the offered curves */
for( gid = ssl->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
if( (*curve)->grp_id == *gid )
goto curve_matching_done;
@ -2954,7 +2947,7 @@ curve_matching_done:
if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
return( ret );
@ -3118,7 +3111,7 @@ curve_matching_done:
if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
p + 2 , &signature_len,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
return( ret );
@ -3167,7 +3160,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
mbedtls_ssl_send_flight_completed( ssl );
#endif
@ -3268,7 +3261,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
ssl->handshake->max_minor_ver,
ssl->transport, ver );
ssl->conf->transport, ver );
/*
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
* must not cause the connection to end immediately; instead, send a
@ -3276,14 +3269,14 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
* Also, avoid data-dependant branches here to protect against
* timing-based variants.
*/
ret = ssl->f_rng( ssl->p_rng, fake_pms, sizeof( fake_pms ) );
ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
if( ret != 0 )
return( ret );
ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
peer_pms, &peer_pmslen,
sizeof( peer_pms ),
ssl->f_rng, ssl->p_rng );
ssl->conf->f_rng, ssl->conf->p_rng );
diff = (size_t) ret;
diff |= peer_pmslen ^ 48;
@ -3320,9 +3313,9 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
int ret = 0;
size_t n;
if( ssl->f_psk == NULL &&
( ssl->psk == NULL || ssl->psk_identity == NULL ||
ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
if( ssl->conf->f_psk == NULL &&
( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
@ -3346,17 +3339,17 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
}
if( ssl->f_psk != NULL )
if( ssl->conf->f_psk != NULL )
{
if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
}
else
{
/* Identity is not a big secret since clients send it in the clear,
* but treat it carefully anyway, just in case */
if( n != ssl->psk_identity_len ||
mbedtls_ssl_safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
if( n != ssl->conf->psk_identity_len ||
mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
{
ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
}
@ -3432,7 +3425,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
&ssl->handshake->pmslen,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
@ -3464,7 +3457,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
ssl->f_rng, ssl->p_rng ) ) != 0 )
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
@ -3796,7 +3789,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
{
int ret;
size_t tlen;
uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
uint32_t lifetime = (uint32_t) ssl->conf->ticket_lifetime;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
@ -3864,7 +3857,7 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
return( ret );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake != NULL &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{

1058
library/ssl_tls.c
View file

File diff suppressed because it is too large Load diff

64
programs/ssl/dtls_client.c
View file

@ -92,6 +92,7 @@ int main( int argc, char *argv[] )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
((void) argc);
@ -105,6 +106,7 @@ int main( int argc, char *argv[] )
* 0. Initialize the RNG and the session data
*/
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &cacert );
mbedtls_ctr_drbg_init( &ctr_drbg );
@ -123,7 +125,7 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
/*
* 0. Initialize certificates
* 0. Load certificates
*/
mbedtls_printf( " . Loading the CA root certificate ..." );
fflush( stdout );
@ -160,30 +162,39 @@ int main( int argc, char *argv[] )
mbedtls_printf( " . Setting up the DTLS structure..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
/* OPTIONAL is usually a bad choice for security, but makes interop easier
* in this simplified example, in which the ca chain is hardcoded.
* Production code should set a proper ca chain and use REQUIRED. */
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &server_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout );
mbedtls_printf( " ok\n" );
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM );
/* OPTIONAL is usually a bad choice for security, but makes interop easier
* in this simplified example, in which the ca chain is hardcoded.
* Production code should set a proper ca chain and use REQUIRED. */
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_set_bio_timeout( &ssl, &server_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout,
READ_TIMEOUT_MS );
/*
* 4. Handshake
*/
@ -191,8 +202,8 @@ int main( int argc, char *argv[] )
fflush( stdout );
do ret = mbedtls_ssl_handshake( &ssl );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret != 0 )
{
@ -241,8 +252,8 @@ send_request:
len = sizeof( MESSAGE ) - 1;
do ret = mbedtls_ssl_write( &ssl, (unsigned char *) MESSAGE, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret < 0 )
{
@ -263,14 +274,14 @@ send_request:
memset( buf, 0, sizeof( buf ) );
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret <= 0 )
{
switch( ret )
{
case MBEDTLS_ERR_NET_TIMEOUT:
case MBEDTLS_ERR_SSL_TIMEOUT:
mbedtls_printf( " timeout\n\n" );
if( retry_left-- > 0 )
goto send_request;
@ -298,7 +309,7 @@ close_notify:
/* No error checking, the connection might be closed already */
do ret = mbedtls_ssl_close_notify( &ssl );
while( ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
ret = 0;
mbedtls_printf( " done\n" );
@ -322,6 +333,7 @@ exit:
mbedtls_x509_crt_free( &cacert );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );

59
programs/ssl/dtls_server.c
View file

@ -97,6 +97,7 @@ int main( void )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
#if defined(MBEDTLS_SSL_CACHE_C)
@ -104,6 +105,7 @@ int main( void )
#endif
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ssl_cookie_init( &cookie_ctx );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init( &cache );
@ -190,28 +192,27 @@ int main( void )
printf( " . Setting up the DTLS data..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM );
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, &cache,
mbedtls_ssl_cache_set, &cache );
mbedtls_ssl_conf_session_cache( &conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set );
#endif
mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
@ -222,9 +223,15 @@ int main( void )
goto exit;
}
mbedtls_ssl_set_dtls_cookies( &ssl, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
&cookie_ctx );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
reset:
@ -268,13 +275,12 @@ reset:
sizeof( client_ip ) ) ) != 0 )
{
printf( " failed\n ! "
"ssl_set_client_tranport_id() returned -0x%x\n\n", -ret );
"ssl_set_client_transport_id() returned -0x%x\n\n", -ret );
goto exit;
}
mbedtls_ssl_set_bio_timeout( &ssl, &client_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout,
READ_TIMEOUT_MS );
mbedtls_ssl_set_bio( &ssl, &client_fd,
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout );
printf( " ok\n" );
@ -285,8 +291,8 @@ reset:
fflush( stdout );
do ret = mbedtls_ssl_handshake( &ssl );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
{
@ -312,14 +318,14 @@ reset:
memset( buf, 0, sizeof( buf ) );
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret <= 0 )
{
switch( ret )
{
case MBEDTLS_ERR_NET_TIMEOUT:
case MBEDTLS_ERR_SSL_TIMEOUT:
printf( " timeout\n\n" );
goto reset;
@ -344,8 +350,8 @@ reset:
fflush( stdout );
do ret = mbedtls_ssl_write( &ssl, buf, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret < 0 )
{
@ -364,7 +370,7 @@ close_notify:
/* No error checking, the connection might be closed already */
do ret = mbedtls_ssl_close_notify( &ssl );
while( ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
ret = 0;
printf( " done\n" );
@ -391,6 +397,7 @@ exit:
mbedtls_x509_crt_free( &srvcert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ssl_cookie_free( &cookie_ctx );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free( &cache );

