diff options
Diffstat (limited to 'include')
55 files changed, 573 insertions, 130 deletions
diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt index 1b581a54..c2f2bd4e 100644 --- a/include/CMakeLists.txt +++ b/include/CMakeLists.txt @@ -11,6 +11,6 @@ if(INSTALL_MBEDTLS_HEADERS) endif(INSTALL_MBEDTLS_HEADERS) # Make config.h available in an out-of-source build. ssl-opt.sh requires it. -if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) +if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) link_to_source(mbedtls) endif() diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index b42e564e..94e7282d 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -655,6 +655,8 @@ MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ + +#if defined(MBEDTLS_SELF_TEST) /** * \brief Checkup routine. * @@ -663,6 +665,8 @@ MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, */ int mbedtls_aes_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/aesni.h b/include/mbedtls/aesni.h index 0196f49b..a4ca012f 100644 --- a/include/mbedtls/aesni.h +++ b/include/mbedtls/aesni.h @@ -27,6 +27,12 @@ #ifndef MBEDTLS_AESNI_H #define MBEDTLS_AESNI_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "aes.h" #define MBEDTLS_AESNI_AES 0x02000000u diff --git a/include/mbedtls/arc4.h b/include/mbedtls/arc4.h index c43f4065..fb044d5b 100644 --- a/include/mbedtls/arc4.h +++ b/include/mbedtls/arc4.h @@ -123,6 +123,8 @@ void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key, int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input, unsigned char *output ); +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -135,6 +137,8 @@ int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned */ int mbedtls_arc4_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 76c1780b..a1942436 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -24,14 +24,21 @@ #ifndef MBEDTLS_ASN1_WRITE_H #define MBEDTLS_ASN1_WRITE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "asn1.h" #define MBEDTLS_ASN1_CHK_ADD(g, f) \ - do { \ - if( ( ret = f ) < 0 ) \ + do \ + { \ + if( ( ret = (f) ) < 0 ) \ return( ret ); \ else \ - g += ret; \ + (g) += ret; \ } while( 0 ) #ifdef __cplusplus diff --git a/include/mbedtls/base64.h b/include/mbedtls/base64.h index 7a64f521..0d024164 100644 --- a/include/mbedtls/base64.h +++ b/include/mbedtls/base64.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_BASE64_H #define MBEDTLS_BASE64_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include <stddef.h> #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer too small. */ @@ -75,6 +81,7 @@ int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen, int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen, const unsigned char *src, size_t slen ); +#if defined(MBEDTLS_SELF_TEST) /** * \brief Checkup routine * @@ -82,6 +89,8 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen, */ int mbedtls_base64_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 141a8e9a..1c860726 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -46,7 +46,12 @@ #define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE -0x000E /**< The input arguments are not acceptable. */ #define MBEDTLS_ERR_MPI_ALLOC_FAILED -0x0010 /**< Memory allocation failed. */ -#define MBEDTLS_MPI_CHK(f) do { if( ( ret = f ) != 0 ) goto cleanup; } while( 0 ) +#define MBEDTLS_MPI_CHK(f) \ + do \ + { \ + if( ( ret = (f) ) != 0 ) \ + goto cleanup; \ + } while( 0 ) /* * Maximum size MPIs are allowed to grow to in number of limbs. @@ -943,6 +948,8 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -950,6 +957,8 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags, */ int mbedtls_mpi_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h index 2f7b72fe..c33bd8d4 100644 --- a/include/mbedtls/bn_mul.h +++ b/include/mbedtls/bn_mul.h @@ -38,6 +38,12 @@ #ifndef MBEDTLS_BN_MUL_H #define MBEDTLS_BN_MUL_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "bignum.h" #if defined(MBEDTLS_HAVE_ASM) @@ -750,7 +756,7 @@ "sw $10, %2 \n\t" \ : "=m" (c), "=m" (d), "=m" (s) \ : "m" (s), "m" (d), "m" (c), "m" (b) \ - : "$9", "$10", "$11", "$12", "$13", "$14", "$15" \ + : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \ ); #endif /* MIPS */ diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index 0f7c42c9..3eeb6636 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h @@ -308,6 +308,8 @@ int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CTR */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -315,6 +317,8 @@ int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, */ int mbedtls_camellia_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 3f6b8f67..f03e3b58 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -49,6 +49,12 @@ #ifndef MBEDTLS_CCM_H #define MBEDTLS_CCM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "cipher.h" #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to the function. */ diff --git a/include/mbedtls/certs.h b/include/mbedtls/certs.h index 8dab7b5c..179ebbba 100644 --- a/include/mbedtls/certs.h +++ b/include/mbedtls/certs.h @@ -24,74 +24,226 @@ #ifndef MBEDTLS_CERTS_H #define MBEDTLS_CERTS_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include <stddef.h> #ifdef __cplusplus extern "C" { #endif +/* List of all PEM-encoded CA certificates, terminated by NULL; + * PEM encoded if MBEDTLS_PEM_PARSE_C is enabled, DER encoded + * otherwise. */ +extern const char * mbedtls_test_cas[]; +extern const size_t mbedtls_test_cas_len[]; + +/* List of all DER-encoded CA certificates, terminated by NULL */ +extern const unsigned char * mbedtls_test_cas_der[]; +extern const size_t mbedtls_test_cas_der_len[]; + #if defined(MBEDTLS_PEM_PARSE_C) /* Concatenation of all CA certificates in PEM format if available */ extern const char mbedtls_test_cas_pem[]; extern const size_t mbedtls_test_cas_pem_len; -#endif - -/* List of all CA certificates, terminated by NULL */ -extern const char * mbedtls_test_cas[]; -extern const size_t mbedtls_test_cas_len[]; +#endif /* MBEDTLS_PEM_PARSE_C */ /* - * Convenience for users who just want a certificate: - * RSA by default, or ECDSA if RSA is not available + * CA test certificates */ + +extern const char mbedtls_test_ca_crt_ec_pem[]; +extern const char mbedtls_test_ca_key_ec_pem[]; +extern const char mbedtls_test_ca_pwd_ec_pem[]; +extern const char mbedtls_test_ca_key_rsa_pem[]; +extern const char mbedtls_test_ca_pwd_rsa_pem[]; +extern const char mbedtls_test_ca_crt_rsa_sha1_pem[]; +extern const char mbedtls_test_ca_crt_rsa_sha256_pem[]; + +extern const unsigned char mbedtls_test_ca_crt_ec_der[]; +extern const unsigned char mbedtls_test_ca_key_ec_der[]; +extern const unsigned char mbedtls_test_ca_key_rsa_der[]; +extern const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[]; +extern const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[]; + +extern const size_t mbedtls_test_ca_crt_ec_pem_len; +extern const size_t mbedtls_test_ca_key_ec_pem_len; +extern const size_t mbedtls_test_ca_pwd_ec_pem_len; +extern const size_t mbedtls_test_ca_key_rsa_pem_len; +extern const size_t mbedtls_test_ca_pwd_rsa_pem_len; +extern const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len; +extern const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len; + +extern const size_t mbedtls_test_ca_crt_ec_der_len; +extern const size_t mbedtls_test_ca_key_ec_der_len; +extern const size_t mbedtls_test_ca_pwd_ec_der_len; +extern const size_t mbedtls_test_ca_key_rsa_der_len; +extern const size_t mbedtls_test_ca_pwd_rsa_der_len; +extern const size_t mbedtls_test_ca_crt_rsa_sha1_der_len; +extern const size_t mbedtls_test_ca_crt_rsa_sha256_der_len; + +/* Config-dependent dispatch between PEM and DER encoding + * (PEM if enabled, otherwise DER) */ + +extern const char mbedtls_test_ca_crt_ec[]; +extern const char mbedtls_test_ca_key_ec[]; +extern const char mbedtls_test_ca_pwd_ec[]; +extern const char mbedtls_test_ca_key_rsa[]; +extern const char mbedtls_test_ca_pwd_rsa[]; +extern const char mbedtls_test_ca_crt_rsa_sha1[]; +extern const char mbedtls_test_ca_crt_rsa_sha256[]; + +extern const size_t mbedtls_test_ca_crt_ec_len; +extern const size_t mbedtls_test_ca_key_ec_len; +extern const size_t mbedtls_test_ca_pwd_ec_len; +extern const size_t mbedtls_test_ca_key_rsa_len; +extern const size_t mbedtls_test_ca_pwd_rsa_len; +extern const size_t mbedtls_test_ca_crt_rsa_sha1_len; +extern const size_t mbedtls_test_ca_crt_rsa_sha256_len; + +/* Config-dependent dispatch between SHA-1 and SHA-256 + * (SHA-256 if enabled, otherwise SHA-1) */ + +extern const char mbedtls_test_ca_crt_rsa[]; +extern const size_t mbedtls_test_ca_crt_rsa_len; + +/* Config-dependent dispatch between EC and RSA + * (RSA if enabled, otherwise EC) */ + extern const char * mbedtls_test_ca_crt; -extern const size_t mbedtls_test_ca_crt_len; extern const char * mbedtls_test_ca_key; -extern const size_t mbedtls_test_ca_key_len; extern const char * mbedtls_test_ca_pwd; +extern const size_t mbedtls_test_ca_crt_len; +extern const size_t mbedtls_test_ca_key_len; extern const size_t mbedtls_test_ca_pwd_len; + +/* + * Server test certificates + */ + +extern const char mbedtls_test_srv_crt_ec_pem[]; +extern const char mbedtls_test_srv_key_ec_pem[]; +extern const char mbedtls_test_srv_pwd_ec_pem[]; +extern const char mbedtls_test_srv_key_rsa_pem[]; +extern const char mbedtls_test_srv_pwd_rsa_pem[]; +extern const char mbedtls_test_srv_crt_rsa_sha1_pem[]; +extern const char mbedtls_test_srv_crt_rsa_sha256_pem[]; + +extern const unsigned char mbedtls_test_srv_crt_ec_der[]; +extern const unsigned char mbedtls_test_srv_key_ec_der[]; +extern const unsigned char mbedtls_test_srv_key_rsa_der[]; +extern const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[]; +extern const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[]; + +extern const size_t mbedtls_test_srv_crt_ec_pem_len; +extern const size_t mbedtls_test_srv_key_ec_pem_len; +extern const size_t mbedtls_test_srv_pwd_ec_pem_len; +extern const size_t mbedtls_test_srv_key_rsa_pem_len; +extern const size_t mbedtls_test_srv_pwd_rsa_pem_len; +extern