Due to the recent change about entropy sources strength, it is no longer
acceptable to just disable the platform source. So, instead "fix" it so that
it is clear to MemSan that memory is initialized.
I tried __attribute__((no_sanitize_memory)) and MemSan's blacklist file, but
couldn't seem to get them to work.
* set_hs:
Add tests for mbedtls_set_hs_ca_chain()
Add tests for mbedtls_ssl_set_hs_authmode()
Add support for SNI CA and authmode in ssl_server2
Add mbedtls_ssl_set_hs_authmode
While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)
* snprintf:
Rationalize other snprintf() uses
Rationalize snprintf() usage in X.509 modules
Add tests for snprintf
Include fixed snprintf for Windows in platform.c
- Added in each tests program to be sure they are run (putting them in a test
suite/function specific to the platform layer would cause them to be skipped
when PLATFORM_C is not defined).
- Platforms have already moved from a standard to a broken snprintf in the
past [1], so make sure to catch that if it ever happens again.
[1]: http://sourceforge.net/p/mingw-w64/mailman/message/31241434/
openssl s_server up to 1.0.2.a included uses a 512-bit prime for DH by
default. Since we now require 1024 bit at least, make s_server use decent
params. (1.0.2b and up use acceptable params by default.)
Just applying rename.pl with this file:
mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
* profiles:
Update Changelog for the profiles branch
Add SSL presets.
Implement sig_hashes
Create API for mbedtls_ssl_conf_sig_hashes().
Small internal changes in curve checking
Extra check in verify_with_profile()
Clarify a point in the documentation
Fix define for ssl_conf_curves()
Add mbedtls_ssl_conf_cert_profile()
Implement cert profile checking
Change data structure of profiles to bitfields
Add pre-defined profiles for cert verification
Create cert profile API (unimplemented yet)
Remove duplicated tests for x509_verify_info()
Add tests for dhm_min_bitlen
Add dhmlen option in ssl_client2.c
Add ssl_conf_dhm_min_bitlen()
- allows to express 'none' or 'all' more easily than lists
- more compact and easier to declare statically
- easier to check too
Only drawback: if we ever have more than 32 curves, we'll need an ABI change to
make that field a uint64_t.