yuzu-mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-mirror/mbedtls.git synced 2026-04-04 14:08:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge tag 'mbedtls-2.14.0' into feature-psa

Browse source 
Mbed TLS version 2.14.0

Resolved conflicts in include/mbedtls/config.h,
tests/scripts/check-files.py, and yotta/create-module.sh by removing yotta.

Resolved conflicts in tests/.jenkins/Jenkinsfile by continuing to run
mbedtls-psa job.
This commit is contained in:
Jaeden Amero 2018-11-16 11:28:57 +00:00
commit 818eab2e76
167 changed files with 8508 additions and 4543 deletions
Download patch file Download diff file Expand all files Collapse all files

125
programs/README.md Normal file
View file

@ -0,0 +1,125 @@
Mbed TLS sample programs
========================
This subdirectory mostly contains sample programs that illustrate specific features of the library, as well as a few test and support programs.
## Symmetric cryptography (AES) examples
* [`aes/aescrypt2.c`](aes/aescrypt2.c): file encryption and authentication with a key derived from a low-entropy secret, demonstrating the low-level AES interface, the digest interface and HMAC.
Warning: this program illustrates how to use low-level functions in the library. It should not be taken as an example of how to build a secure encryption mechanism. To derive a key from a low-entropy secret such as a password, use a standard key stretching mechanism such as PBKDF2 (provided by the `pkcs5` module). To encrypt and authenticate data, use a standard mode such as GCM or CCM (both available as library module).
* [`aes/crypt_and_hash.c`](aes/crypt_and_hash.c): file encryption and authentication, demonstrating the generic cipher interface and the generic hash interface.
## Hash (digest) examples
* [`hash/generic_sum.c`](hash/generic_sum.c): file hash calculator and verifier, demonstrating the message digest (`md`) interface.
* [`hash/hello.c`](hash/hello.c): hello-world program for MD5.
## Public-key cryptography examples
### Generic public-key cryptography (`pk`) examples
* [`pkey/gen_key.c`](pkey/gen_key.c): generates a key for any of the supported public-key algorithms (RSA or ECC) and writes it to a file that can be used by the other pk sample programs.
* [`pkey/key_app.c`](pkey/key_app.c): loads a PEM or DER public key or private key file and dumps its content.
* [`pkey/key_app_writer.c`](pkey/key_app_writer.c): loads a PEM or DER public key or private key file and writes it to a new PEM or DER file.
* [`pkey/pk_encrypt.c`](pkey/pk_encrypt.c), [`pkey/pk_decrypt.c`](pkey/pk_decrypt.c): loads a PEM or DER public/private key file and uses the key to encrypt/decrypt a short string through the generic public-key interface.
* [`pkey/pk_sign.c`](pkey/pk_sign.c), [`pkey/pk_verify.c`](pkey/pk_verify.c): loads a PEM or DER private/public key file and uses the key to sign/verify a short string.
### ECDSA and RSA signature examples
* [`pkey/ecdsa.c`](pkey/ecdsa.c): generates an ECDSA key, signs a fixed message and verifies the signature.
* [`pkey/rsa_encrypt.c`](pkey/rsa_encrypt.c), [`pkey/rsa_decrypt.c`](pkey/rsa_decrypt.c): loads an RSA public/private key and uses it to encrypt/decrypt a short string through the low-level RSA interface.
* [`pkey/rsa_genkey.c`](pkey/rsa_genkey.c): generates an RSA key and writes it to a file that can be used with the other RSA sample programs.
* [`pkey/rsa_sign.c`](pkey/rsa_sign.c), [`pkey/rsa_verify.c`](pkey/rsa_verify.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSA PKCS#1 v1.5 algorithm.
* [`pkey/rsa_sign_pss.c`](pkey/rsa_sign_pss.c), [`pkey/rsa_verify_pss.c`](pkey/rsa_verify_pss.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSASSA-PSS algorithm.
### Diffie-Hellman key exchange examples
* [`pkey/dh_client.c`](pkey/dh_client.c), [`pkey/dh_server.c`](pkey/dh_server.c): secure channel demonstrators (client, server). This pair of programs illustrates how to set up a secure channel using RSA for authentication and Diffie-Hellman to generate a shared AES session key.
* [`pkey/ecdh_curve25519.c`](pkey/ecdh_curve25519.c): demonstration of a elliptic curve Diffie-Hellman (ECDH) key agreement.
### Bignum (`mpi`) usage examples
* [`pkey/dh_genprime.c`](pkey/dh_genprime.c): shows how to use the bignum (`mpi`) interface to generate Diffie-Hellman parameters.
* [`pkey/mpi_demo.c`](pkey/mpi_demo.c): demonstrates operations on big integers.
## Random number generator (RNG) examples
* [`random/gen_entropy.c`](random/gen_entropy.c): shows how to use the default entropy sources to generate random data.
Note: most applications should only use the entropy generator to seed a cryptographic pseudorandom generator, as illustrated by `random/gen_random_ctr_drbg.c`.
