* development:
Bump yotta patch version
Merging iotssl-457-badtail with development branch
Move top-level Readme to markdown
Changelog entry for the previous commit
Add NULL checks to top-level SSL functions
Skip to trusted certs early in the chain
Add tests for verify callback
Improve mbedtls_ssl_write() documentation
Add mbedtls_ssl_get_max_frag_len()
Print "thread ID" in debug messages
Only use -Wshadow with GCC 4.8 or higher
Fix error reporting in pkey/pk_* programs
Fix more comments/outputs in verify programs
Fix hash buffer size in pkey programs
Change default RSA key size in rsa_genkey
Fix comments about filenames in some programs
Fix memory corruption in rsa sign/verify programs
Fix warning with MD/SHA ALT implementation
Fix handling of long PSK identities
Fix -Wshadow warnings
This helps in the case where an intermediate certificate is directly trusted.
In that case we want to ignore what comes after it in the chain, not only for
performance but also to avoid false negatives (e.g. an old root being no longer
trusted while the newer intermediate is directly trusted).
closes #220
Assume we have two trusted CAs with the same name, the first uses ECDSA 256
bits, the second RSA 2048; cert is signed by the second. If we do the keysize
check before we checked the key types match, we'll raise the badkey flags when
checking the EC-256 CA and it will remain up even when we finally find the
correct CA. So, move the check for the key size after signature verification,
which implicitly checks the key type.
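
Added example, not part of the commit message and not mbed TLS code: a simplified C model of the check-ordering problem described above, run with the size check before and after signature verification. The types, flag names, size policy and sample CAs are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model (assumption): these are not mbed TLS types or functions. */
enum key_type { KEY_ECDSA, KEY_RSA };
#define FLAG_BAD_KEY     0x1u
#define FLAG_NOT_TRUSTED 0x2u
struct ca   { const char *name; enum key_type type; unsigned bits; int key_id; };
struct cert { const char *issuer; enum key_type sig_type; int signer_key_id; };

/* Minimum size is judged by the child's signature type (assumed policy). */
static int size_ok(enum key_type sig_type, unsigned bits)
{
    return bits >= (sig_type == KEY_RSA ? 2048u : 256u);
}
/* Stand-in for signature verification; it fails on a key-type mismatch. */
static int sig_ok(const struct cert *c, const struct ca *ca)
{
    return ca->type == c->sig_type && ca->key_id == c->signer_key_id;
}
/* size_check_first != 0 reproduces the order the message describes as wrong. */
static uint32_t verify_top(const struct cert *c, const struct ca *cas,
                           size_t n, int size_check_first)
{
    uint32_t flags = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(c->issuer, cas[i].name) != 0)
            continue;
        if (size_check_first && !size_ok(c->sig_type, cas[i].bits))
            flags |= FLAG_BAD_KEY;   /* set even if this CA is not the signer */
        if (!sig_ok(c, &cas[i]))
            continue;
        if (!size_check_first && !size_ok(c->sig_type, cas[i].bits))
            flags |= FLAG_BAD_KEY;   /* only the verified signer is judged */
        return flags;
    }
    return flags | FLAG_NOT_TRUSTED;
}

/* Constructed sample data: two trusted CAs with the same name. */
static const struct ca trusted[] = { { "Example CA", KEY_ECDSA, 256, 1 },
                                     { "Example CA", KEY_RSA, 2048, 2 } };
static const struct cert leaf = { "Example CA", KEY_RSA, 2 };

int main(void)
{
    printf("size check first: 0x%x\n", (unsigned)verify_top(&leaf, trusted, 2, 1));
    printf("size check after signature: 0x%x\n", (unsigned)verify_top(&leaf, trusted, 2, 0));
    return 0;
}
```

With the size check first, the bad-key flag set while examining the EC-256 CA survives to the final result; with the check after signature verification, a genuinely undersized signer is still flagged.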
Just applying rename.pl with this file:
mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
- allows expressing 'none' or 'all' more easily than lists
- more compact and easier to declare statically
- easier to check too
Only drawback: if we ever have more than 32 curves, we'll need an ABI change to
make that field a uint64_t.
* mbedtls-1.3:
Mark unused constant as such
Update ChangeLog for recent external bugfix
Serious bug fix in entropy.c
Fix memleak with repeated [gc]cm_setkey()
fix minor bug in path_cnt checks
Conflicts:
include/mbedtls/cipher.h
library/ccm.c
library/entropy.c
library/gcm.c
library/x509_crt.c
If the top certificate occurs twice in trust_ca (for example) it would
not be good for the second instance to be checked with check_path_cnt
reduced twice!
- more freedom for us to change it in the future
- enforces hygiene
- performance impact of making accessors no longer inline should really be
negligible