
Merge commit 'd7e2483' into dtls

* commit 'd7e2483': (57 commits)
  Skip signature_algorithms ext if PSK only
  Fix bug in ssl_client2 reconnect option
  Cosmetics in ssl_server2
  Improve debugging message.
  Fix net_usleep for durations greater than 1 second
  Use pk_load_file() in X509
  Create ticket keys only if enabled
  Fix typo in #ifdef
  Clarify documentation a bit
  Fix comment on resumption
  Update comment from draft to RFC
  Use more #ifdef's on CLI_C and SRV_C in ssl_tls.c
  Add recursion.pl to all.sh
  Allow x509_crt_verify_child() in recursion.pl
  Set a compile-time limit to X.509 chain length
  Fix 3DES -> DES in all.sh (+ time estimates)
  Add curves.pl to all.sh
  Rework all.sh to use MSan instead of valgrind
  Fix depends on individual curves in tests
  Add script to test depends on individual curves
  ...

Conflicts:
	CMakeLists.txt
	programs/ssl/ssl_client2.c
Manuel Pégourié-Gonnard
2015-01-20 16:45:20 +00:00
56 changed files with 1279 additions and 365 deletions


@ -781,6 +781,18 @@
*/
#define POLARSSL_SELF_TEST
/**
* \def POLARSSL_SSL_AEAD_RANDOM_IV
*
* Generate a random IV rather than using the record sequence number as a
* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
*
* Using the sequence number is generally recommended.
*
* Uncomment this macro to always use random IVs with AEAD ciphersuites.
*/
//#define POLARSSL_SSL_AEAD_RANDOM_IV
/**
* \def POLARSSL_SSL_ALL_ALERT_MESSAGES
*
@ -974,8 +986,7 @@
/**
* \def POLARSSL_SSL_ALPN
*
* Enable support for Application Layer Protocol Negotiation.
* draft-ietf-tls-applayerprotoneg-05
* Enable support for RFC 7301 Application Layer Protocol Negotiation.
*
* Comment this macro to disable support for ALPN.
*/
@ -2306,6 +2317,9 @@
/* Debug options */
//#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
/* X509 options */
//#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
/* \} name SECTION: Module configuration options */
#include "check_config.h"
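Review bot: The new POLARSSL_SSL_AEAD_RANDOM_IV description states that the sequence number is recommended but not why, and that reason is what a reader deciding whether to enable the option needs: a GCM or CCM nonce must never repeat under one key, the record sequence number is unique by construction, whereas a randomly generated explicit nonce is unique only with high probability and the collision risk grows with the number of records sent under the same key. Suggested line after "Using the sequence number is generally recommended.": ` * Nonce reuse under one key breaks GCM and CCM; the sequence number cannot repeat, a random IV only probably does not.` The same block has a typo, `ciphersuites using and AEAD algorithm` should read `ciphersuites using an AEAD algorithm`.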


@ -413,6 +413,8 @@ int ecp_point_read_binary( const ecp_group *grp, ecp_point *P,
* \param buf $(Start of input buffer)
* \param len Buffer length
*
* \note buf is updated to point right after the ECPoint on exit
*
* \return O if successful,
* POLARSSL_ERR_MPI_XXX if initialization failed
* POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid
@ -479,6 +481,8 @@ int ecp_use_known_dp( ecp_group *grp, ecp_group_id index );
* \param buf &(Start of input buffer)
* \param len Buffer length
*
* \note buf is updated to point right after ECParameters on exit
*
* \return O if successful,
* POLARSSL_ERR_MPI_XXX if initialization failed
* POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid
@ -635,6 +639,18 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
int ecp_gen_key( ecp_group_id grp_id, ecp_keypair *key,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Check a public-private key pair
*
* \param pub Keypair structure holding a public key
* \param prv Keypair structure holding a private (plus public) key
*
* \return 0 if successfull (keys are valid and match), or
* POLARSSL_ERR_ECP_BAD_INPUT_DATA, or
* a POLARSSL_ERR_ECP_XXX or POLARSSL_ERR_MPI_XXX code.
*/
int ecp_check_pub_priv( const ecp_keypair *pub, const ecp_keypair *prv );
#if defined(POLARSSL_SELF_TEST)
/**
* \brief Checkup routine
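Review bot: The new ecp_check_pub_priv documentation misspells its success case, `\return 0 if successfull` should be `\return 0 if successful`, and the two nearby `\return O if successful` lines in the ecp_point_read_binary and ecp_group_read_binary blocks use the letter O for zero and are worth fixing in the same pass. The return contract would also be clearer if it said which listed code means "keys are valid but do not match" as opposed to "a key is malformed", since callers that report the two differently otherwise have to read the implementation; if that is the intended split, something like `\return 0 if the keys are valid and match, POLARSSL_ERR_ECP_BAD_INPUT_DATA if they do not match, or another POLARSSL_ERR_ECP_XXX / POLARSSL_ERR_MPI_XXX code if a key is invalid.`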


@ -177,6 +177,9 @@ typedef struct
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/** Check public-private key pair */
int (*check_pair_func)( const void *pub, const void *prv );
/** Allocate a new context */
void * (*ctx_alloc_func)( void );
@ -426,6 +429,16 @@ int pk_encrypt( pk_context *ctx,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Check if a public-private pair of keys matches.
*
* \param pub Context holding a public key.
* \param prv Context holding a private (and public) key.
*
* \return 0 on success or POLARSSL_ERR_PK_BAD_INPUT_DATA
*/
int pk_check_pair( const pk_context *pub, const pk_context *prv );
/**
* \brief Export debug information
*
@ -625,6 +638,14 @@ int pk_write_pubkey( unsigned char **p, unsigned char *start,
const pk_context *key );
#endif /* POLARSSL_PK_WRITE_C */
/*
* Internal module functions. You probably do not want to use these unless you
* know you do.
*/
#if defined(POLARSSL_FS_IO)
int pk_load_file( const char *path, unsigned char **buf, size_t *n );
#endif
#ifdef __cplusplus
}
#endif
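Review bot: pk_check_pair's `\return 0 on success or POLARSSL_ERR_PK_BAD_INPUT_DATA` looks incomplete: the RSA and ECP pair checks added in the same merge document POLARSSL_ERR_RSA_XXX and POLARSSL_ERR_ECP_XXX / POLARSSL_ERR_MPI_XXX codes, so unless the PK layer translates what the new check_pair_func returns, those codes reach the caller too. Suggest `\return 0 on success, POLARSSL_ERR_PK_BAD_INPUT_DATA if the key types differ or the check is unsupported, or a type-specific error code if the keys are invalid or do not match.`, adjusted to what pk_check_pair actually does. The newly exported pk_load_file has no return documentation and no ownership statement; a comment should say that it allocates `*buf` of `*n` bytes which the caller must free, and, since it is presumably the loader used for key files, that the caller should clear the buffer before freeing it when it held a private key.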


@ -99,10 +99,8 @@ typedef struct
mpi RP; /*!< cached R^2 mod P */
mpi RQ; /*!< cached R^2 mod Q */
#if !defined(POLARSSL_RSA_NO_CRT)
mpi Vi; /*!< cached blinding value */
mpi Vf; /*!< cached un-blinding value */
#endif
int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
RSA_PKCS_v21 for OAEP/PSS */
@ -191,6 +189,17 @@ int rsa_check_pubkey( const rsa_context *ctx );
*/
int rsa_check_privkey( const rsa_context *ctx );
/**
* \brief Check a public-private RSA key pair.
* Check each of the contexts, and make sure they match.
*
* \param pub RSA context holding the public key
* \param prv RSA context holding the private key
*
* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
*/
int rsa_check_pub_priv( const rsa_context *pub, const rsa_context *prv );
/**
* \brief Do an RSA public key operation
*
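Review bot: In the rsa_check_pub_priv documentation, `\return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code` should read `or a POLARSSL_ERR_RSA_XXX error code`, and "Check each of the contexts, and make sure they match" would help callers more if it named what is compared (presumably the public parameters N and E, on top of the individual rsa_check_pubkey / rsa_check_privkey checks). In the first hunk, if the two removed lines are the `#if !defined(POLARSSL_RSA_NO_CRT)` / `#endif` pair around Vi and Vf, the blinding fields now exist in every build and the layout of rsa_context changes for POLARSSL_RSA_NO_CRT configurations; that is harmless for code compiled together with the library but deserves a ChangeLog line for anyone linking against a prebuilt one.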


@ -491,7 +491,7 @@ union _ssl_premaster_secret
#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
unsigned char _pms_rsa_psk[52 + POLARSSL_PSK_MAX_LEN]; /* RFC 4279 4 */
#endif
#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
unsigned char _pms_ecdhe_psk[4 + POLARSSL_ECP_MAX_BYTES
+ POLARSSL_PSK_MAX_LEN]; /* RFC 5489 2 */
#endif
@ -1204,6 +1204,7 @@ void ssl_set_bio( ssl_context *ssl,
int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
#if defined(POLARSSL_SSL_SRV_C)
/**
* \brief Set the underlying BIO callbacks for write, read and
* read-with-timeout.
@ -1380,7 +1381,8 @@ void ssl_set_handshake_timeout( ssl_context *ssl, uint32_t min, uint32_t max );
/**
* \brief Set the session cache callbacks (server-side only)
* If not set, no session resuming is done.
* If not set, no session resuming is done (except if session
* tickets are enabled too).
*
* The session cache has the responsibility to check for stale
* entries based on timeout. See RFC 5246 for recommendations.
@ -1418,7 +1420,9 @@ void ssl_set_handshake_timeout( ssl_context *ssl, uint32_t min, uint32_t max );
void ssl_set_session_cache( ssl_context *ssl,
int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache );
#endif /* POLARSSL_SSL_SRV_C */
#if defined(POLARSSL_SSL_CLI_C)
/**
* \brief Request resumption of session (client-side only)
* Session data is copied from presented session structure.
@ -1434,6 +1438,7 @@ void ssl_set_session_cache( ssl_context *ssl,
* \sa ssl_get_session()
*/
int ssl_set_session( ssl_context *ssl, const ssl_session *session );
#endif /* POLARSSL_SSL_CLI_C */
/**
* \brief Set the list of allowed ciphersuites and the preference
@ -2011,6 +2016,7 @@ int ssl_get_record_expansion( const ssl_context *ssl );
const x509_crt *ssl_get_peer_cert( const ssl_context *ssl );
#endif /* POLARSSL_X509_CRT_PARSE_C */
#if defined(POLARSSL_SSL_CLI_C)
/**
* \brief Save session in order to resume it later (client-side only)
* Session data is copied to presented session structure.
@ -2028,6 +2034,7 @@ const x509_crt *ssl_get_peer_cert( const ssl_context *ssl );
* \sa ssl_set_session()
*/
int ssl_get_session( const ssl_context *ssl, ssl_session *session );
#endif /* POLARSSL_SSL_CLI_C */
/**
* \brief Perform the SSL handshake
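Review bot: The `#if defined(POLARSSL_SSL_SRV_C)` added right after ssl_set_bio sits in front of the read-with-timeout BIO setter, while its `#endif /* POLARSSL_SSL_SRV_C */` only comes after ssl_set_session_cache, so unless an `#endif` outside the shown hunks closes it earlier, every declaration in between (ssl_set_handshake_timeout appears in the hunk context) becomes server-only. A DTLS client built without POLARSSL_SSL_SRV_C would then lose the timeout API it relies on, which looks like a merge-placement error rather than an intended restriction. The `#if` should move to just before the `/**` block of ssl_set_session_cache, matching its "(server-side only)" wording and the CLI_C guards added around ssl_set_session and ssl_get_session. The corrected `#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)` in _ssl_premaster_secret also changes the union's size in builds enabling ECDHE-PSK without DHE-PSK, which the ChangeLog should mention.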


@ -233,7 +233,9 @@ extern "C" {
#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */
/* Reminder: update _ssl_premaster_secret when adding a new key exchange */
/* Reminder: update _ssl_premaster_secret when adding a new key exchange.
* Reminder: update POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED below.
*/
typedef enum {
POLARSSL_KEY_EXCHANGE_NONE = 0,
POLARSSL_KEY_EXCHANGE_RSA,
@ -248,6 +250,17 @@ typedef enum {
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA,
} key_exchange_type_t;
#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED
#endif
typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t;
#define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */
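Review bot: POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED is listed among the conditions that define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED, but ECDHE-PSK (RFC 5489, the reference ssl.h cites for this key exchange) authenticates with the PSK and sends no server certificate, so a build with only ECDHE-PSK enabled would be treated as certificate-based, which matters for the "skip signature_algorithms if PSK only" logic this macro presumably serves. Unless ECDHE-PSK is meant to count here, drop the line `defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \`. Separately, an identifier containing a double underscore (`__WITH_CERT__`) is reserved for the implementation by the C standard; a name such as `POLARSSL_KEY_EXCHANGE_WITH_CERT_ENABLED` avoids that while keeping the same meaning.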


@ -45,6 +45,18 @@
* \{
*/
#if !defined(POLARSSL_X509_MAX_INTERMEDIATE_CA)
/**
* Maximum number of intermediate CAs in a verification chain.
* That is, maximum length of the chain, excluding the end-entity certificate
* and the trusted root certificate.
*
* Set this to a low value to prevent an adversary from making you waste
* resources verifying an overlong certificate chain.
*/
#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8
#endif
/**
* \name X509 Error codes
* \{
@ -295,7 +307,6 @@ int x509_get_serial( unsigned char **p, const unsigned char *end,
x509_buf *serial );
int x509_get_ext( unsigned char **p, const unsigned char *end,
x509_buf *ext, int tag );
int x509_load_file( const char *path, unsigned char **buf, size_t *n );
int x509_sig_alg_gets( char *buf, size_t size, const x509_buf *sig_oid,
pk_type_t pk_alg, md_type_t md_alg,
const void *sig_opts );
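Review bot: The POLARSSL_X509_MAX_INTERMEDIATE_CA comment explains why the limit exists but not what happens when a presented chain exceeds it; someone tuning the value needs to know whether verification fails, and with which error or verification flag, rather than the surplus certificates being silently ignored. Suggest a sentence after the "Set this to a low value ..." paragraph such as `Chains longer than this fail verification.`, with the actual error or flag named. The value can also be overridden from config.h, and nothing shown validates it, so a check_config.h entry rejecting a negative or otherwise unreasonable value would stop a misconfiguration from compiling silently.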


@ -100,11 +100,23 @@ typedef struct _x509_crl
x509_crl;
/**
* \brief Parse one or more CRLs and add them
* to the chained list
* \brief Parse a DER-encoded CRL and append it to the chained list
*
* \param chain points to the start of the chain
* \param buf buffer holding the CRL data
* \param buf buffer holding the CRL data in DER format
* \param buflen size of the buffer
*
* \return 0 if successful, or a specific X509 or PEM error code
*/
int x509_crl_parse_der( x509_crl *chain,
const unsigned char *buf, size_t buflen );
/**
* \brief Parse one or more CRLs and append them to the chained list
*
* \note Mutliple CRLs are accepted only if using PEM format
*
* \param chain points to the start of the chain
* \param buf buffer holding the CRL data in PEM or DER format
* \param buflen size of the buffer
*
* \return 0 if successful, or a specific X509 or PEM error code
@ -113,11 +125,12 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen );
#if defined(POLARSSL_FS_IO)
/**
* \brief Load one or more CRLs and add them
* to the chained list
* \brief Load one or more CRLs and append them to the chained list
*
* \note Mutliple CRLs are accepted only if using PEM format
*
* \param chain points to the start of the chain
* \param path filename to read the CRLs from
* \param path filename to read the CRLs from (in PEM or DER encoding)
*
* \return 0 if successful, or a specific X509 or PEM error code
*/