35
programs/ssl/mini_client.c
View file

@ -147,7 +147,9 @@ enum exit_codes
{
exit_ok = 0,
ctr_drbg_seed_failed,
ssl_config_defaults_failed,
ssl_setup_failed,
hostname_failed,
socket_failed,
connect_failed,
x509_crt_parse_failed,
@ -167,12 +169,14 @@ int main( void )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_init( &ctr_drbg );
/*
* 0. Initialize and setup stuff
*/
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &ca );
#endif
@ -185,18 +189,18 @@ int main( void )
goto exit;
}
if( mbedtls_ssl_setup( &ssl ) != 0 )
if( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM) != 0 )
{
ret = ssl_setup_failed;
ret = ssl_config_defaults_failed;
goto exit;
}
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
mbedtls_ssl_set_psk( &ssl, psk, sizeof( psk ),
mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
(const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
#endif
@ -207,10 +211,22 @@ int main( void )
goto exit;
}
mbedtls_ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME );
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_REQUIRED );
mbedtls_ssl_conf_ca_chain( &conf, &ca, NULL );
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
#endif
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
{
ret = ssl_setup_failed;
goto exit;
}
if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 )
{
ret = hostname_failed;
goto exit;
}
/*
* 1. Start the connection
*/
@ -235,7 +251,7 @@ int main( void )
goto exit;
}
mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
if( mbedtls_ssl_handshake( &ssl ) != 0 )
{
@ -260,6 +276,7 @@ exit:
mbedtls_net_close( server_fd );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
#if defined(MBEDTLS_X509_CRT_PARSE_C)

38
programs/ssl/ssl_client1.c
View file

@ -83,6 +83,7 @@ int main( void )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
#if defined(MBEDTLS_DEBUG_C)
@ -93,6 +94,7 @@ int main( void )
* 0. Initialize the RNG and the session data
*/
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &cacert );
mbedtls_ctr_drbg_init( &ctr_drbg );
@ -148,23 +150,36 @@ int main( void )
mbedtls_printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" );
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
/*
* 4. Handshake
@ -174,7 +189,7 @@ int main( void )
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
@ -212,7 +227,7 @@ int main( void )
while( ( ret = mbedtls_ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto exit;
@ -234,7 +249,7 @@ int main( void )
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE )
if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY )
@ -275,6 +290,7 @@ exit:
mbedtls_x509_crt_free( &cacert );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );

178
programs/ssl/ssl_client2.c
View file

@ -334,11 +334,11 @@ static int my_recv( void *ctx, unsigned char *buf, size_t len )
if( first_try )
{
first_try = 0;
return( MBEDTLS_ERR_NET_WANT_READ );
return( MBEDTLS_ERR_SSL_WANT_READ );
}
ret = mbedtls_net_recv( ctx, buf, len );
if( ret != MBEDTLS_ERR_NET_WANT_READ )
if( ret != MBEDTLS_ERR_SSL_WANT_READ )
first_try = 1; /* Next call will be a new operation */
return( ret );
}
@ -351,11 +351,11 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
if( first_try )
{
first_try = 0;
return( MBEDTLS_ERR_NET_WANT_WRITE );
return( MBEDTLS_ERR_SSL_WANT_WRITE );
}
ret = mbedtls_net_send( ctx, buf, len );
if( ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_WRITE )
first_try = 1; /* Next call will be a new operation */
return( ret );
}
@ -401,6 +401,7 @@ int main( int argc, char *argv[] )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ssl_session saved_session;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt cacert;
@ -415,6 +416,7 @@ int main( int argc, char *argv[] )
*/
server_fd = 0;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) );
mbedtls_ctr_drbg_init( &ctr_drbg );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@ -1047,134 +1049,106 @@ int main( int argc, char *argv[] )
mbedtls_printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
opt.transport ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
goto exit;
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( opt.debug_level > 0 )
mbedtls_ssl_set_verify( &ssl, my_verify, NULL );
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
#endif
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_set_authmode( &ssl, opt.auth_mode );
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 )
{
mbedtls_printf( " failed\n ! selected transport is not available\n" );
goto exit;
}
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max );
mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
if( ( ret = mbedtls_ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_max_frag_len returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
mbedtls_ssl_set_truncated_hmac( &ssl, opt.trunc_hmac );
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
if( opt.extended_ms != DFL_EXTENDED_MS )
mbedtls_ssl_set_extended_master_secret( &ssl, opt.extended_ms );
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if( opt.etm != DFL_ETM )
mbedtls_ssl_set_encrypt_then_mac( &ssl, opt.etm );
mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm );
#endif
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
if( opt.recsplit != DFL_RECSPLIT )
mbedtls_ssl_set_cbc_record_splitting( &ssl, opt.recsplit
mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit
? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
: MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
#endif
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
if( ( ret = mbedtls_ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_alpn_protocols returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret );
goto exit;
}
#endif
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
if( opt.nbio == 2 )
mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, my_send, my_recv, NULL,
opt.read_timeout );
else
mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv,
#if defined(MBEDTLS_HAVE_TIME)
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL,
#else
NULL,
#endif
opt.read_timeout );
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if( ( ret = mbedtls_ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_session_tickets returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session_tickets returned %d\n\n", ret );
goto exit;
}
#endif
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
if( opt.arc4 != DFL_ARC4 )
mbedtls_ssl_set_arc4_support( &ssl, opt.arc4 );
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_set_renegotiation( &ssl, opt.renegotiation );
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
}
if( strcmp( opt.crt_file, "none" ) != 0 &&
strcmp( opt.key_file, "none" ) != 0 )
{
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
}
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( ( ret = mbedtls_ssl_set_psk( &ssl, psk, psk_len,
(const unsigned char *) opt.psk_identity,
strlen( opt.psk_identity ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_psk returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
@ -1182,31 +1156,52 @@ int main( int argc, char *argv[] )
}
#endif
if( opt.min_version != DFL_MIN_VERSION )
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
(const unsigned char *) opt.psk_identity,
strlen( opt.psk_identity ) ) ) != 0 )
{
ret = mbedtls_ssl_set_min_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! selected min_version is not available\n" );
goto exit;
}
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_psk returned %d\n\n", ret );
goto exit;
}
#endif
if( opt.min_version != DFL_MIN_VERSION )
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
if( opt.max_version != DFL_MAX_VERSION )
{
ret = mbedtls_ssl_set_max_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! selected max_version is not available\n" );
goto exit;
}
}
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
if( opt.fallback != DFL_FALLBACK )
mbedtls_ssl_set_fallback( &ssl, opt.fallback );
mbedtls_ssl_conf_fallback( &conf, opt.fallback );
#endif
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
goto exit;
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
#endif
if( opt.nbio == 2 )
mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL );
else
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv,
#if defined(MBEDTLS_HAVE_TIME)
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL
#else
NULL
#endif
);
mbedtls_printf( " ok\n" );
/*
@ -1217,7 +1212,7 @@ int main( int argc, char *argv[] )
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n", -ret );
if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
@ -1303,8 +1298,8 @@ int main( int argc, char *argv[] )
fflush( stdout );
while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ &&
ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
goto exit;
@ -1355,8 +1350,8 @@ send_request:
while( ( ret = mbedtls_ssl_write( &ssl, buf + written, len - written ) )
<= 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ &&
ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned -0x%x\n\n", -ret );
goto exit;
@ -1367,8 +1362,8 @@ send_request:
else /* Not stream, so datagram */
{
do ret = mbedtls_ssl_write( &ssl, buf, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret < 0 )
{
@ -1400,8 +1395,8 @@ send_request:
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE )
if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret <= 0 )
@ -1445,14 +1440,14 @@ send_request:
memset( buf, 0, sizeof( buf ) );
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret <= 0 )
{
switch( ret )
{
case MBEDTLS_ERR_NET_TIMEOUT:
case MBEDTLS_ERR_SSL_TIMEOUT:
mbedtls_printf( " timeout\n" );
if( retry_left-- > 0 )
goto send_request;
@ -1489,7 +1484,7 @@ close_notify:
/* No error checking, the connection might be closed already */
do ret = mbedtls_ssl_close_notify( &ssl );
while( ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
ret = 0;
mbedtls_printf( " done\n" );
@ -1520,7 +1515,7 @@ reconnect:
if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_session returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session returned %d\n\n", ret );
goto exit;
}
@ -1545,8 +1540,8 @@ reconnect:
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ &&
ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
@ -1581,6 +1576,7 @@ exit:
#endif
mbedtls_ssl_session_free( &saved_session );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );

56
programs/ssl/ssl_fork_server.c
View file

@ -103,11 +103,12 @@ int main( void )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
memset( &ssl, 0, sizeof(mbedtls_ssl_context) );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_entropy_init( &entropy );
mbedtls_pk_init( &pkey );
mbedtls_x509_crt_init( &srvcert );
@ -168,6 +169,32 @@ int main( void )
mbedtls_printf( " ok\n" );
/*
* 1b. Prepare SSL configuration
*/
mbedtls_printf( " . Configuring SSL..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
@ -248,28 +275,16 @@ int main( void )
goto exit;
}
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
mbedtls_printf( " ok\n" );
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
/*
* 5. Handshake
*/
@ -278,7 +293,7 @@ int main( void )
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret );
goto exit;
@ -299,7 +314,7 @@ int main( void )
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE )
if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret <= 0 )
@ -349,7 +364,7 @@ int main( void )
goto exit;
}
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto exit;
@ -373,6 +388,7 @@ exit:
mbedtls_x509_crt_free( &srvcert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );

70
programs/ssl/ssl_mail_client.c
View file

@ -177,7 +177,7 @@ static int do_handshake( mbedtls_ssl_context *ssl )
while( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
#if defined(MBEDTLS_ERROR_C)
mbedtls_strerror( ret, (char *) buf, 1024 );
@ -224,7 +224,7 @@ static int write_ssl_data( mbedtls_ssl_context *ssl, unsigned char *buf, size_t
mbedtls_printf("\n%s", buf);
while( len && ( ret = mbedtls_ssl_write( ssl, buf, len ) ) <= 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
return -1;
@ -244,7 +244,7 @@ static int write_ssl_and_get_response( mbedtls_ssl_context *ssl, unsigned char *
mbedtls_printf("\n%s", buf);
while( len && ( ret = mbedtls_ssl_write( ssl, buf, len ) ) <= 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
return -1;
@ -257,7 +257,7 @@ static int write_ssl_and_get_response( mbedtls_ssl_context *ssl, unsigned char *
memset( data, 0, sizeof( data ) );
ret = mbedtls_ssl_read( ssl, data, len );
if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE )
if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY )
@ -355,6 +355,7 @@ int main( int argc, char *argv[] )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
mbedtls_pk_context pkey;
@ -368,6 +369,7 @@ int main( int argc, char *argv[] )
*/
server_fd = 0;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
memset( &buf, 0, sizeof( buf ) );
mbedtls_x509_crt_init( &cacert );
mbedtls_x509_crt_init( &clicert );
@ -582,34 +584,43 @@ int main( int argc, char *argv[] )
mbedtls_printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
#if defined(MBEDTLS_x509_CRT_PARSE_C)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
@ -617,6 +628,10 @@ int main( int argc, char *argv[] )
}
#endif
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
mbedtls_printf( " ok\n" );
if( opt.mode == MODE_SSL_TLS )
{
if( do_handshake( &ssl ) != 0 )
@ -821,6 +836,7 @@ exit:
mbedtls_x509_crt_free( &cacert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );

179
programs/ssl/ssl_pthread_server.c
View file

@ -103,13 +103,7 @@ static void my_mutexed_debug( void *ctx, int level, const char *str )
typedef struct {
int client_fd;
int thread_complete;
mbedtls_entropy_context *entropy;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context *cache;
#endif
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crt *server_cert;
mbedtls_pk_context *server_key;
const mbedtls_ssl_config *config;
} thread_info_t;
typedef struct {
@ -126,93 +120,48 @@ static void *handle_ssl_connection( void *data )
int ret, len;
thread_info_t *thread_info = (thread_info_t *) data;
int client_fd = thread_info->client_fd;
int thread_id = (int) pthread_self();
long int thread_id = (long int) pthread_self();
unsigned char buf[1024];
char pers[50];
mbedtls_ssl_context ssl;
mbedtls_ctr_drbg_context ctr_drbg;
/* Make sure memory references are valid */
mbedtls_ssl_init( &ssl );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_snprintf( pers, sizeof(pers), "SSL Pthread Thread %d", thread_id );
mbedtls_printf( " [ #%d ] Client FD %d\n", thread_id, client_fd );
mbedtls_printf( " [ #%d ] Seeding the random number generator...\n", thread_id );
/* mbedtls_entropy_func() is thread-safe if MBEDTLS_THREADING_C is set
*/
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, thread_info->entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " [ #%d ] failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
mbedtls_printf( " [ #%d ] ok\n", thread_id );
mbedtls_printf( " [ #%ld ] Client FD %d\n", thread_id, client_fd );
/*
* 4. Setup stuff
* 4. Get the SSL context ready
*/
mbedtls_printf( " [ #%d ] Setting up the SSL data....\n", thread_id );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_setup( &ssl, thread_info->config ) ) != 0 )
{
mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_setup returned -0x%04x\n",
mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_setup returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
/* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if
* MBEDTLS_THREADING_C is set.
*/
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, thread_info->cache,
mbedtls_ssl_cache_set, thread_info->cache );
#endif
mbedtls_ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
goto thread_exit;
}
mbedtls_printf( " [ #%d ] ok\n", thread_id );
mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
mbedtls_printf( " [ #%d ] ok\n", thread_id );
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
/*
* 5. Handshake
*/
mbedtls_printf( " [ #%d ] Performing the SSL/TLS handshake\n", thread_id );
mbedtls_printf( " [ #%ld ] Performing the SSL/TLS handshake\n", thread_id );
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_handshake returned -0x%04x\n",
mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_handshake returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
}
mbedtls_printf( " [ #%d ] ok\n", thread_id );
mbedtls_printf( " [ #%ld ] ok\n", thread_id );
/*
* 6. Read the HTTP Request
*/
mbedtls_printf( " [ #%d ] < Read from client\n", thread_id );
mbedtls_printf( " [ #%ld ] < Read from client\n", thread_id );
do
{
@ -220,7 +169,7 @@ static void *handle_ssl_connection( void *data )
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE )
if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret <= 0 )
@ -228,24 +177,24 @@ static void *handle_ssl_connection( void *data )
switch( ret )
{
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf( " [ #%d ] connection was closed gracefully\n",
mbedtls_printf( " [ #%ld ] connection was closed gracefully\n",
thread_id );
goto thread_exit;
case MBEDTLS_ERR_NET_CONN_RESET:
mbedtls_printf( " [ #%d ] connection was reset by peer\n",
mbedtls_printf( " [ #%ld ] connection was reset by peer\n",
thread_id );
goto thread_exit;
default:
mbedtls_printf( " [ #%d ] mbedtls_ssl_read returned -0x%04x\n",
mbedtls_printf( " [ #%ld ] mbedtls_ssl_read returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
}
len = ret;
mbedtls_printf( " [ #%d ] %d bytes read\n=====\n%s\n=====\n",
mbedtls_printf( " [ #%ld ] %d bytes read\n=====\n%s\n=====\n",
thread_id, len, (char *) buf );
if( ret > 0 )
@ -256,7 +205,7 @@ static void *handle_ssl_connection( void *data )
/*
* 7. Write the 200 Response
*/
mbedtls_printf( " [ #%d ] > Write to client:\n", thread_id );
mbedtls_printf( " [ #%ld ] > Write to client:\n", thread_id );
len = sprintf( (char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite( &ssl ) );
@ -265,31 +214,31 @@ static void *handle_ssl_connection( void *data )
{
if( ret == MBEDTLS_ERR_NET_CONN_RESET )
{
mbedtls_printf( " [ #%d ] failed: peer closed the connection\n",
mbedtls_printf( " [ #%ld ] failed: peer closed the connection\n",
thread_id );
goto thread_exit;
}
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_write returned -0x%04x\n",
mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_write returned -0x%04x\n",
thread_id, ret );
goto thread_exit;
}
}
len = ret;
mbedtls_printf( " [ #%d ] %d bytes written\n=====\n%s\n=====\n",
mbedtls_printf( " [ #%ld ] %d bytes written\n=====\n%s\n=====\n",
thread_id, len, (char *) buf );
mbedtls_printf( " [ #%d ] . Closing the connection...", thread_id );
mbedtls_printf( " [ #%ld ] . Closing the connection...", thread_id );
while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ &&
ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_close_notify returned -0x%04x\n",
mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_close_notify returned -0x%04x\n",
thread_id, ret );
goto thread_exit;
}
@ -306,13 +255,12 @@ thread_exit:
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
mbedtls_printf(" [ #%d ] Last error was: -0x%04x - %s\n\n",
mbedtls_printf(" [ #%ld ] Last error was: -0x%04x - %s\n\n",
thread_id, -ret, error_buf );
}
#endif
mbedtls_net_close( client_fd );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_ssl_free( &ssl );
thread_info->thread_complete = 1;
@ -364,9 +312,13 @@ int main( void )
int ret;
int listen_fd;
int client_fd = -1;
const char pers[] = "ssl_pthread_server";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_x509_crt cachain;
mbedtls_pk_context pkey;
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
unsigned char alloc_buf[100000];
@ -381,18 +333,23 @@ int main( void )
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init( &cache );
base_info.cache = &cache;
#endif
mbedtls_x509_crt_init( &srvcert );
mbedtls_x509_crt_init( &cachain );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
memset( threads, 0, sizeof(threads) );
mbedtls_mutex_init( &debug_mutex );
base_info.config = &conf;
/*
* We use only a single entropy source that is used in all the threads.
*/
mbedtls_entropy_init( &entropy );
base_info.entropy = &entropy;
/*
* 1. Load the certificates and private RSA key
@ -400,8 +357,6 @@ int main( void )
mbedtls_printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
mbedtls_x509_crt_init( &srvcert );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use mbedtls_x509_crt_parse_file() to read the
@ -415,7 +370,7 @@ int main( void )
goto exit;
}
ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
ret = mbedtls_x509_crt_parse( &cachain, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len );
if( ret != 0 )
{
@ -432,12 +387,60 @@ int main( void )
goto exit;
}
base_info.ca_chain = srvcert.next;
base_info.server_cert = &srvcert;
base_info.server_key = &pkey;
mbedtls_printf( " ok\n" );
/*
* 1b. Seed the random number generator
*/
mbedtls_printf( " . Seeding the random number generator..." );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
-ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 1c. Prepare SSL configuration
*/
mbedtls_printf( " . Setting up the SSL data...." );
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
{
mbedtls_printf( " failed: mbedtls_ssl_config_defaults returned -0x%04x\n",
-ret );
goto exit;
}
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_mutexed_debug, stdout );
/* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if
* MBEDTLS_THREADING_C is set.
*/
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache( &conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set );
#endif
mbedtls_ssl_conf_ca_chain( &conf, &cachain, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
@ -494,7 +497,9 @@ exit:
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free( &cache );
#endif
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
mbedtls_ssl_config_free( &conf );
mbedtls_mutex_free( &debug_mutex );

