Merge pull request #403 from ourairquality/mbedtls251

Update mbed TLS to 2.5.1
This commit is contained in:
Ruslan V. Uss 2017-07-06 11:16:32 +05:00 committed by GitHub
commit 11ea727efa
6 changed files with 327 additions and 86 deletions

View file

@ -4,7 +4,7 @@
// this must be ahead of any mbedtls header files so the local mbedtls/config.h can be properly referenced // this must be ahead of any mbedtls header files so the local mbedtls/config.h can be properly referenced
#include "mbedtls/config.h" #include "mbedtls/config.h"
#include "mbedtls/net.h" #include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h" #include "mbedtls/debug.h"
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"

View file

@ -33,7 +33,7 @@
errors at link time if functions don't exist.) */ errors at link time if functions don't exist.) */
#include "mbedtls/config.h" #include "mbedtls/config.h"
#include "mbedtls/net.h" #include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h" #include "mbedtls/debug.h"
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"

View file

@ -43,7 +43,7 @@ extern const char *server_key;
errors at link time if functions don't exist.) */ errors at link time if functions don't exist.) */
#include "mbedtls/config.h" #include "mbedtls/config.h"
#include "mbedtls/net.h" #include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h" #include "mbedtls/debug.h"
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"
@ -216,6 +216,7 @@ void tls_server_task(void *pvParameters)
} }
len = ret; len = ret;
ret = 0;
printf(" %d bytes written. Closing socket on client.\n\n%s", len, (char *) buf); printf(" %d bytes written. Closing socket on client.\n\n%s", len, (char *) buf);
mbedtls_ssl_close_notify(&ssl); mbedtls_ssl_close_notify(&ssl);