* [`random/gen_random_ctr_drbg.c`](random/gen_random_ctr_drbg.c): shows how to use the default entropy sources to seed a pseudorandom generator, and how to use the resulting random generator to generate random data.
* [`random/gen_random_havege.c`](random/gen_random_havege.c): demonstrates the HAVEGE entropy collector.
## SSL/TLS examples
### SSL/TLS sample applications
* [`ssl/dtls_client.c`](ssl/dtls_client.c): a simple DTLS client program, which sends one datagram to the server and reads one datagram in response.
* [`ssl/dtls_server.c`](ssl/dtls_server.c): a simple DTLS server program, which expects one datagram from the client and writes one datagram in response. This program supports DTLS cookies for hello verification.
* [`ssl/mini_client.c`](ssl/mini_client.c): a minimalistic SSL client, which sends a short string and disconnects. This is primarily intended as a benchmark; for a better example of a typical TLS client, see `ssl/ssl_client1.c`.
* [`ssl/ssl_client1.c`](ssl/ssl_client1.c): a simple HTTPS client that sends a fixed request and displays the response.
* [`ssl/ssl_fork_server.c`](ssl/ssl_fork_server.c): a simple HTTPS server using one process per client to send a fixed response. This program requires a Unix/POSIX environment implementing the `fork` system call.
* [`ssl/ssl_mail_client.c`](ssl/ssl_mail_client.c): a simple SMTP-over-TLS or SMTP-STARTTLS client. This client sends an email with fixed content.
* [`ssl/ssl_pthread_server.c`](ssl/ssl_pthread_server.c): a simple HTTPS server using one thread per client to send a fixed response. This program requires the pthread library.
* [`ssl/ssl_server.c`](ssl/ssl_server.c): a simple HTTPS server that sends a fixed response. It serves a single client at a time.
### SSL/TLS feature demonstrators
Note: unlike most of the other programs under the `programs/` directory, these two programs are not intended as a basis for writing an application. They combine most of the features supported by the library, and most applications require only a few features. To write a new application, we recommended that you start with `ssl_client1.c` or `ssl_server.c`, and then look inside `ssl/ssl_client2.c` or `ssl/ssl_server2.c` to see how to use the specific features that your application needs.
* [`ssl/ssl_client2.c`](ssl/ssl_client2.c): an HTTPS client that sends a fixed request and displays the response, with options to select TLS protocol features and Mbed TLS library features.
* [`ssl/ssl_server2.c`](ssl/ssl_server2.c): an HTTPS server that sends a fixed response, with options to select TLS protocol features and Mbed TLS library features.
In addition to providing options for testing client-side features, the `ssl_client2` program has options that allow you to trigger certain behaviors in the server. For example, there are options to select ciphersuites, or to force a renegotiation. These options are useful for testing the corresponding features in a TLS server. Likewise, `ssl_server2` has options to activate certain behaviors that are useful for testing a TLS client.
## Test utilities
* [`test/benchmark.c`](test/benchmark.c): benchmark for cryptographic algorithms.
* [`test/selftest.c`](test/selftest.c): runs the self-test function in each library module.
* [`test/ssl_cert_test.c`](test/ssl_cert_test.c): demonstrates how to verify X.509 certificates, and (for RSA keys only) how to check that each certificate matches the corresponding private key. This program requires some test data which is not provided.
* [`test/udp_proxy.c`](test/udp_proxy.c): a UDP proxy that can inject certain failures (delay, duplicate, drop). Useful for testing DTLS.
* [`test/zeroize.c`](test/zeroize.c): a test program for `mbedtls_platform_zeroize`, used by [`tests/scripts/test_zeroize.gdb`](tests/scripts/test_zeroize.gdb).
## Development utilities
* [`util/pem2der.c`](util/pem2der.c): a PEM to DER converter. Mbed TLS can read PEM files directly, but this utility can be useful for interacting with other tools or with minimal Mbed TLS builds that lack PEM support.
* [`util/strerror.c`](util/strerror.c): prints the error description corresponding to an integer status returned by an Mbed TLS function.
## X.509 certificate examples
* [`x509/cert_app.c`](x509/cert_app.c): connects to a TLS server and verifies its certificate chain.
* [`x509/cert_req.c`](x509/cert_req.c): generates a certificate signing request (CSR) for a private key.
* [`x509/cert_write.c`](x509/cert_write.c): signs a certificate signing request, or self-signs a certificate.
* [`x509/crl_app.c`](x509/crl_app.c): loads and dumps a certificate revocation list (CRL).
* [`x509/req_app.c`](x509/req_app.c): loads and dumps a certificate signing request (CSR).