const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len; +extern const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len; + +extern const size_t mbedtls_test_srv_crt_ec_der_len; +extern const size_t mbedtls_test_srv_key_ec_der_len; +extern const size_t mbedtls_test_srv_pwd_ec_der_len; +extern const size_t mbedtls_test_srv_key_rsa_der_len; +extern const size_t mbedtls_test_srv_pwd_rsa_der_len; +extern const size_t mbedtls_test_srv_crt_rsa_sha1_der_len; +extern const size_t mbedtls_test_srv_crt_rsa_sha256_der_len; + +/* Config-dependent dispatch between PEM and DER encoding + * (PEM if enabled, otherwise DER) */ + +extern const char mbedtls_test_srv_crt_ec[]; +extern const char mbedtls_test_srv_key_ec[]; +extern const char mbedtls_test_srv_pwd_ec[]; +extern const char mbedtls_test_srv_key_rsa[]; +extern const char mbedtls_test_srv_pwd_rsa[]; +extern const char mbedtls_test_srv_crt_rsa_sha1[]; +extern const char mbedtls_test_srv_crt_rsa_sha256[]; + +extern const size_t mbedtls_test_srv_crt_ec_len; +extern const size_t mbedtls_test_srv_key_ec_len; +extern const size_t mbedtls_test_srv_pwd_ec_len; +extern const size_t mbedtls_test_srv_key_rsa_len; +extern const size_t mbedtls_test_srv_pwd_rsa_len; +extern const size_t mbedtls_test_srv_crt_rsa_sha1_len; +extern const size_t mbedtls_test_srv_crt_rsa_sha256_len; + +/* Config-dependent dispatch between SHA-1 and SHA-256 + * (SHA-256 if enabled, otherwise SHA-1) */ + +extern const char mbedtls_test_srv_crt_rsa[]; +extern const size_t mbedtls_test_srv_crt_rsa_len; + +/* Config-dependent dispatch between EC and RSA + * (RSA if enabled, otherwise EC) */ + extern const char * mbedtls_test_srv_crt; -extern const size_t mbedtls_test_srv_crt_len; extern const char * mbedtls_test_srv_key; +extern const char * mbedtls_test_srv_pwd; +extern const size_t mbedtls_test_srv_crt_len; extern const size_t mbedtls_test_srv_key_len; -extern const char * mbedtls_test_cli_crt; -extern const size_t mbedtls_test_cli_crt_len; -extern const char * mbedtls_test_cli_key; -extern const size_t mbedtls_test_cli_key_len; +extern const size_t mbedtls_test_srv_pwd_len; + +/* + * Client test certificates + */ + +extern const char mbedtls_test_cli_crt_ec_pem[]; +extern const char mbedtls_test_cli_key_ec_pem[]; +extern const char mbedtls_test_cli_pwd_ec_pem[]; +extern const char mbedtls_test_cli_key_rsa_pem[]; +extern const char mbedtls_test_cli_pwd_rsa_pem[]; +extern const char mbedtls_test_cli_crt_rsa_pem[]; + +extern const unsigned char mbedtls_test_cli_crt_ec_der[]; +extern const unsigned char mbedtls_test_cli_key_ec_der[]; +extern const unsigned char mbedtls_test_cli_key_rsa_der[]; +extern const unsigned char mbedtls_test_cli_crt_rsa_der[]; + +extern const size_t mbedtls_test_cli_crt_ec_pem_len; +extern const size_t mbedtls_test_cli_key_ec_pem_len; +extern const size_t mbedtls_test_cli_pwd_ec_pem_len; +extern const size_t mbedtls_test_cli_key_rsa_pem_len; +extern const size_t mbedtls_test_cli_pwd_rsa_pem_len; +extern const size_t mbedtls_test_cli_crt_rsa_pem_len; + +extern const size_t mbedtls_test_cli_crt_ec_der_len; +extern const size_t mbedtls_test_cli_key_ec_der_len; +extern const size_t mbedtls_test_cli_key_rsa_der_len; +extern const size_t mbedtls_test_cli_crt_rsa_der_len; + +/* Config-dependent dispatch between PEM and DER encoding + * (PEM if enabled, otherwise DER) */ + +extern const char mbedtls_test_cli_crt_ec[]; +extern const char mbedtls_test_cli_key_ec[]; +extern const char mbedtls_test_cli_pwd_ec[]; +extern const char mbedtls_test_cli_key_rsa[]; +extern const char mbedtls_test_cli_pwd_rsa[]; +extern const char mbedtls_test_cli_crt_rsa[]; -#if defined(MBEDTLS_ECDSA_C) -extern const char mbedtls_test_ca_crt_ec[]; -extern const size_t mbedtls_test_ca_crt_ec_len; -extern const char mbedtls_test_ca_key_ec[]; -extern const size_t mbedtls_test_ca_key_ec_len; -extern const char mbedtls_test_ca_pwd_ec[]; -extern const size_t mbedtls_test_ca_pwd_ec_len; -extern const char mbedtls_test_srv_crt_ec[]; -extern const size_t mbedtls_test_srv_crt_ec_len; -extern const char mbedtls_test_srv_key_ec[]; -extern const size_t mbedtls_test_srv_key_ec_len; -extern const char mbedtls_test_cli_crt_ec[]; extern const size_t mbedtls_test_cli_crt_ec_len; -extern const char mbedtls_test_cli_key_ec[]; extern const size_t mbedtls_test_cli_key_ec_len; -#endif - -#if defined(MBEDTLS_RSA_C) -extern const char mbedtls_test_ca_crt_rsa[]; -extern const size_t mbedtls_test_ca_crt_rsa_len; -extern const char mbedtls_test_ca_key_rsa[]; -extern const size_t mbedtls_test_ca_key_rsa_len; -extern const char mbedtls_test_ca_pwd_rsa[]; -extern const size_t mbedtls_test_ca_pwd_rsa_len; -extern const char mbedtls_test_srv_crt_rsa[]; -extern const size_t mbedtls_test_srv_crt_rsa_len; -extern const char mbedtls_test_srv_key_rsa[]; -extern const size_t mbedtls_test_srv_key_rsa_len; -extern const char mbedtls_test_cli_crt_rsa[]; -extern const size_t mbedtls_test_cli_crt_rsa_len; -extern const char mbedtls_test_cli_key_rsa[]; +extern const size_t mbedtls_test_cli_pwd_ec_len; extern