View file

@ -3,6 +3,10 @@
* *
* \brief Configuration options (set of defines) * \brief Configuration options (set of defines)
* *
* This set of compile-time options may be used to enable
* or disable features selectively, and reduce the global
* memory footprint.
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
* *
@ -21,11 +25,6 @@
* This file is part of mbed TLS (https://tls.mbed.org) * This file is part of mbed TLS (https://tls.mbed.org)
*/ */
/*
* This set of compile-time options may be used to enable
* or disable features selectively, and reduce the global
* memory footprint.
*/
#ifndef MBEDTLS_CONFIG_H #ifndef MBEDTLS_CONFIG_H
#define MBEDTLS_CONFIG_H #define MBEDTLS_CONFIG_H
@ -72,6 +71,10 @@
* The time does not need to be correct, only time differences are used, * The time does not need to be correct, only time differences are used,
* by contrast with MBEDTLS_HAVE_TIME_DATE * by contrast with MBEDTLS_HAVE_TIME_DATE
* *
* Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
* MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
* MBEDTLS_PLATFORM_STD_TIME.
*
* Comment if your system does not support time functions * Comment if your system does not support time functions
*/ */
//#define MBEDTLS_HAVE_TIME //#define MBEDTLS_HAVE_TIME
@ -132,10 +135,10 @@
//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/** /**
* \def MBEDTLS_PLATFORM_XXX_ALT * \def MBEDTLS_PLATFORM_EXIT_ALT
* *
* Uncomment a macro to let mbed TLS support the function in the platform * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
* abstraction layer. * function in the platform abstraction layer.
* *
* Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
* provide a function "mbedtls_platform_set_printf()" that allows you to set an * provide a function "mbedtls_platform_set_printf()" that allows you to set an
@ -149,13 +152,17 @@
* \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
* MBEDTLS_PLATFORM_XXX_MACRO! * MBEDTLS_PLATFORM_XXX_MACRO!
* *
* Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
*
* Uncomment a macro to enable alternate implementation of specific base * Uncomment a macro to enable alternate implementation of specific base
* platform function * platform function
*/ */
//#define MBEDTLS_PLATFORM_EXIT_ALT //#define MBEDTLS_PLATFORM_EXIT_ALT
//#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT //#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT //#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT //#define MBEDTLS_PLATFORM_SNPRINTF_ALT
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
/** /**
* \def MBEDTLS_DEPRECATED_WARNING * \def MBEDTLS_DEPRECATED_WARNING
@ -208,19 +215,19 @@
//#define MBEDTLS_TIMING_ALT //#define MBEDTLS_TIMING_ALT
/** /**
* \def MBEDTLS__MODULE_NAME__ALT * \def MBEDTLS_AES_ALT
* *
* Uncomment a macro to let mbed TLS use your alternate core implementation of * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
* a symmetric crypto or hash module (e.g. platform specific assembly * alternate core implementation of a symmetric crypto, an arithmetic or hash
* optimized implementations). Keep in mind that the function prototypes * module (e.g. platform specific assembly optimized implementations). Keep
* should remain the same. * in mind that the function prototypes should remain the same.
* *
* This replaces the whole module. If you only want to replace one of the * This replaces the whole module. If you only want to replace one of the
* functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
* *
* Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
* provide the "struct mbedtls_aes_context" definition and omit the base function * provide the "struct mbedtls_aes_context" definition and omit the base
* declarations and implementations. "aes_alt.h" will be included from * function declarations and implementations. "aes_alt.h" will be included from
* "aes.h" to include the new function definitions. * "aes.h" to include the new function definitions.
* *
* Uncomment a macro to enable alternate implementation of the corresponding * Uncomment a macro to enable alternate implementation of the corresponding
@ -239,13 +246,23 @@
//#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT //#define MBEDTLS_SHA512_ALT
/*
* When replacing the elliptic curve module, pleace consider, that it is
* implemented with two .c files:
* - ecp.c
* - ecp_curves.c
* You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
* macros as described above. The only difference is that you have to make sure
* that you provide functionality for both .c files.
*/
//#define MBEDTLS_ECP_ALT
/** /**
* \def MBEDTLS__FUNCTION_NAME__ALT * \def MBEDTLS_MD2_PROCESS_ALT
* *
* Uncomment a macro to let mbed TLS use you alternate core implementation of * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
* symmetric crypto or hash function. Keep in mind that function prototypes * alternate core implementation of symmetric crypto or hash function. Keep in
* should remain the same. * mind that function prototypes should remain the same.
* *
* This replaces only one function. The header file from mbed TLS is still * This replaces only one function. The header file from mbed TLS is still