13
programs/aes/aescrypt2.c
View file

@ -43,6 +43,7 @@
#include "mbedtls/aes.h"
#include "mbedtls/md.h"
#include "mbedtls/platform_util.h"
#include <stdio.h>
#include <stdlib.h>
@ -450,13 +451,13 @@ exit:
the case when the user has missed or reordered some,
in which case the key might not be in argv[4]. */
for( i = 0; i < (unsigned int) argc; i++ )
memset( argv[i], 0, strlen( argv[i] ) );
mbedtls_platform_zeroize( argv[i], strlen( argv[i] ) );
memset( IV, 0, sizeof( IV ) );
memset( key, 0, sizeof( key ) );
memset( tmp, 0, sizeof( tmp ) );
memset( buffer, 0, sizeof( buffer ) );
memset( digest, 0, sizeof( digest ) );
mbedtls_platform_zeroize( IV, sizeof( IV ) );
mbedtls_platform_zeroize( key, sizeof( key ) );
mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
mbedtls_platform_zeroize( buffer, sizeof( buffer ) );
mbedtls_platform_zeroize( digest, sizeof( digest ) );
mbedtls_aes_free( &aes_ctx );
mbedtls_md_free( &sha_ctx );

13
programs/aes/crypt_and_hash.c
View file

@ -46,6 +46,7 @@
defined(MBEDTLS_FS_IO)
#include "mbedtls/cipher.h"
#include "mbedtls/md.h"
#include "mbedtls/platform_util.h"
#include <stdio.h>
#include <stdlib.h>
@ -547,13 +548,13 @@ exit:
the case when the user has missed or reordered some,
in which case the key might not be in argv[6]. */
for( i = 0; i < argc; i++ )
memset( argv[i], 0, strlen( argv[i] ) );
mbedtls_platform_zeroize( argv[i], strlen( argv[i] ) );
memset( IV, 0, sizeof( IV ) );
memset( key, 0, sizeof( key ) );
memset( buffer, 0, sizeof( buffer ) );
memset( output, 0, sizeof( output ) );
memset( digest, 0, sizeof( digest ) );
mbedtls_platform_zeroize( IV, sizeof( IV ) );
mbedtls_platform_zeroize( key, sizeof( key ) );
mbedtls_platform_zeroize( buffer, sizeof( buffer ) );
mbedtls_platform_zeroize( output, sizeof( output ) );
mbedtls_platform_zeroize( digest, sizeof( digest ) );
mbedtls_cipher_free( &cipher_ctx );
mbedtls_md_free( &md_ctx );

2
programs/pkey/dh_genprime.c
View file

@ -156,7 +156,7 @@ int main( int argc, char **argv )
goto exit;
}
if( ( ret = mbedtls_mpi_is_prime( &Q, mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
if( ( ret = mbedtls_mpi_is_prime_ext( &Q, 50, mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_mpi_is_prime returned %d\n\n", ret );
goto exit;