const size_t mbedtls_test_cli_key_rsa_len; -#endif +extern const size_t mbedtls_test_cli_pwd_rsa_len; +extern const size_t mbedtls_test_cli_crt_rsa_len; + +/* Config-dependent dispatch between EC and RSA + * (RSA if enabled, otherwise EC) */ + +extern const char * mbedtls_test_cli_crt; +extern const char * mbedtls_test_cli_key; +extern const char * mbedtls_test_cli_pwd; +extern const size_t mbedtls_test_cli_crt_len; +extern const size_t mbedtls_test_cli_key_len; +extern const size_t mbedtls_test_cli_pwd_len; #ifdef __cplusplus } diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 922b6c32..082a6917 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -36,7 +36,7 @@ #endif #include <stddef.h> -#include "mbedtls/platform_util.h" +#include "platform_util.h" #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) #define MBEDTLS_CIPHER_MODE_AEAD diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h index c1967935..9d42b3f2 100644 --- a/include/mbedtls/cmac.h +++ b/include/mbedtls/cmac.h @@ -28,6 +28,12 @@ #ifndef MBEDTLS_CMAC_H #define MBEDTLS_CMAC_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "cipher.h" #ifdef __cplusplus diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h index 213b6914..a58b4724 100644 --- a/include/mbedtls/compat-1.3.h +++ b/include/mbedtls/compat-1.3.h @@ -25,6 +25,12 @@ * This file is part of mbed TLS (https://tls.mbed.org) */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #if ! defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 91cc5bdd..654f9725 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -687,6 +687,26 @@ #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES /** + * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES + * + * Remove 3DES ciphersuites by default in SSL / TLS. + * This flag removes the ciphersuites based on 3DES from the default list as + * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible + * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including + * them explicitly. + * + * A man-in-the-browser attacker can recover authentication tokens sent through + * a TLS connection using a 3DES based cipher suite (see "On the Practical + * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaƫtan + * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls + * in your threat model or you are unsure, then you should keep this option + * enabled to remove 3DES based cipher suites. + * + * Comment this macro to keep 3DES in the default ciphersuite list. + */ +#define MBEDTLS_REMOVE_3DES_CIPHERSUITES + +/** * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED * * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h index 10f9389d..cc3df7b1 100644 --- a/include/mbedtls/ctr_drbg.h +++ b/include/mbedtls/ctr_drbg.h @@ -36,6 +36,12 @@ #ifndef MBEDTLS_CTR_DRBG_H #define MBEDTLS_CTR_DRBG_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "aes.h" #if defined(MBEDTLS_THREADING_C) @@ -350,6 +356,8 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ); #endif /* MBEDTLS_FS_IO */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief The CTR_DRBG checkup routine. * @@ -358,6 +366,8 @@ int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char */ int mbedtls_ctr_drbg_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + /* Internal functions (do not call directly) */ int mbedtls_ctr_drbg_seed_entropy_len( mbedtls_ctr_drbg_context *, int (*)(void *, unsigned char *, size_t), void *, diff --git a/include/mbedtls/des.h b/include/mbedtls/des.h index d62042d1..54e6b789 100644 --- a/include/mbedtls/des.h +++ b/include/mbedtls/des.h @@ -338,6 +338,8 @@ int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx, void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] ); +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -345,6 +347,8 @@ void mbedtls_des_setkey( uint32_t SK[32], */ int mbedtls_des_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index a5452c19..2909f5fb 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -334,6 +334,8 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief The DMH checkup routine. * @@ -342,6 +344,7 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); */ int mbedtls_dhm_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ #ifdef __cplusplus } #endif diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h index 05b2b039..4479a1d4 100644 --- a/include/mbedtls/ecdh.h +++ b/include/mbedtls/ecdh.h @@ -34,6 +34,12 @@ #ifndef MBEDTLS_ECDH_H #define MBEDTLS_ECDH_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ecp.h" /* diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index 40fdab37..f8b28507 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -32,6 +32,12 @@ #ifndef MBEDTLS_ECDSA_H #define MBEDTLS_ECDSA_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ecp.h" #include "md.h" diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index b967af83..3d8d02ae 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -40,6 +40,11 @@ * The payloads are serialized in a way suitable for use in TLS, but could * also be use outside TLS. */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif #include "ecp.h" #include "md.h" diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index de3a343c..065a4cc0 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -36,6 +36,12 @@ #ifndef MBEDTLS_ECP_H #define MBEDTLS_ECP_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "bignum.h" /* @@ -189,6 +195,68 @@ typedef struct mbedtls_ecp_group } mbedtls_ecp_group; +/** + * \name SECTION: Module settings + * + * The configuration options you can set for this module are in this section. + * Either change them in config.h, or define them using the compiler command line. + * \{ + */ + +#if !defined(MBEDTLS_ECP_MAX_BITS) +/** + * The maximum size of the groups, that is, of \c N and \c P. + */ +#define MBEDTLS_ECP_MAX_BITS 521 /**< The maximum size of groups, in bits. */ +#endif + +#define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 ) +#define MBEDTLS_ECP_MAX_PT_LEN ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 ) + +#if !defined(MBEDTLS_ECP_WINDOW_SIZE) +/* + * Maximum "window" size used for point multiplication. + * Default: 6. + * Minimum value: 2. Maximum value: 7. + * + * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) ) + * points used for point multiplication. This value is directly tied to EC + * peak memory usage, so decreasing it by one should roughly cut memory usage + * by two (if large curves are in use). + * + * Reduction in size may reduce speed, but larger curves are impacted first. + * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1): + * w-size: 6 5 4 3 2 + * 521 145 141 135 120 97 + * 384 214 209 198 177 146 + * 256 320 320 303 262 226 + * 224 475 475 453 398 342 + * 192 640 640 633 587 476 + */ +#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< The maximum window size used. */ +#endif /* MBEDTLS_ECP_WINDOW_SIZE */ + +#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM) +/* + * Trade memory for speed on fixed-point multiplication. + * + * This speeds up repeated multiplication of the generator (that is, the + * multiplication in ECDSA signatures, and half of the multiplications in + * ECDSA verification and ECDHE) by a factor roughly 3 to 4. + * + * The cost is increasing EC peak memory usage by a factor roughly 2. + * + * Change this value to 0 to reduce peak memory usage. + */ +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */ +#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */ + +/* \} name SECTION: Module settings */ + +#else /* MBEDTLS_ECP_ALT */ +#include "ecp_alt.h" +#endif /* MBEDTLS_ECP_ALT */ + #if defined(MBEDTLS_ECP_RESTARTABLE) /** @@ -254,68 +322,6 @@ typedef void mbedtls_ecp_restart_ctx; #endif /* MBEDTLS_ECP_RESTARTABLE */ /** - * \name SECTION: Module settings - * - * The configuration options you can set for this module are in this section. - * Either change them in config.h, or define them using the compiler command line. - * \{ - */ - -#if !defined(MBEDTLS_ECP_MAX_BITS) -/** - * The maximum size of the groups, that is, of \c N and \c P. - */ -#define MBEDTLS_ECP_MAX_BITS 521 /**< The maximum size of groups, in bits. */ -#endif - -#define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 ) -#define MBEDTLS_ECP_MAX_PT_LEN ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 ) - -#if !defined(MBEDTLS_ECP_WINDOW_SIZE) -/* - * Maximum "window" size used for point multiplication. - * Default: 6. - * Minimum value: 2. Maximum value: 7. - * - * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) ) - * points used for point multiplication. This value is directly tied to EC - * peak memory usage, so decreasing it by one should roughly cut memory usage - * by two (if large curves are in use). - * - * Reduction in size may reduce speed, but larger curves are impacted first. - * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1): - * w-size: 6 5 4 3 2 - * 521 145 141 135 120 97 - * 384 214 209 198 177 146 - * 256 320 320 303 262 226 - * 224 475 475 453 398 342 - * 192 640 640 633 587 476 - */ -#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< The maximum window size used. */ -#endif /* MBEDTLS_ECP_WINDOW_SIZE */ - -#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM) -/* - * Trade memory for speed on fixed-point multiplication. - * - * This speeds up repeated multiplication of the generator (that is, the - * multiplication in ECDSA signatures, and half of the multiplications in - * ECDSA verification and ECDHE) by a factor roughly 3 to 4. - * - * The cost is increasing EC peak memory usage by a factor roughly 2. - * - * Change this value to 0 to reduce peak memory usage. - */ -#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */ -#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */ - -/* \} name SECTION: Module settings */ - -#else /* MBEDTLS_ECP_ALT */ -#include "ecp_alt.h" -#endif /* MBEDTLS_ECP_ALT */ - -/** * \brief The ECP key-pair structure. * * A generic key-pair that may be used for ECDSA and fixed ECDH, for example. @@ -476,7 +482,7 @@ void mbedtls_ecp_point_init( mbedtls_ecp_point *pt ); * * \note After this function is called, domain parameters * for various ECP groups can be loaded through the - * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group() + * mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group() * functions. */ void mbedtls_ecp_group_init( mbedtls_ecp_group *grp ); diff --git a/include/mbedtls/ecp_internal.h b/include/mbedtls/ecp_internal.h index 18040697..7625ed48 100644 --- a/include/mbedtls/ecp_internal.h +++ b/include/mbedtls/ecp_internal.h @@ -61,6 +61,12 @@ #ifndef MBEDTLS_ECP_INTERNAL_H #define MBEDTLS_ECP_INTERNAL_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #if defined(MBEDTLS_ECP_INTERNAL_ALT) /** diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 647a11a5..bee0fe48 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_ERROR_H #define MBEDTLS_ERROR_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include <stddef.h> /** diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index fccabb0d..fd130abd 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -33,6 +33,12 @@ #ifndef MBEDTLS_GCM_H #define MBEDTLS_GCM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "cipher.h" #include <stdint.h> @@ -300,6 +306,8 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx, */ void mbedtls_gcm_free( mbedtls_gcm_context *ctx ); +#if defined(MBEDTLS_SELF_TEST) + /** * \brief The GCM checkup routine. * @@ -308,6 +316,8 @@ void mbedtls_gcm_free( mbedtls_gcm_context *ctx ); */ int mbedtls_gcm_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/havege.h b/include/mbedtls/havege.h index 57e8c409..4c1c8608 100644 --- a/include/mbedtls/havege.h +++ b/include/mbedtls/havege.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_HAVEGE_H #define MBEDTLS_HAVEGE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include <stddef.h> #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024 diff --git a/include/mbedtls/hkdf.h b/include/mbedtls/hkdf.h index e6ed7cde..40ee64eb 100644 --- a/include/mbedtls/hkdf.h +++ b/include/mbedtls/hkdf.h @@ -27,6 +27,12 @@ #ifndef MBEDTLS_HKDF_H #define MBEDTLS_HKDF_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "md.h" /** diff --git a/include/mbedtls/hmac_drbg.h b/include/mbedtls/hmac_drbg.h index 146367b9..7eae32bb 100644 --- a/include/mbedtls/hmac_drbg.h +++ b/include/mbedtls/hmac_drbg.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_HMAC_DRBG_H #define MBEDTLS_HMAC_DRBG_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "md.h" #if defined(MBEDTLS_THREADING_C) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index f9bd98f8..fe97cf08 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -283,6 +283,8 @@ MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -295,6 +297,8 @@ MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input, */ int mbedtls_md2_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index dc3c0489..ce703c0b 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -288,6 +288,8 @@ MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -300,6 +302,8 @@ MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input, */ int mbedtls_md4_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 6c3354fd..6eed6cc8 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -288,6 +288,8 @@ MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -300,6 +302,8 @@ MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input, */ int mbedtls_md5_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/net.h b/include/mbedtls/net.h index 6c13b53f..8cead58e 100644 --- a/include/mbedtls/net.h +++ b/include/mbedtls/net.h @@ -23,6 +23,11 @@ * * This file is part of mbed TLS (https://tls.mbed.org) */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif #if !defined(MBEDTLS_DEPRECATED_REMOVED) #include "net_sockets.h" diff --git a/include/mbedtls/nist_kw.h b/include/mbedtls/nist_kw.h index 5a0f656a..3b67b59c 100644 --- a/include/mbedtls/nist_kw.h +++ b/include/mbedtls/nist_kw.h @@ -37,6 +37,12 @@ #ifndef MBEDTLS_NIST_KW_H #define MBEDTLS_NIST_KW_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "cipher.h" #ifdef __cplusplus diff --git a/include/mbedtls/padlock.h b/include/mbedtls/padlock.h index 7a5d083a..721a5d49 100644 --- a/include/mbedtls/padlock.h +++ b/include/mbedtls/padlock.h @@ -28,6 +28,12 @@ #ifndef MBEDTLS_PADLOCK_H #define MBEDTLS_PADLOCK_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "aes.h" #define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED -0x0030 /**< Input data should be aligned. */ @@ -53,7 +59,7 @@ #define MBEDTLS_PADLOCK_PHE 0x0C00 #define MBEDTLS_PADLOCK_PMM 0x3000 -#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) x & ~15)) +#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15)) #ifdef __cplusplus extern "C" { diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index fa82f7bd..a29e9ce3 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_PEM_H #define MBEDTLS_PEM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include <stddef.h> /** diff --git a/include/mbedtls/pkcs12.h b/include/mbedtls/pkcs12.h index 69f04177..d441357b 100644 --- a/include/mbedtls/pkcs12.h +++ b/include/mbedtls/pkcs12.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_PKCS12_H #define MBEDTLS_PKCS12_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "md.h" #include "cipher.h" #include "asn1.h" diff --git a/include/mbedtls/pkcs5.h b/include/mbedtls/pkcs5.h index d4bb36df..c92185f7 100644 --- a/include/mbedtls/pkcs5.h +++ b/include/mbedtls/pkcs5.h @@ -26,6 +26,12 @@ #ifndef MBEDTLS_PKCS5_H #define MBEDTLS_PKCS5_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "asn1.h" #include "md.h" @@ -85,6 +91,8 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *p unsigned int iteration_count, uint32_t key_length, unsigned char *output ); +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -92,6 +100,8 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *p */ int mbedtls_pkcs5_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index b0e72ad1..dba6d459 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -26,14 +26,14 @@ #define MBEDTLS_PLATFORM_UTIL_H #if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" +#include "config.h" #else #include MBEDTLS_CONFIG_FILE #endif #include <stddef.h> #if defined(MBEDTLS_HAVE_TIME_DATE) -#include "mbedtls/platform_time.h" +#include "platform_time.h" #include <time.h> #endif /* MBEDTLS_HAVE_TIME_DATE */ diff --git a/include/mbedtls/poly1305.h b/include/mbedtls/poly1305.h index 05866a2d..f0ec44c9 100644 --- a/include/mbedtls/poly1305.h +++ b/include/mbedtls/poly1305.h @@ -34,7 +34,7 @@ #define MBEDTLS_POLY1305_H #if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" +#include "config.h" #else #include MBEDTLS_CONFIG_FILE #endif diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index c74b7d2c..b42f6d2a 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -219,6 +219,8 @@ MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -226,6 +228,8 @@ MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input, */ int mbedtls_ripemd160_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index ed65a344..906c4273 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1252,6 +1252,8 @@ int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) */ void mbedtls_rsa_free( mbedtls_rsa_context *ctx ); +#if defined(MBEDTLS_SELF_TEST) + /** * \brief The RSA checkup routine. * @@ -1260,6 +1262,8 @@ void mbedtls_rsa_free( mbedtls_rsa_context *ctx ); */ int mbedtls_rsa_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 38ea10b1..bb6ecf05 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -328,6 +328,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief The SHA-1 checkup routine. * @@ -341,6 +343,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input, */ int mbedtls_sha1_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index 0e42f0ab..d6473982 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -278,6 +278,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief The SHA-224 and SHA-256 checkup routine. * @@ -286,6 +288,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input, */ int mbedtls_sha256_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 7b26cf5c..c06ceed1 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -253,6 +253,7 @@ int mbedtls_sha512_ret( const unsigned char *input, #else #define MBEDTLS_DEPRECATED #endif + /** * \brief This function calculates the SHA-512 or SHA-384 * checksum of a buffer. @@ -280,6 +281,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input, #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ + +#if defined(MBEDTLS_SELF_TEST) + /** * \brief The SHA-384 or SHA-512 checkup routine. * @@ -287,6 +291,7 @@ MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input, * \return \c 1 on failure. */ int mbedtls_sha512_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ #ifdef __cplusplus } diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8106bb4a..d31f6cdd 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2532,22 +2532,28 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** - * \brief Set the maximum fragment length to emit and/or negotiate - * (Default: the smaller of MBEDTLS_SSL_IN_CONTENT_LEN and - * MBEDTLS_SSL_OUT_CONTENT_LEN, usually 2^14 bytes) + * \brief Set the maximum fragment length to emit and/or negotiate. + * (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and + * #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes) * (Server: set maximum fragment length to emit, - * usually negotiated by the client during handshake + * usually negotiated by the client during handshake) * (Client: set maximum fragment length to emit *and* * negotiate with the server during handshake) + * (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE) * - * \note With TLS, this currently only affects ApplicationData (sent - * with \c mbedtls_ssl_read()), not handshake messages. - * With DTLS, this affects both ApplicationData and handshake. + * \note On the client side, the maximum fragment length extension + * *will not* be used, unless the maximum fragment length has + * been set via this function to a value different than + * #MBEDTLS_SSL_MAX_FRAG_LEN_NONE. * * \note This sets the maximum length for a record's payload, * excluding record overhead that will be added to it, see * \c mbedtls_ssl_get_record_expansion(). * + * \note With TLS, this currently only affects ApplicationData (sent + * with \c mbedtls_ssl_read()), not handshake messages. + * With DTLS, this affects both ApplicationData and handshake. + * * \note For DTLS, it is also possible to set a limit for the total * size of daragrams passed to the transport layer, including * record overhead, see \c mbedtls_ssl_set_mtu(). diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h index ec081e6d..52ba0948 100644 --- a/include/mbedtls/ssl_cache.h +++ b/include/mbedtls/ssl_cache.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_SSL_CACHE_H #define MBEDTLS_SSL_CACHE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ssl.h" #if defined(MBEDTLS_THREADING_C) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index cda8b483..71053e5b 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_SSL_CIPHERSUITES_H #define MBEDTLS_SSL_CIPHERSUITES_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "pk.h" #include "cipher.h" #include "md.h" diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h index 6a0ad4fa..e34760ae 100644 --- a/include/mbedtls/ssl_cookie.h +++ b/include/mbedtls/ssl_cookie.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_SSL_COOKIE_H #define MBEDTLS_SSL_COOKIE_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ssl.h" #if defined(MBEDTLS_THREADING_C) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 97abb9f9..bd5ad94d 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_SSL_INTERNAL_H #define MBEDTLS_SSL_INTERNAL_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #include "ssl.h" #include "cipher.h" diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index b2686df0..a84e7816 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -24,6 +24,12 @@ #ifndef MBEDTLS_SSL_TICKET_H #define MBEDTLS_SSL_TICKET_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + /* * This implementation of the session ticket callbacks includes key * management, rotating the keys periodically in order to preserve forward diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 56e7398a..ef8e4c1f 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -40,16 +40,16 @@ */ #define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MINOR 16 -#define MBEDTLS_VERSION_PATCH 0 +#define MBEDTLS_VERSION_PATCH 2 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02100000 -#define MBEDTLS_VERSION_STRING "2.16.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.0" +#define MBEDTLS_VERSION_NUMBER 0x02100200 +#define MBEDTLS_VERSION_STRING "2.16.2" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.2" #if defined(MBEDTLS_VERSION_C) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index d6db9c6e..9ae825c1 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -269,6 +269,8 @@ int mbedtls_x509_time_is_past( const mbedtls_x509_time *to ); */ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ); +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -276,6 +278,8 @@ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ); */ int mbedtls_x509_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + /* * Internal module functions. You probably do not want to use these unless you * know you do. diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 3dd59224..670bd10d 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -98,7 +98,7 @@ mbedtls_x509_crt; * Build flag from an algorithm/curve identifier (pk, md, ecp) * Since 0 is always XXX_NONE, ignore it. */ -#define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) +#define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( (id) - 1 ) ) /** * Security profile for certificate verification. diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 0c6ccad7..a3c28048 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -205,6 +205,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty * \param key_usage key usage flags to set * * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * + * \note The <code>decipherOnly</code> flag from the Key Usage + * extension is represented by bit 8 (i.e. + * <code>0x8000</code>), which cannot typically be represented + * in an unsigned char. Therefore, the flag + * <code>decipherOnly</code> (i.e. + * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this + * function. */ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage ); diff --git a/include/mbedtls/xtea.h b/include/mbedtls/xtea.h index 6430c131..b47f5535 100644 --- a/include/mbedtls/xtea.h +++ b/include/mbedtls/xtea.h @@ -121,6 +121,8 @@ int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx, unsigned char *output); #endif /* MBEDTLS_CIPHER_MODE_CBC */ +#if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * @@ -128,6 +130,8 @@ int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx, */ int mbedtls_xtea_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ + #ifdef __cplusplus } #endif |