* used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
@ -278,6 +295,76 @@
//#define MBEDTLS_AES_ENCRYPT_ALT //#define MBEDTLS_AES_ENCRYPT_ALT
//#define MBEDTLS_AES_DECRYPT_ALT //#define MBEDTLS_AES_DECRYPT_ALT
/**
* \def MBEDTLS_ECP_INTERNAL_ALT
*
* Expose a part of the internal interface of the Elliptic Curve Point module.
*
* MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
* alternative core implementation of elliptic curve arithmetic. Keep in mind
* that function prototypes should remain the same.
*
* This partially replaces one function. The header file from mbed TLS is still
* used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
* is still present and it is used for group structures not supported by the
* alternative.
*
* Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
* and implementing the following functions:
* unsigned char mbedtls_internal_ecp_grp_capable(
* const mbedtls_ecp_group *grp )
* int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
* void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
* The mbedtls_internal_ecp_grp_capable function should return 1 if the
* replacement functions implement arithmetic for the given group and 0
* otherwise.
* The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
* called before and after each point operation and provide an opportunity to
* implement optimized set up and tear down instructions.
*
* Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
* MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
* function, but will use your mbedtls_internal_ecp_double_jac if the group is
* supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
* receives it as an argument). If the group is not supported then the original
* implementation is used. The other functions and the definition of
* mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
* implementation of mbedtls_internal_ecp_double_jac and
* mbedtls_internal_ecp_grp_capable must be compatible with this definition.
*
* Uncomment a macro to enable alternate implementation of the corresponding
* function.
*/
/* Required for all the functions in this section */
//#define MBEDTLS_ECP_INTERNAL_ALT
/* Support for Weierstrass curves with Jacobi representation */
//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
//#define MBEDTLS_ECP_ADD_MIXED_ALT
//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
/* Support for curves with Montgomery arithmetic */
//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
* \def MBEDTLS_TEST_NULL_ENTROPY
*
* Enables testing and use of mbed TLS without any configured entropy sources.
* This permits use of the library on platforms before an entropy source has
* been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
* MBEDTLS_ENTROPY_NV_SEED switches).
*
* WARNING! This switch MUST be disabled in production builds, and is suitable
* only for development.
* Enabling the switch negates any security provided by the library.
*
* Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
*
*/
//#define MBEDTLS_TEST_NULL_ENTROPY
/** /**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT * \def MBEDTLS_ENTROPY_HARDWARE_ALT
* *
@ -365,10 +452,11 @@
//#define MBEDTLS_CIPHER_NULL_CIPHER //#define MBEDTLS_CIPHER_NULL_CIPHER
/** /**
* \def MBEDTLS_CIPHER_PADDING_XXX * \def MBEDTLS_CIPHER_PADDING_PKCS7
* *
* Uncomment or comment macros to add support for specific padding modes * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
* in the cipher layer with cipher modes that support padding (e.g. CBC) * specific padding modes in the cipher layer with cipher modes that support
* padding (e.g. CBC)
* *
* If you disable all padding modes, only full blocks can be used with CBC. * If you disable all padding modes, only full blocks can be used with CBC.
* *
@ -408,10 +496,10 @@
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
/** /**
* \def MBEDTLS_ECP_XXXX_ENABLED * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
* *
* Enables specific curves within the Elliptic Curve module. * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
* By default all supported curves are enabled. * module. By default all supported curves are enabled.
* *
* Comment macros to disable the curve and functions for it * Comment macros to disable the curve and functions for it
*/ */
@ -695,6 +783,25 @@
*/ */
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
*
* Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
*
* \warning This is currently experimental. EC J-PAKE support is based on the
* Thread v1.0.0 specification; incompatible changes to the specification
* might still happen. For this reason, this is disabled by default.
*
* Requires: MBEDTLS_ECJPAKE_C
* MBEDTLS_SHA256_C
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
* MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
*/
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
/** /**
* \def MBEDTLS_PK_PARSE_EC_EXTENDED * \def MBEDTLS_PK_PARSE_EC_EXTENDED
* *
@ -780,6 +887,34 @@
*/ */
#define MBEDTLS_ENTROPY_FORCE_SHA256 #define MBEDTLS_ENTROPY_FORCE_SHA256
/**
* \def MBEDTLS_ENTROPY_NV_SEED
*
* Enable the non-volatile (NV) seed file-based entropy source.