11
programs/ssl/dtls_client.c
View file

@ -60,9 +60,18 @@ int main( void )
#include "mbedtls/certs.h"
#include "mbedtls/timing.h"
/* Uncomment out the following line to default to IPv4 and disable IPv6 */
//#define FORCE_IPV4
#define SERVER_PORT "4433"
#define SERVER_NAME "localhost"
#define SERVER_ADDR "127.0.0.1" /* forces IPv4 */
#ifdef FORCE_IPV4
#define SERVER_ADDR "127.0.0.1" /* Forces IPv4 */
#else
#define SERVER_ADDR "::1"
#endif
#define MESSAGE "Echo this"
#define READ_TIMEOUT_MS 1000

11
programs/ssl/dtls_server.c
View file

@ -34,6 +34,15 @@
#define mbedtls_time_t time_t
#endif
/* Uncomment out the following line to default to IPv4 and disable IPv6 */
//#define FORCE_IPV4
#ifdef FORCE_IPV4
#define BIND_IP "0.0.0.0" /* Forces IPv4 */
#else
#define BIND_IP "::"
#endif
#if !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_SSL_COOKIE_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
@ -170,7 +179,7 @@ int main( void )
printf( " . Bind on udp/*/4433 ..." );
fflush( stdout );
if( ( ret = mbedtls_net_bind( &listen_fd, NULL, "4433", MBEDTLS_NET_PROTO_UDP ) ) != 0 )
if( ( ret = mbedtls_net_bind( &listen_fd, BIND_IP, "4433", MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
printf( " failed\n ! mbedtls_net_bind returned %d\n\n", ret );
goto exit;

58
programs/ssl/ssl_client2.c
View file

@ -83,6 +83,7 @@ int main( void )
#define DFL_PSK ""
#define DFL_PSK_IDENTITY "Client_identity"
#define DFL_ECJPAKE_PW NULL
#define DFL_EC_MAX_OPS -1
#define DFL_FORCE_CIPHER 0
#define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY -2
@ -245,6 +246,13 @@ int main( void )
#define USAGE_ECJPAKE ""
#endif
#if defined(MBEDTLS_ECP_RESTARTABLE)
#define USAGE_ECRESTART \
" ec_max_ops=%%s default: library default (restart disabled)\n"
#else
#define USAGE_ECRESTART ""
#endif
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@ -274,6 +282,7 @@ int main( void )
"\n" \
USAGE_PSK \
USAGE_ECJPAKE \
USAGE_ECRESTART \
"\n" \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
@ -327,6 +336,7 @@ struct options
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
const char *ecjpake_pw; /* the EC J-PAKE password */
int ec_max_ops; /* EC consecutive operations limit */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
int renegotiation; /* enable / disable renegotiation */
int allow_legacy; /* allow legacy renegotiation */
@ -602,6 +612,7 @@ int main( int argc, char *argv[] )
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.ecjpake_pw = DFL_ECJPAKE_PW;
opt.ec_max_ops = DFL_EC_MAX_OPS;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
@ -703,6 +714,8 @@ int main( int argc, char *argv[] )
opt.psk_identity = q;
else if( strcmp( p, "ecjpake_pw" ) == 0 )
opt.ecjpake_pw = q;
else if( strcmp( p, "ec_max_ops" ) == 0 )
opt.ec_max_ops = atoi( q );
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( q );
@ -1523,6 +1536,11 @@ int main( int argc, char *argv[] )
mbedtls_timing_get_delay );
#endif
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( opt.ec_max_ops != DFL_EC_MAX_OPS )
mbedtls_ecp_set_max_ops( opt.ec_max_ops );
#endif
mbedtls_printf( " ok\n" );
/*
@ -1534,7 +1552,8 @@ int main( int argc, char *argv[] )
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n",
-ret );
@ -1550,6 +1569,11 @@ int main( int argc, char *argv[] )
goto exit;
}
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
/* For event-driven IO, wait for socket to become available */
if( opt.event == 1 /* level triggered IO */ )
{
@ -1642,13 +1666,19 @@ int main( int argc, char *argv[] )
while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n",
ret );
goto exit;
}
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
/* For event-driven IO, wait for socket to become available */
if( opt.event == 1 /* level triggered IO */ )
{
@ -1709,7 +1739,8 @@ send_request:
len - written ) ) < 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned -0x%x\n\n",
-ret );
@ -1738,6 +1769,11 @@ send_request:
{
ret = mbedtls_ssl_write( &ssl, buf, len );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
break;
@ -1798,6 +1834,11 @@ send_request:
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE )
{
@ -1858,6 +1899,11 @@ send_request:
{
ret = mbedtls_ssl_read( &ssl, buf, len );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
break;
@ -1920,7 +1966,8 @@ send_request:
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n",
-ret );
@ -2018,7 +2065,8 @@ reconnect:
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n",
-ret );

64
programs/ssl/ssl_server2.c
View file

@ -103,6 +103,7 @@ int main( void )
#define DFL_SERVER_ADDR NULL
#define DFL_SERVER_PORT "4433"
#define DFL_RESPONSE_SIZE -1
#define DFL_DEBUG_LEVEL 0
#define DFL_NBIO 0
#define DFL_EVENT 0
@ -177,7 +178,7 @@ int main( void )
* You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh
* if you change this value to something outside the range <= 100 or > 500
*/
#define IO_BUF_LEN 200
#define DFL_IO_BUF_LEN 200
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_FS_IO)
@ -356,6 +357,11 @@ int main( void )
" server_addr=%%s default: (all interfaces)\n" \
" server_port=%%d default: 4433\n" \
" debug_level=%%d default: 0 (disabled)\n" \
" buffer_size=%%d default: 200 \n" \
" (minimum: 1, max: 16385)\n" \
" response_size=%%d default: about 152 (basic response)\n" \
" (minimum: 0, max: 16384)\n" \
" increases buffer_size if bigger\n"\
" nbio=%%d default: 0 (blocking I/O)\n" \
" options: 1 (non-blocking), 2 (added delays)\n" \
" event=%%d default: 0 (loop)\n" \
@ -431,6 +437,8 @@ struct options
int nbio; /* should I/O be blocking? */
int event; /* loop or event-driven IO? level or edge triggered? */
uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */
int response_size; /* pad response with header to requested size */
uint16_t buffer_size; /* IO buffer size */
const char *ca_file; /* the file with the CA certificate(s) */
const char *ca_path; /* the path with the CA certificate(s) reside */
const char *crt_file; /* the file with the server certificate */
@ -1166,7 +1174,7 @@ int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags, exchanges_left;
int version_suites[4][2];
unsigned char buf[IO_BUF_LEN];
unsigned char* buf = 0;
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
size_t psk_len = 0;
@ -1297,10 +1305,12 @@ int main( int argc, char *argv[] )
goto exit;
}
opt.buffer_size = DFL_IO_BUF_LEN;
opt.server_addr = DFL_SERVER_ADDR;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.event = DFL_EVENT;
opt.response_size = DFL_RESPONSE_SIZE;
opt.nbio = DFL_NBIO;
opt.read_timeout = DFL_READ_TIMEOUT;
opt.ca_file = DFL_CA_FILE;
@ -1393,6 +1403,20 @@ int main( int argc, char *argv[] )
}
else if( strcmp( p, "read_timeout" ) == 0 )
opt.read_timeout = atoi( q );
else if( strcmp( p, "buffer_size" ) == 0 )
{
opt.buffer_size = atoi( q );
if( opt.buffer_size < 1 || opt.buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 )
goto usage;
}
else if( strcmp( p, "response_size" ) == 0 )
{
opt.response_size = atoi( q );
if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_MAX_CONTENT_LEN )
goto usage;
if( opt.buffer_size < opt.response_size )
opt.buffer_size = opt.response_size;
}
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
@ -1729,6 +1753,13 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold( opt.debug_level );
#endif
buf = mbedtls_calloc( 1, opt.buffer_size + 1 );
if( buf == NULL )
{
mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size );
ret = 3;
goto exit;
}
if( opt.force_ciphersuite[0] > 0 )
{
@ -2745,8 +2776,8 @@ data_exchange:
do
{
int terminated = 0;
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
len = opt.buffer_size - 1;
memset( buf, 0, opt.buffer_size );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( mbedtls_status_is_ssl_in_progress( ret ) )
@ -2846,8 +2877,8 @@ data_exchange:
}
else /* Not stream, so datagram */
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
len = opt.buffer_size - 1;
memset( buf, 0, opt.buffer_size );
do
{
@ -2945,6 +2976,25 @@ data_exchange:
len = sprintf( (char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite( &ssl ) );
/* Add padding to the response to reach opt.response_size in length */
if( opt.response_size != DFL_RESPONSE_SIZE &&
len < opt.response_size )
{
memset( buf + len, 'B', opt.response_size - len );
len += opt.response_size - len;
}
/* Truncate if response size is smaller than the "natural" size */
if( opt.response_size != DFL_RESPONSE_SIZE &&
len > opt.response_size )
{
len = opt.response_size;
/* Still end with \r\n unless that's really not possible */
if( len >= 2 ) buf[len - 2] = '\r';
if( len >= 1 ) buf[len - 1] = '\n';
}
if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM )
{
for( written = 0, frags = 0; written < len; written += ret, frags++ )
@ -3096,6 +3146,8 @@ exit:
mbedtls_ssl_cookie_free( &cookie_ctx );
#endif
mbedtls_free( buf );
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#if defined(MBEDTLS_MEMORY_DEBUG)
mbedtls_memory_buffer_alloc_status();

5
programs/test/benchmark.c
View file

@ -700,7 +700,6 @@ int main( int argc, char *argv[] )
mbedtls_exit(1);
TIME_AND_TSC( "HMAC_DRBG SHA-1 (NOPR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1);
@ -708,7 +707,6 @@ int main( int argc, char *argv[] )
MBEDTLS_HMAC_DRBG_PR_ON );
TIME_AND_TSC( "HMAC_DRBG SHA-1 (PR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif
#if defined(MBEDTLS_SHA256_C)
@ -719,7 +717,6 @@ int main( int argc, char *argv[] )
mbedtls_exit(1);
TIME_AND_TSC( "HMAC_DRBG SHA-256 (NOPR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1);
@ -727,8 +724,8 @@ int main( int argc, char *argv[] )
MBEDTLS_HMAC_DRBG_PR_ON );
TIME_AND_TSC( "HMAC_DRBG SHA-256 (PR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif
mbedtls_hmac_drbg_free( &hmac_drbg );
}
#endif

67
programs/x509/cert_req.c
View file

@ -59,16 +59,19 @@ int main( void )
#include <string.h>
#define DFL_FILENAME "keyfile.key"
#define DFL_PASSWORD NULL
#define DFL_DEBUG_LEVEL 0
#define DFL_OUTPUT_FILENAME "cert.req"
#define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"
#define DFL_KEY_USAGE 0
#define DFL_NS_CERT_TYPE 0
#define DFL_MD_ALG MBEDTLS_MD_SHA256
#define USAGE \
"\n usage: cert_req param=<>...\n" \
"\n acceptable parameters:\n" \
" filename=%%s default: keyfile.key\n" \
" password=%%s default: NULL\n" \
" debug_level=%%d default: 0 (disabled)\n" \
" output_file=%%s default: cert.req\n" \
" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
@ -90,6 +93,11 @@ int main( void )
" ssl_ca\n" \
" email_ca\n" \
" object_signing_ca\n" \
" md=%%s default: SHA256\n" \
" possible values:\n" \
" MD4, MD5, SHA1\n" \
" SHA224, SHA256\n" \
" SHA384, SHA512\n" \
"\n"
/*
@ -98,11 +106,13 @@ int main( void )
struct options
{
const char *filename; /* filename of the key file */
const char *password; /* password for the key file */
int debug_level; /* level of debugging */
const char *output_file; /* where to store the constructed key file */
const char *subject_name; /* subject name for certificate request */
unsigned char key_usage; /* key usage flags */
unsigned char ns_cert_type; /* NS cert type */
mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */
} opt;
int write_certificate_request( mbedtls_x509write_csr *req, const char *output_file,
@ -151,7 +161,6 @@ int main( int argc, char *argv[] )
* Set to sane values
*/
mbedtls_x509write_csr_init( &req );
mbedtls_x509write_csr_set_md_alg( &req, MBEDTLS_MD_SHA256 );
mbedtls_pk_init( &key );
mbedtls_ctr_drbg_init( &ctr_drbg );
memset( buf, 0, sizeof( buf ) );
@ -164,11 +173,13 @@ int main( int argc, char *argv[] )
}
opt.filename = DFL_FILENAME;
opt.password = DFL_PASSWORD;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.output_file = DFL_OUTPUT_FILENAME;
opt.subject_name = DFL_SUBJECT_NAME;
opt.key_usage = DFL_KEY_USAGE;
opt.ns_cert_type = DFL_NS_CERT_TYPE;
opt.md_alg = DFL_MD_ALG;
for( i = 1; i < argc; i++ )
{
@ -180,6 +191,8 @@ int main( int argc, char *argv[] )
if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else if( strcmp( p, "password" ) == 0 )
opt.password = q;
else if( strcmp( p, "output_file" ) == 0 )
opt.output_file = q;
else if( strcmp( p, "debug_level" ) == 0 )
@ -192,6 +205,54 @@ int main( int argc, char *argv[] )
{
opt.subject_name = q;
}
else if( strcmp( p, "md" ) == 0 )
{
if( strcmp( q, "SHA256" ) == 0 )
{
opt.md_alg = MBEDTLS_MD_SHA256;
}
else if( strcmp( q, "SHA224" ) == 0 )
{
opt.md_alg = MBEDTLS_MD_SHA224;
}
else
#if defined(MBEDTLS_MD5_C)
if( strcmp( q, "MD5" ) == 0 )
{
opt.md_alg = MBEDTLS_MD_MD5;
}
else
#endif /* MBEDTLS_MD5_C */
#if defined(MBEDTLS_MD4_C)
if( strcmp( q, "MD4" ) == 0 )
{
opt.md_alg = MBEDTLS_MD_MD4;
}
else
#endif /* MBEDTLS_MD5_C */
#if defined(MBEDTLS_SHA1_C)
if( strcmp( q, "SHA1" ) == 0 )
{
opt.md_alg = MBEDTLS_MD_SHA1;
}
else
#endif /* MBEDTLS_SHA1_C */
#if defined(MBEDTLS_SHA512_C)
if( strcmp( q, "SHA384" ) == 0 )
{
opt.md_alg = MBEDTLS_MD_SHA384;
}
else
if( strcmp( q, "SHA512" ) == 0 )
{
opt.md_alg = MBEDTLS_MD_SHA512;
}
else
#endif /* MBEDTLS_SHA512_C */
{
goto usage;
}
}
else if( strcmp( p, "key_usage" ) == 0 )
{
while( q != NULL )
@ -250,6 +311,8 @@ int main( int argc, char *argv[] )
goto usage;
}
mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg );
if( opt.key_usage )
mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage );
@ -293,7 +356,7 @@ int main( int argc, char *argv[] )
mbedtls_printf( " . Loading the private key ..." );
fflush( stdout );
ret = mbedtls_pk_parse_keyfile( &key, opt.filename, NULL );
ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password );
if( ret != 0 )
{

6
programs/x509/cert_write.c
View file

@ -242,6 +242,7 @@ int main( int argc, char *argv[] )
mbedtls_pk_init( &loaded_subject_key );
mbedtls_mpi_init( &serial );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
#if defined(MBEDTLS_X509_CSR_PARSE_C)
mbedtls_x509_csr_init( &csr );
#endif
@ -475,7 +476,6 @@ int main( int argc, char *argv[] )
mbedtls_printf( " . Seeding the random number generator..." );
fflush( stdout );
mbedtls_entropy_init( &entropy );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
@ -789,6 +789,10 @@ int main( int argc, char *argv[] )
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
#if defined(MBEDTLS_X509_CSR_PARSE_C)
mbedtls_x509_csr_free( &csr );
#endif /* MBEDTLS_X509_CSR_PARSE_C */
mbedtls_x509_crt_free( &issuer_crt );
mbedtls_x509write_crt_free( &crt );
mbedtls_pk_free( &loaded_subject_key );
mbedtls_pk_free( &loaded_issuer_key );