45
programs/ssl/ssl_server.c
View file

@ -97,6 +97,7 @@ int main( void )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
#if defined(MBEDTLS_SSL_CACHE_C)
@ -104,6 +105,7 @@ int main( void )
#endif
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init( &cache );
#endif
@ -189,27 +191,33 @@ int main( void )
mbedtls_printf( " . Setting up the SSL data...." );
fflush( stdout );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, &cache,
mbedtls_ssl_cache_set, &cache );
mbedtls_ssl_conf_session_cache( &conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set );
#endif
mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}
@ -244,7 +252,7 @@ reset:
goto exit;
}
mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
mbedtls_printf( " ok\n" );
@ -256,7 +264,7 @@ reset:
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret );
goto reset;
@ -277,7 +285,7 @@ reset:
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE )
if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret <= 0 )
@ -325,7 +333,7 @@ reset:
goto reset;
}
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto exit;
@ -339,8 +347,8 @@ reset:
while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ &&
ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_close_notify returned %d\n\n", ret );
goto reset;
@ -369,6 +377,7 @@ exit:
mbedtls_x509_crt_free( &srvcert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free( &cache );
#endif

186
programs/ssl/ssl_server2.c
View file

@ -409,11 +409,11 @@ static int my_recv( void *ctx, unsigned char *buf, size_t len )
if( first_try )
{
first_try = 0;
return( MBEDTLS_ERR_NET_WANT_READ );
return( MBEDTLS_ERR_SSL_WANT_READ );
}
ret = mbedtls_net_recv( ctx, buf, len );
if( ret != MBEDTLS_ERR_NET_WANT_READ )
if( ret != MBEDTLS_ERR_SSL_WANT_READ )
first_try = 1; /* Next call will be a new operation */
return( ret );
}
@ -426,11 +426,11 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
if( first_try )
{
first_try = 0;
return( MBEDTLS_ERR_NET_WANT_WRITE );
return( MBEDTLS_ERR_SSL_WANT_WRITE );
}
ret = mbedtls_net_send( ctx, buf, len );
if( ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_WRITE )
first_try = 1; /* Next call will be a new operation */
return( ret );
}
@ -547,7 +547,7 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl,
if( name_len == strlen( cur->name ) &&
memcmp( name, cur->name, name_len ) == 0 )
{
return( mbedtls_ssl_set_own_cert( ssl, cur->cert, cur->key ) );
return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) );
}
cur = cur->next;
@ -678,8 +678,7 @@ int psk_callback( void *p_info, mbedtls_ssl_context *ssl,
if( name_len == strlen( cur->name ) &&
memcmp( name, cur->name, name_len ) == 0 )
{
return( mbedtls_ssl_set_psk( ssl, cur->key, cur->key_len,
name, name_len ) );
return( mbedtls_ssl_set_hs_psk( ssl, cur->key, cur->key_len ) );
}
cur = cur->next;
@ -722,6 +721,7 @@ int main( int argc, char *argv[] )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
#if defined(MBEDTLS_SSL_RENEGOTIATION)
unsigned char renego_period[8] = { 0 };
#endif
@ -762,6 +762,7 @@ int main( int argc, char *argv[] )
*/
listen_fd = 0;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &cacert );
@ -1518,61 +1519,56 @@ int main( int argc, char *argv[] )
mbedtls_printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
opt.transport ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
goto exit;
}
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_set_authmode( &ssl, opt.auth_mode );
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 )
{
mbedtls_printf( " failed\n ! selected transport is not available\n" );
goto exit;
}
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max );
mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
if( ( ret = mbedtls_ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_max_frag_len returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret );
goto exit;
};
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
mbedtls_ssl_set_truncated_hmac( &ssl, opt.trunc_hmac );
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
if( opt.extended_ms != DFL_EXTENDED_MS )
mbedtls_ssl_set_extended_master_secret( &ssl, opt.extended_ms );
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if( opt.etm != DFL_ETM )
mbedtls_ssl_set_encrypt_then_mac( &ssl, opt.etm );
mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm );
#endif
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
if( ( ret = mbedtls_ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_alpn_protocols returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret );
goto exit;
}
#endif
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
#if defined(MBEDTLS_SSL_CACHE_C)
if( opt.cache_max != -1 )
@ -1581,19 +1577,20 @@ int main( int argc, char *argv[] )
if( opt.cache_timeout != -1 )
mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout );
mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, &cache,
mbedtls_ssl_cache_set, &cache );
mbedtls_ssl_conf_session_cache( &conf, &cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set );
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if( ( ret = mbedtls_ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_session_tickets returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session_tickets returned %d\n\n", ret );
goto exit;
}
if( opt.ticket_timeout != -1 )
mbedtls_ssl_set_session_ticket_lifetime( &ssl, opt.ticket_timeout );
mbedtls_ssl_conf_session_ticket_lifetime( &conf, opt.ticket_timeout );
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@ -1609,7 +1606,7 @@ int main( int argc, char *argv[] )
goto exit;
}
mbedtls_ssl_set_dtls_cookies( &ssl, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
&cookie_ctx );
}
else
@ -1617,7 +1614,7 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if( opt.cookies == 0 )
{
mbedtls_ssl_set_dtls_cookies( &ssl, NULL, NULL, NULL );
mbedtls_ssl_conf_dtls_cookies( &conf, NULL, NULL, NULL );
}
else
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
@ -1627,50 +1624,50 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
if( opt.anti_replay != DFL_ANTI_REPLAY )
mbedtls_ssl_set_dtls_anti_replay( &ssl, opt.anti_replay );
mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay );
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
if( opt.badmac_limit != DFL_BADMAC_LIMIT )
mbedtls_ssl_set_dtls_badmac_limit( &ssl, opt.badmac_limit );
mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit );
#endif
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
if( opt.arc4 != DFL_ARC4 )
mbedtls_ssl_set_arc4_support( &ssl, opt.arc4 );
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
if( opt.version_suites != NULL )
{
mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[0],
mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[0],
MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_0 );
mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[1],
mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[1],
MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1 );
mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[2],
mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[2],
MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_2 );
mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[3],
mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[3],
MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_3 );
}
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_set_renegotiation( &ssl, opt.renegotiation );
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
if( opt.renego_delay != DFL_RENEGO_DELAY )
mbedtls_ssl_set_renegotiation_enforced( &ssl, opt.renego_delay );
mbedtls_ssl_conf_renegotiation_enforced( &conf, opt.renego_delay );
if( opt.renego_period != DFL_RENEGO_PERIOD )
{
renego_period[7] = opt.renego_period;
mbedtls_ssl_set_renegotiation_period( &ssl, renego_period );
mbedtls_ssl_conf_renegotiation_period( &conf, renego_period );
}
#endif
@ -1678,42 +1675,42 @@ int main( int argc, char *argv[] )
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
}
if( key_cert_init )
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
if( key_cert_init2 )
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert2, &pkey2 ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, &pkey2 ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(SNI_OPTION)
if( opt.sni != NULL )
mbedtls_ssl_set_sni( &ssl, sni_callback, sni_info );
mbedtls_ssl_conf_sni( &conf, sni_callback, sni_info );
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 )
{
ret = mbedtls_ssl_set_psk( &ssl, psk, psk_len,
ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
(const unsigned char *) opt.psk_identity,
strlen( opt.psk_identity ) );
if( ret != 0 )
{
mbedtls_printf( " failed\n mbedtls_ssl_set_psk returned -0x%04X\n\n", - ret );
mbedtls_printf( " failed\n mbedtls_ssl_conf_psk returned -0x%04X\n\n", - ret );
goto exit;
}
}
if( opt.psk_list != NULL )
mbedtls_ssl_set_psk_cb( &ssl, psk_callback, psk_info );
mbedtls_ssl_conf_psk_cb( &conf, psk_callback, psk_info );
#endif
#if defined(MBEDTLS_DHM_C)
@ -1722,39 +1719,38 @@ int main( int argc, char *argv[] )
*/
#if defined(MBEDTLS_FS_IO)
if( opt.dhm_file != NULL )
ret = mbedtls_ssl_set_dh_param_ctx( &ssl, &dhm );
else
ret = mbedtls_ssl_conf_dh_param_ctx( &conf, &dhm );
#endif
ret = mbedtls_ssl_set_dh_param( &ssl, MBEDTLS_DHM_RFC5114_MODP_2048_P,
MBEDTLS_DHM_RFC5114_MODP_2048_G );
if( ret != 0 )
{
mbedtls_printf( " failed\n mbedtls_ssl_set_dh_param returned -0x%04X\n\n", - ret );
mbedtls_printf( " failed\n mbedtls_ssl_conf_dh_param returned -0x%04X\n\n", - ret );
goto exit;
}
#endif
if( opt.min_version != DFL_MIN_VERSION )
{
ret = mbedtls_ssl_set_min_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! selected min_version is not available\n" );
goto exit;
}
}
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
if( opt.max_version != DFL_MIN_VERSION )
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
ret = mbedtls_ssl_set_max_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! selected max_version is not available\n" );
goto exit;
}
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
goto exit;
}
if( opt.nbio == 2 )
mbedtls_ssl_set_bio( &ssl, &client_fd, my_send, my_recv, NULL );
else
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv,
#if defined(MBEDTLS_HAVE_TIME)
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL
#else
NULL
#endif
);
mbedtls_printf( " ok\n" );
reset:
@ -1814,16 +1810,7 @@ reset:
goto exit;
}
if( opt.nbio == 2 )
mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, my_send, my_recv, NULL, 0 );
else
mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv,
#if defined(MBEDTLS_HAVE_TIME)
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL,
#else
NULL,
#endif
opt.read_timeout );
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
@ -1832,7 +1819,7 @@ reset:
sizeof( client_ip ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! "
"ssl_set_client_tranport_id() returned -0x%x\n\n", -ret );
"ssl_set_client_transport_id() returned -0x%x\n\n", -ret );
goto exit;
}
}
@ -1869,8 +1856,8 @@ reset:
fflush( stdout );
do ret = mbedtls_ssl_handshake( &ssl );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
{
@ -1954,8 +1941,8 @@ data_exchange:
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE )
if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret <= 0 )
@ -2045,8 +2032,8 @@ data_exchange:
memset( buf, 0, sizeof( buf ) );
do ret = mbedtls_ssl_read( &ssl, buf, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret <= 0 )
{
@ -2081,8 +2068,8 @@ data_exchange:
while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ &&
ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
goto reset;
@ -2115,8 +2102,8 @@ data_exchange:
goto reset;
}
if( ret != MBEDTLS_ERR_NET_WANT_READ &&
ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto reset;
@ -2127,8 +2114,8 @@ data_exchange:
else /* Not stream, so datagram */
{
do ret = mbedtls_ssl_write( &ssl, buf, len );
while( ret == MBEDTLS_ERR_NET_WANT_READ ||
ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
if( ret < 0 )
{
@ -2158,7 +2145,7 @@ close_notify:
/* No error checking, the connection might be closed already */
do ret = mbedtls_ssl_close_notify( &ssl );
while( ret == MBEDTLS_ERR_NET_WANT_WRITE );
while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
ret = 0;
mbedtls_printf( " done\n" );
@ -2205,6 +2192,7 @@ exit:
#endif
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );

55
programs/x509/cert_app.c
View file

@ -146,6 +146,7 @@ int main( int argc, char *argv[] )
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
mbedtls_x509_crl cacrl;
@ -161,6 +162,7 @@ int main( int argc, char *argv[] )
server_fd = 0;
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &cacert );
mbedtls_x509_crt_init( &clicert );
#if defined(MBEDTLS_X509_CRL_PARSE_C)
@ -372,7 +374,7 @@ int main( int argc, char *argv[] )
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
goto ssl_exit;
}
mbedtls_printf( " ok\n" );
@ -388,56 +390,61 @@ int main( int argc, char *argv[] )
opt.server_port, MBEDTLS_NET_PROTO_TCP ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_net_connect returned %d\n\n", ret );
goto exit;
goto ssl_exit;
}
/*
* 3. Setup stuff
*/
if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 )
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
if( verify )
{
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_REQUIRED );
mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
mbedtls_ssl_set_verify( &ssl, my_verify, NULL );
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
}
else
mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &ssl, my_debug, stdout );
mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
goto exit;
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto ssl_exit;
}
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto ssl_exit;
}
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
goto ssl_exit;
}
#endif
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
/*
* 4. Handshake
*/
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE )
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret );
mbedtls_ssl_free( &ssl );
goto exit;
goto ssl_exit;
}
}
@ -452,14 +459,16 @@ int main( int argc, char *argv[] )
if( ret == -1 )
{
mbedtls_printf( " failed\n ! mbedtls_x509_crt_info returned %d\n\n", ret );
mbedtls_ssl_free( &ssl );
goto exit;
goto ssl_exit;
}
mbedtls_printf( "%s\n", buf );
mbedtls_ssl_close_notify( &ssl );
ssl_exit:
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
else
goto usage;

80
scripts/data_files/rename-1.3-2.0.txt
View file

@ -546,10 +546,10 @@ POLARSSL_ERR_NET_LISTEN_FAILED MBEDTLS_ERR_NET_LISTEN_FAILED
POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED
POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED
POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED
POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_NET_TIMEOUT
POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT
POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST
POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_NET_WANT_READ
POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_NET_WANT_WRITE
POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ
POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
@ -1969,7 +1969,7 @@ ssl_hw_record_reset mbedtls_ssl_hw_record_reset
ssl_hw_record_write mbedtls_ssl_hw_record_write
ssl_init mbedtls_ssl_init
ssl_key_cert mbedtls_ssl_key_cert
ssl_legacy_renegotiation mbedtls_ssl_legacy_renegotiation
ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation
ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites
ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash
ssl_optimize_checksum mbedtls_ssl_optimize_checksum
@ -1997,49 +1997,49 @@ ssl_session mbedtls_ssl_session
ssl_session_free mbedtls_ssl_session_free
ssl_session_init mbedtls_ssl_session_init
ssl_session_reset mbedtls_ssl_session_reset
ssl_set_alpn_protocols mbedtls_ssl_set_alpn_protocols
ssl_set_arc4_support mbedtls_ssl_set_arc4_support
ssl_set_authmode mbedtls_ssl_set_authmode
ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols
ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
ssl_set_authmode mbedtls_ssl_conf_authmode
ssl_set_bio mbedtls_ssl_set_bio
ssl_set_bio_timeout mbedtls_ssl_set_bio_timeout
ssl_set_ca_chain mbedtls_ssl_set_ca_chain
ssl_set_cbc_record_splitting mbedtls_ssl_set_cbc_record_splitting
ssl_set_ciphersuites mbedtls_ssl_set_ciphersuites
ssl_set_ciphersuites_for_version mbedtls_ssl_set_ciphersuites_for_version
ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version
ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
ssl_set_curves mbedtls_ssl_set_curves
ssl_set_dbg mbedtls_ssl_set_dbg
ssl_set_dh_param mbedtls_ssl_set_dh_param
ssl_set_dh_param_ctx mbedtls_ssl_set_dh_param_ctx
ssl_set_dtls_anti_replay mbedtls_ssl_set_dtls_anti_replay
ssl_set_dtls_badmac_limit mbedtls_ssl_set_dtls_badmac_limit
ssl_set_dtls_cookies mbedtls_ssl_set_dtls_cookies
ssl_set_encrypt_then_mac mbedtls_ssl_set_encrypt_then_mac
ssl_set_endpoint mbedtls_ssl_set_endpoint
ssl_set_extended_master_secret mbedtls_ssl_set_extended_master_secret
ssl_set_fallback mbedtls_ssl_set_fallback
ssl_set_handshake_timeout mbedtls_ssl_set_handshake_timeout
ssl_set_curves mbedtls_ssl_conf_curves
ssl_set_dbg mbedtls_ssl_conf_dbg
ssl_set_dh_param mbedtls_ssl_conf_dh_param
ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies
ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac
ssl_set_endpoint mbedtls_ssl_conf_endpoint
ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret
ssl_set_fallback mbedtls_ssl_conf_fallback
ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout
ssl_set_hostname mbedtls_ssl_set_hostname
ssl_set_max_frag_len mbedtls_ssl_set_max_frag_len
ssl_set_max_version mbedtls_ssl_set_max_version
ssl_set_min_version mbedtls_ssl_set_min_version
ssl_set_own_cert mbedtls_ssl_set_own_cert
ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len
ssl_set_max_version mbedtls_ssl_conf_max_version
ssl_set_min_version mbedtls_ssl_conf_min_version
ssl_set_own_cert mbedtls_ssl_conf_own_cert
ssl_set_own_cert_alt mbedtls_ssl_set_own_cert_alt
ssl_set_own_cert_rsa mbedtls_ssl_set_own_cert_rsa
ssl_set_psk mbedtls_ssl_set_psk
ssl_set_psk_cb mbedtls_ssl_set_psk_cb
ssl_set_renegotiation mbedtls_ssl_set_renegotiation
ssl_set_renegotiation_enforced mbedtls_ssl_set_renegotiation_enforced
ssl_set_renegotiation_period mbedtls_ssl_set_renegotiation_period
ssl_set_rng mbedtls_ssl_set_rng
ssl_set_psk mbedtls_ssl_conf_psk
ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced
ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period
ssl_set_rng mbedtls_ssl_conf_rng
ssl_set_session mbedtls_ssl_set_session
ssl_set_session_cache mbedtls_ssl_set_session_cache
ssl_set_session_ticket_lifetime mbedtls_ssl_set_session_ticket_lifetime
ssl_set_session_tickets mbedtls_ssl_set_session_tickets
ssl_set_sni mbedtls_ssl_set_sni
ssl_set_transport mbedtls_ssl_set_transport
ssl_set_truncated_hmac mbedtls_ssl_set_truncated_hmac
ssl_set_verify mbedtls_ssl_set_verify
ssl_set_session_cache mbedtls_ssl_conf_session_cache
ssl_set_session_ticket_lifetime mbedtls_ssl_conf_session_ticket_lifetime
ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
ssl_set_sni mbedtls_ssl_conf_sni
ssl_set_transport mbedtls_ssl_conf_transport
ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac
ssl_set_verify mbedtls_ssl_conf_verify
ssl_sig_from_pk mbedtls_ssl_sig_from_pk
ssl_states mbedtls_ssl_states
ssl_ticket_keys mbedtls_ssl_ticket_keys

