* development:
Bump yotta patch version
Merging iotssl-457-badtail with development branch
Moe top-level Readme to markdown
Changelog entry fro the previous commit
Add NULL checks to top-level SSL functions
Skip to trusted certs early in the chain
Add tests for verify callback
Improve mbedtls_ssl_write() documentation
Add mbedtls_ssl_get_max_frag_len()
Print "thread ID" in debug messages
Only use -Wshadow with GCC 4.8 or higher
Fix error reporting in pkey/pk_* programs
Fix more comments/outputs in verify programs
Fix hash buffer size in pkey programs
Change default RSA key size in rsa_genkey
Fix comments about filenames in some programs
Fix memory corruption in rsa sign/verify programs
Fix warning with MD/SHA ALT implementation
Fix handling of long PSK identities
Fix -Wshadow warnings
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
This is not required nor recommended by the protocol, and it's a layering
violation, but it's a know flaw in the protocol that you can't detect a PSK
auth error in any other way, so it is probably the right thing to do.
closes#227
We document that either of recv or recv_timeout may be NULL, but for TLS we
always used recv... Thanks Coverity for catching that.
(Not remotely trigerrable: local configuration.)
Also made me notice net_recv_timeout didn't do its job properly.
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
- DTLS_HELLO_VERIFY no longer depends on SRV_C
- SSL_COOKIE_C no longer depends on DTLS_HELLO_VERIFY
Not that much work for us, and easier on users (esp. since it allows just
disabling SRV_C alone).
- Only the server needs to generate/parse tickets
- Only the client needs to store them
Also adjust prototype of ssl_conf_session_tickets() while at it.