* (Also enables the NV seed read/write functions in the platform layer)
*
* This is crucial (if not required) on systems that do not have a
* cryptographic entropy source (in hardware or kernel) available.
*
* Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
*
* \note The read/write functions that are used by the entropy source are
* determined in the platform layer, and can be modified at runtime and/or
* compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
*
* \note If you use the default implementation functions that read a seedfile
* with regular fopen(), please make sure you make a seedfile with the
* proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
* least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
* and written to or you will get an entropy source error! The default
* implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
* bytes from the file.
*
* \note The entropy collector will write to the seed file before entropy is
* given to an external source, to update it.
*/
//#define MBEDTLS_ENTROPY_NV_SEED
/** /**
* \def MBEDTLS_MEMORY_DEBUG * \def MBEDTLS_MEMORY_DEBUG
* *
@ -869,18 +1004,6 @@
*/ */
#define MBEDTLS_SHA256_SMALLER #define MBEDTLS_SHA256_SMALLER
/**
* \def MBEDTLS_SSL_AEAD_RANDOM_IV
*
* Generate a random IV rather than using the record sequence number as a
* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
*
* Using the sequence number is generally recommended.
*
* Uncomment this macro to always use random IVs with AEAD ciphersuites.
*/
//#define MBEDTLS_SSL_AEAD_RANDOM_IV
/** /**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
* *
@ -1040,7 +1163,7 @@
* *
* Comment this macro to disable support for SSL 3.0 * Comment this macro to disable support for SSL 3.0
*/ */
#define MBEDTLS_SSL_PROTO_SSL3 //#define MBEDTLS_SSL_PROTO_SSL3
/** /**
* \def MBEDTLS_SSL_PROTO_TLS1 * \def MBEDTLS_SSL_PROTO_TLS1
@ -1135,6 +1258,22 @@
*/ */
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
/**
* \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
*
* Enable server-side support for clients that reconnect from the same port.
*
* Some clients unexpectedly close the connection and try to reconnect using the
* same source port. This needs special support from the server to handle the
* new connection securely, as described in section 4.2.8 of RFC 6347. This
* flag enables that support.
*
* Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
*
* Comment this to disable support for clients reusing the source port.
*/
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
/** /**
* \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
* *
@ -1160,6 +1299,16 @@
*/ */
#define MBEDTLS_SSL_SESSION_TICKETS #define MBEDTLS_SSL_SESSION_TICKETS
/**
* \def MBEDTLS_SSL_EXPORT_KEYS
*
* Enable support for exporting key block and master secret.
* This is required for certain users of TLS, e.g. EAP-TLS.
*
* Comment this macro to disable support for key export
*/
#define MBEDTLS_SSL_EXPORT_KEYS
/** /**
* \def MBEDTLS_SSL_SERVER_NAME_INDICATION * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
* *
@ -1231,6 +1380,8 @@
* If set, the X509 parser will not break-off when parsing an X509 certificate * If set, the X509 parser will not break-off when parsing an X509 certificate
* and encountering an unknown critical extension. * and encountering an unknown critical extension.
* *
* \warning Depending on your PKI use, enabling this can be a security risk!
*
* Uncomment to prevent an error. * Uncomment to prevent an error.
*/ */
//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
@ -1438,7 +1589,7 @@
* library/pkwrite.c * library/pkwrite.c
* library/x509_create.c * library/x509_create.c
* library/x509write_crt.c * library/x509write_crt.c
* library/mbedtls_x509write_csr.c * library/x509write_csr.c
*/ */
#define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_ASN1_WRITE_C
@ -1572,6 +1723,19 @@
*/ */
#define MBEDTLS_CIPHER_C #define MBEDTLS_CIPHER_C
/**
* \def MBEDTLS_CMAC_C
*
* Enable the CMAC (Cipher-based Message Authentication Code) mode for block
* ciphers.
*
* Module: library/cmac.c
*
* Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
*
*/
//#define MBEDTLS_CMAC_C
/** /**
* \def MBEDTLS_CTR_DRBG_C * \def MBEDTLS_CTR_DRBG_C
* *
@ -1671,6 +1835,25 @@
*/ */
#define MBEDTLS_ECDSA_C #define MBEDTLS_ECDSA_C
/**
* \def MBEDTLS_ECJPAKE_C
*
* Enable the elliptic curve J-PAKE library.
*
* \warning This is currently experimental. EC J-PAKE support is based on the
* Thread v1.0.0 specification; incompatible changes to the specification
* might still happen. For this reason, this is disabled by default.
*
* Module: library/ecjpake.c
* Caller:
*
* This module is used by the following key exchanges:
* ECJPAKE
*
* Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
*/
//#define MBEDTLS_ECJPAKE_C
/** /**
* \def MBEDTLS_ECP_C * \def MBEDTLS_ECP_C
* *
@ -1679,6 +1862,7 @@
* Module: library/ecp.c * Module: library/ecp.c
* Caller: library/ecdh.c * Caller: library/ecdh.c
* library/ecdsa.c * library/ecdsa.c
* library/ecjpake.c
* *
* Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
*/ */
@ -1766,7 +1950,7 @@
* *
* Enable the generic message digest layer. * Enable the generic message digest layer.
* *
* Module: library/mbedtls_md.c * Module: library/md.c
* Caller: * Caller:
* *
* Uncomment to enable generic message digest wrappers. * Uncomment to enable generic message digest wrappers.
@ -1778,7 +1962,7 @@
* *
* Enable the MD2 hash algorithm. * Enable the MD2 hash algorithm.
* *
* Module: library/mbedtls_md2.c * Module: library/md2.c
* Caller: * Caller:
* *
* Uncomment to enable support for (rare) MD2-signed X.509 certs. * Uncomment to enable support for (rare) MD2-signed X.509 certs.
@ -1790,7 +1974,7 @@
* *
* Enable the MD4 hash algorithm. * Enable the MD4 hash algorithm.
* *
* Module: library/mbedtls_md4.c * Module: library/md4.c
* Caller: * Caller:
* *
* Uncomment to enable support for (rare) MD4-signed X.509 certs. * Uncomment to enable support for (rare) MD4-signed X.509 certs.
@ -1802,8 +1986,8 @@
* *
* Enable the MD5 hash algorithm. * Enable the MD5 hash algorithm.
* *
* Module: library/mbedtls_md5.c * Module: library/md5.c
* Caller: library/mbedtls_md.c * Caller: library/md.c
* library/pem.c * library/pem.c
* library/ssl_tls.c * library/ssl_tls.c
* *
@ -1831,11 +2015,19 @@
/** /**
* \def MBEDTLS_NET_C * \def MBEDTLS_NET_C
* *
* Enable the TCP/IP networking routines. * Enable the TCP and UDP over IPv6/IPv4 networking routines.
* *
* Module: library/net.c * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
* and Windows. For other platforms, you'll want to disable it, and write your
* own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
* *
* This module provides TCP/IP networking routines. * \note See also our Knowledge Base article about porting to a new
* environment:
* https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
*
* Module: library/net_sockets.c
*
* This module provides networking routines.
*/ */
#define MBEDTLS_NET_C #define MBEDTLS_NET_C
@ -1852,11 +2044,11 @@
* library/rsa.c * library/rsa.c
* library/x509.c * library/x509.c
* library/x509_create.c * library/x509_create.c
* library/mbedtls_x509_crl.c * library/x509_crl.c
* library/mbedtls_x509_crt.c * library/x509_crt.c
* library/mbedtls_x509_csr.c * library/x509_csr.c
* library/x509write_crt.c * library/x509write_crt.c
* library/mbedtls_x509write_csr.c * library/x509write_csr.c
* *
* This modules translates between OIDs and internal values. * This modules translates between OIDs and internal values.
*/ */
@ -1884,9 +2076,9 @@
* Module: library/pem.c * Module: library/pem.c
* Caller: library/dhm.c * Caller: library/dhm.c
* library/pkparse.c * library/pkparse.c
* library/mbedtls_x509_crl.c * library/x509_crl.c
* library/mbedtls_x509_crt.c * library/x509_crt.c
* library/mbedtls_x509_csr.c * library/x509_csr.c
* *
* Requires: MBEDTLS_BASE64_C * Requires: MBEDTLS_BASE64_C
* *
@ -1902,7 +2094,7 @@
* Module: library/pem.c * Module: library/pem.c
* Caller: library/pkwrite.c * Caller: library/pkwrite.c
* library/x509write_crt.c * library/x509write_crt.c
* library/mbedtls_x509write_csr.c * library/x509write_csr.c
* *
* Requires: MBEDTLS_BASE64_C * Requires: MBEDTLS_BASE64_C
* *
@ -1932,8 +2124,8 @@
* Enable the generic public (asymetric) key parser. * Enable the generic public (asymetric) key parser.
* *
* Module: library/pkparse.c * Module: library/pkparse.c
* Caller: library/mbedtls_x509_crt.c * Caller: library/x509_crt.c
* library/mbedtls_x509_csr.c * library/x509_csr.c
* *
* Requires: MBEDTLS_PK_C * Requires: MBEDTLS_PK_C
* *
@ -2024,8 +2216,8 @@
* *
* Enable the RIPEMD-160 hash algorithm. * Enable the RIPEMD-160 hash algorithm.
* *
* Module: library/mbedtls_ripemd160.c * Module: library/ripemd160.c
* Caller: library/mbedtls_md.c * Caller: library/md.c
* *
*/ */
#define MBEDTLS_RIPEMD160_C #define MBEDTLS_RIPEMD160_C
@ -2053,14 +2245,15 @@
* *
* Enable the SHA1 cryptographic hash algorithm. * Enable the SHA1 cryptographic hash algorithm.
* *
* Module: library/mbedtls_sha1.c * Module: library/sha1.c
* Caller: library/mbedtls_md.c * Caller: library/md.c
* library/ssl_cli.c * library/ssl_cli.c
* library/ssl_srv.c * library/ssl_srv.c
* library/ssl_tls.c * library/ssl_tls.c
* library/x509write_crt.c * library/x509write_crt.c
* *
* This module is required for SSL/TLS and SHA1-signed certificates. * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
* depending on the handshake parameters, and for SHA1-signed certificates.
*/ */
#define MBEDTLS_SHA1_C #define MBEDTLS_SHA1_C
@ -2069,9 +2262,9 @@
* *
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms. * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
* *
* Module: library/mbedtls_sha256.c * Module: library/sha256.c
* Caller: library/entropy.c * Caller: library/entropy.c
* library/mbedtls_md.c * library/md.c
* library/ssl_cli.c * library/ssl_cli.c
* library/ssl_srv.c * library/ssl_srv.c
* library/ssl_tls.c * library/ssl_tls.c
@ -2086,9 +2279,9 @@
* *
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms. * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
* *
* Module: library/mbedtls_sha512.c * Module: library/sha512.c
* Caller: library/entropy.c * Caller: library/entropy.c
* library/mbedtls_md.c * library/md.c
* library/ssl_cli.c * library/ssl_cli.c
* library/ssl_srv.c * library/ssl_srv.c
* *
@ -2181,7 +2374,8 @@
* By default mbed TLS assumes it is used in a non-threaded environment or that * By default mbed TLS assumes it is used in a non-threaded environment or that
* contexts are not shared between threads. If you do intend to use contexts * contexts are not shared between threads. If you do intend to use contexts
* between threads, you will need to enable this layer to prevent race * between threads, you will need to enable this layer to prevent race
* conditions. * conditions. See also our Knowledge Base article about threading:
* https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
* *
* Module: library/threading.c * Module: library/threading.c
* *
@ -2198,7 +2392,18 @@
/** /**
* \def MBEDTLS_TIMING_C * \def MBEDTLS_TIMING_C
* *
* Enable the portable timing interface. * Enable the semi-portable timing interface.
*
* \note The provided implementation only works on POSIX/Unix (including Linux,
* BSD and OS X) and Windows. On other platforms, you can either disable that
* module and provide your own implementations of the callbacks needed by
* \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
* your own implementation of the whole module by setting
* \c MBEDTLS_TIMING_ALT in the current file.
*
* \note See also our Knowledge Base article about porting to a new
* environment:
* https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
* *
* Module: library/timing.c * Module: library/timing.c
* Caller: library/havege.c * Caller: library/havege.c
@ -2224,9 +2429,9 @@
* Enable X.509 core for using certificates. * Enable X.509 core for using certificates.
* *
* Module: library/x509.c * Module: library/x509.c
* Caller: library/mbedtls_x509_crl.c * Caller: library/x509_crl.c
* library/mbedtls_x509_crt.c * library/x509_crt.c
* library/mbedtls_x509_csr.c * library/x509_csr.c
* *
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
* MBEDTLS_PK_PARSE_C * MBEDTLS_PK_PARSE_C
@ -2240,7 +2445,7 @@
* *
* Enable X.509 certificate parsing. * Enable X.509 certificate parsing.
* *
* Module: library/mbedtls_x509_crt.c * Module: library/x509_crt.c
* Caller: library/ssl_cli.c * Caller: library/ssl_cli.c
* library/ssl_srv.c * library/ssl_srv.c
* library/ssl_tls.c * library/ssl_tls.c
@ -2256,8 +2461,8 @@
* *
* Enable X.509 CRL parsing. * Enable X.509 CRL parsing.
* *
* Module: library/mbedtls_x509_crl.c * Module: library/x509_crl.c
* Caller: library/mbedtls_x509_crt.c * Caller: library/x509_crt.c
* *
* Requires: MBEDTLS_X509_USE_C * Requires: MBEDTLS_X509_USE_C
* *
@ -2270,7 +2475,7 @@
* *
* Enable X.509 Certificate Signing Request (CSR) parsing. * Enable X.509 Certificate Signing Request (CSR) parsing.
* *
* Module: library/mbedtls_x509_csr.c * Module: library/x509_csr.c
* Caller: library/x509_crt_write.c * Caller: library/x509_crt_write.c
* *
* Requires: MBEDTLS_X509_USE_C * Requires: MBEDTLS_X509_USE_C
@ -2371,6 +2576,7 @@
/* Entropy options */ /* Entropy options */
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
/* Memory buffer allocator options */ /* Memory buffer allocator options */
//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
@ -2380,20 +2586,30 @@
//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */ /* Note: your snprintf must correclty zero-terminate the buffer! */
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */ /* Note: your snprintf must correclty zero-terminate the buffer! */
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
/* SSL Cache options */ /* SSL Cache options */
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
@ -2421,11 +2637,35 @@
/* X509 options */ /* X509 options */
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
/* \} name SECTION: Module configuration options */ /**
* Allow SHA-1 in the default TLS configuration for certificate signing.
* Without this build-time option, SHA-1 support must be activated explicitly
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
* recommended because of it is possible to generte SHA-1 collisions, however
* this may be safe for legacy infrastructure where additional controls apply.
*/
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
#if defined(TARGET_LIKE_MBED) /**
#include "mbedtls/target_config.h" * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
* signature and ciphersuite selection. Without this build-time option, SHA-1
* support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
* default. At the time of writing, there is no practical attack on the use
* of SHA-1 in handshake signatures, hence this option is turned on by default
* for compatibility with existing peers.
*/
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
/* \} name SECTION: Customisation configuration options */
/* Target and application specific configurations */
//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
#endif #endif
/* /*

@ -1 +1 @@
Subproject commit 0a0c22e0efcf2f8f71d7e16712f80b8f77326f72 Subproject commit f2a597fa3dd1c7b15e0fee62f6932b253295803d

View file

@ -29,7 +29,7 @@
#if defined(MBEDTLS_NET_C) #if defined(MBEDTLS_NET_C)
#include "mbedtls/net.h" #include "mbedtls/net_sockets.h"
#include <string.h> #include <string.h>