6
tests/ssl-opt.sh
View file

@ -626,8 +626,8 @@ run_test "Truncated HMAC: client enabled, server default" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \
0 \
-S "dumping 'computed mac' (20 bytes)" \
-s "dumping 'computed mac' (10 bytes)"
-s "dumping 'computed mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server disabled" \
"$P_SRV debug_level=4 trunc_hmac=0" \
@ -1044,7 +1044,7 @@ run_test "Session resume using cache: cache_max=1" \
-s "a session has been resumed" \
-c "a session has been resumed"
run_test "Session resume using cache: timemout > delay" \
run_test "Session resume using cache: timeout > delay" \
"$P_SRV debug_level=3 tickets=0" \
"$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
0 \

57
tests/suites/test_suite_debug.function
View file

@ -34,20 +34,28 @@ void debug_print_msg_threshold( int threshold, int level, char *file, int line,
char *result_str )
{
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
struct buffer_data buffer;
memset( &ssl, 0, sizeof( mbedtls_ssl_context ) );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_debug_set_log_mode( MBEDTLS_DEBUG_LOG_FULL );
mbedtls_debug_set_threshold( threshold );
mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer);
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
mbedtls_debug_print_msg( &ssl, level, file, line,
mbedtls_debug_fmt("Text message, 2 == %d", 2 ) );
TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
exit:
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
@ -56,18 +64,26 @@ void mbedtls_debug_print_ret( int mode, char *file, int line, char *text, int va
char *result_str )
{
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
struct buffer_data buffer;
memset( &ssl, 0, sizeof( mbedtls_ssl_context ) );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_debug_set_log_mode( mode );
mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer);
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
mbedtls_debug_print_ret( &ssl, 0, file, line, text, value);
TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
exit:
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
@ -77,22 +93,30 @@ void mbedtls_debug_print_buf( int mode, char *file, int line, char *text,
{
unsigned char data[10000];
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
struct buffer_data buffer;
size_t data_len;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
memset( &data, 0, sizeof( data ) );
memset( &ssl, 0, sizeof( mbedtls_ssl_context ) );
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
data_len = unhexify( data, data_string );
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_debug_set_log_mode( mode );
mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer);
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
mbedtls_debug_print_buf( &ssl, 0, file, line, text, data, data_len );
TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
exit:
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
@ -102,15 +126,19 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line,
{
mbedtls_x509_crt crt;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
struct buffer_data buffer;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &crt );
memset( &ssl, 0, sizeof( mbedtls_ssl_context ) );
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_debug_set_log_mode( mode );
mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer);
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
mbedtls_debug_print_crt( &ssl, 0, file, line, prefix, &crt);
@ -119,6 +147,8 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line,
exit:
mbedtls_x509_crt_free( &crt );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
@ -127,19 +157,22 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int
char *prefix, char *result_str )
{
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
struct buffer_data buffer;
mbedtls_mpi val;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_mpi_init( &val );
memset( &ssl, 0, sizeof( mbedtls_ssl_context ) );
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 );
mbedtls_debug_set_log_mode( mode );
mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer);
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
mbedtls_debug_print_mpi( &ssl, 0, file, line, prefix, &val);
@ -147,5 +180,7 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int
exit:
mbedtls_mpi_free( &val );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */

9
tests/suites/test_suite_ssl.function
View file

@ -11,12 +11,16 @@
void ssl_dtls_replay( char *prevs, char *new, int ret )
{
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
char *end_prevs = prevs + strlen( prevs ) + 1;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 );
TEST_ASSERT( mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 );
TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 );
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
/* Read previous record numbers */
for( ; end_prevs - prevs >= 13; prevs += 13 )
@ -31,5 +35,6 @@ void ssl_dtls_replay( char *prevs, char *new, int ret )
TEST_ASSERT( mbedtls_ssl_dtls_replay_check( &ssl ) == ret );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */