Commit graph

3995 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 655a964539 Adapt check_key_usage to new weird bits 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard 9a702255f4 Add parsing/printing for new X.509 keyUsage flags 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard b80d16d171 Fix return convention of x509_wildcard_verify() 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard 07894338a0 Rename M255 to Curve25519 2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard 7320eb46d4 Remove references to some Montgomery curves
After all it looks like those won't become standard.
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard 9386664543 Move from inttypes.h to stdint.h
Some toolchains do not have inttypes.h, and we only need stdint.h which is a
subset of it.
2015-06-22 23:41:26 +02:00
Manuel Pégourié-Gonnard e7e89844d6 Fix and document corner-cases of time checking 2015-06-22 23:41:24 +02:00
Manuel Pégourié-Gonnard 57e10d71be Fix potential NULL dereference.
Introduced when moving from gmtime_r() to gmtime().
Found with fbinfer.
2015-06-22 23:40:44 +02:00
Manuel Pégourié-Gonnard e91e21cf1b Simplify code in test suites
Hopefully makes it easier on static analyzers
2015-06-22 18:47:07 +02:00
Manuel Pégourié-Gonnard f9b85d96a9 Fix potential resource leak in X.509 parse dir
Found with fbinfer.
2015-06-22 18:39:57 +02:00
Manuel Pégourié-Gonnard bcf13bab5d Fix issue with MemSan and entropy
Due to the recent change about entropy sources strength, it is no longer
acceptable to just disable the platform source. So, instead "fix" it so that
it is clear to MemSan that memory is initialized.

I tried __attribute__((no_sanitize_memory)) and MemSan's blacklist file, but
couldn't seem to get them to work.
2015-06-22 18:25:41 +02:00
Manuel Pégourié-Gonnard 96aba64e13 Merge branch 'set_hs' into development
* set_hs:
  Add tests for mbedtls_set_hs_ca_chain()
  Add tests for mbedtls_ssl_set_hs_authmode()
  Add support for SNI CA and authmode in ssl_server2
  Add mbedtls_ssl_set_hs_authmode
2015-06-22 18:20:56 +02:00
Manuel Pégourié-Gonnard 6ea831dcf4 Add tests for mbedtls_set_hs_ca_chain() 2015-06-22 17:30:18 +02:00
Manuel Pégourié-Gonnard c948a798bd Add tests for mbedtls_ssl_set_hs_authmode() 2015-06-22 16:04:20 +02:00
Manuel Pégourié-Gonnard 4d6f178376 Add support for SNI CA and authmode in ssl_server2 2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard cdc26ae099 Add mbedtls_ssl_set_hs_authmode
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
  the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
2015-06-22 14:52:40 +02:00
Manuel Pégourié-Gonnard a752d8780c Merge branch 'snprintf' into development
* snprintf:
  Rationalize other snprintf() uses
  Rationalize snprintf() usage in X.509 modules
  Add tests for snprintf
  Include fixed snprintf for Windows in platform.c
2015-06-22 14:51:28 +02:00
Manuel Pégourié-Gonnard 9dbaf400ef Rationalize other snprintf() uses 2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard 1685368408 Rationalize snprintf() usage in X.509 modules 2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard 7b6dcbe993 Add tests for snprintf
- Added in each tests program to be sure they are run (putting them in a test
  suite/function specific to the platform layer would cause them to be skipped
when PLATFORM_C is not defined).
- Platforms have already moved from a standard to a broken snprintf in the
  past [1], so make sure to catch that if it ever happens again.

[1]: http://sourceforge.net/p/mingw-w64/mailman/message/31241434/
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard 6c0c8e0d3d Include fixed snprintf for Windows in platform.c
Use _WIN32 to detect it rather that _MSC_VER as it turns out MSYS2 uses the
broken MS version by default too.
2015-06-22 14:42:04 +02:00
Manuel Pégourié-Gonnard bbc60db221 Adjustments for armcc in all.sh
- no HAVE_TIME -> no HAVE_TIME_DATE
- check if --help works, so that the test is cleanly skipped if license server
  cannot be reached
2015-06-22 14:41:37 +02:00
Manuel Pégourié-Gonnard 8ba88f0460 Fix stupid typo in documentation 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard f9cbd73191 Update generated files 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard d5f38b045d Fix dependencies on time on x509 test suite 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard 7580ba475d Add a concept of entropy source strength.
The main goal is, we want and error if cycle counter is the only source.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard 3f77dfbd52 Add MBEDTLS_ENTROPY_HARDWARE_ALT
Makes it easier for an external module to plug its hardware entropy collector.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard bf82ff0209 Fix entropy thresholds 2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard 60c793bdc9 Split HAVE_TIME into HAVE_TIME + HAVE_TIME_DATE
First one means we have time() but it may not return the actual wall clock
time, second means it does.
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard 6195767554 Fix default of openssl s_server
openssl s_server up to 1.0.2.a included uses a 512-bit prime for DH by
default. Since we now require 1024 bit at least, make s_server use decent
params. (1.0.2b and up use acceptable params by default.)
2015-06-22 14:40:55 +02:00
Manuel Pégourié-Gonnard c0696c216b Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen 2015-06-18 16:49:37 +02:00
Manuel Pégourié-Gonnard 097c7bb05b Rename relevant global symbols from size to bitlen
Just applying rename.pl with this file:

mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
2015-06-18 16:43:38 +02:00
Manuel Pégourié-Gonnard fb317c5221 Rename parameter in a x509 helper 2015-06-18 16:41:13 +02:00
Manuel Pégourié-Gonnard 39a48f4934 Internal renamings in PK
+ an unrelated comment in SSL
2015-06-18 16:06:55 +02:00
Manuel Pégourié-Gonnard 12ad798c87 Rename ssl_session.length to id_len 2015-06-18 15:50:37 +02:00
Manuel Pégourié-Gonnard 797f48ace6 Rename ecp_curve_info.size to bit_size 2015-06-18 15:45:05 +02:00
Manuel Pégourié-Gonnard 898e0aa210 Rename key_length in cipher_info 2015-06-18 15:31:10 +02:00
Manuel Pégourié-Gonnard b8186a5e54 Rename len to bitlen in function parameters
Clarify a few comments too.
2015-06-18 14:58:58 +02:00
Manuel Pégourié-Gonnard 6934afa234 Merge branch 'profiles' into development
* profiles:
  Update Changelog for the profiles branch
  Add SSL presets.
  Implement sig_hashes
  Create API for mbedtls_ssl_conf_sig_hashes().
  Small internal changes in curve checking
  Extra check in verify_with_profile()
  Clarify a point in the documentation
  Fix define for ssl_conf_curves()
  Add mbedtls_ssl_conf_cert_profile()
  Implement cert profile checking
  Change data structure of profiles to bitfields
  Add pre-defined profiles for cert verification
  Create cert profile API (unimplemented yet)
  Remove duplicated tests for x509_verify_info()
  Add tests for dhm_min_bitlen
  Add dhmlen option in ssl_client2.c
  Add ssl_conf_dhm_min_bitlen()
2015-06-17 15:49:36 +02:00
Manuel Pégourié-Gonnard 88d37859b6 Update Changelog for the profiles branch 2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard b31c5f68b1 Add SSL presets.
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
2015-06-17 14:59:27 +02:00
Manuel Pégourié-Gonnard 7bfc122703 Implement sig_hashes 2015-06-17 14:34:48 +02:00
Manuel Pégourié-Gonnard 36a8b575a9 Create API for mbedtls_ssl_conf_sig_hashes().
Not implemented yet.
2015-06-17 14:27:39 +02:00
Manuel Pégourié-Gonnard 9d412d872c Small internal changes in curve checking
- switch from is_acceptable to the more usual check
- add NULL check just in case user screwed up config
2015-06-17 14:27:39 +02:00
Manuel Pégourié-Gonnard a83e4e2bf5 Extra check in verify_with_profile()
This could happen if someone doesn't set the SSL configuration properly. In
that case we don't want to segfault...
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard 27716cc1da Clarify a point in the documentation 2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard b541da6ef3 Fix define for ssl_conf_curves()
This is a security feature, it shouldn't be optional.
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard 6e3ee3ad43 Add mbedtls_ssl_conf_cert_profile() 2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard cbb1f6e5cb Implement cert profile checking 2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard f8ea856296 Change data structure of profiles to bitfields
- allows to express 'none' or 'all' more easily than lists
- more compact and easier to declare statically
- easier to check too

Only drawback: if we ever have more than 32 curves, we'll need an ABI change to
make that field a uint64_t.
2015-06-17 14:27:38 +02:00