project/ustream-ssl.git
4 years agoustream-ssl: openssl: fix bio memory leak
Pan Chen [Mon, 2 Nov 2020 01:53:28 +0000 (09:53 +0800)]
ustream-ssl: openssl: fix bio memory leak

free memory of bio method when ustream be freed

Signed-off-by: Pan Chen <serial115200@outlook.com>
4 years agoustream-openssl: clear error stack before SSL_read/SSL_write
Jo-Philipp Wich [Fri, 13 Mar 2020 09:37:06 +0000 (10:37 +0100)]
ustream-openssl: clear error stack before SSL_read/SSL_write

The OpenSSL library uses a global error queue per thread which needs to
be cleared prior to calling I/O functions in order to get reliable error
results.

Failure to do so will lead to stray errors reported by SSL_get_error()
when an unrelated connection within the same thread encountered a TLS
error since the last SSL_read() or SSL_write() on the current connection.

This issue was frequently triggered by Google Chrome which usually
initiates simultaneous TLS connections (presumably for protocol support
probing) and subsequently closes most of them with a "certificate unknown"
TLS error, causing the next SSL_get_error() to report an SSL library error
instead of the expected SSL_WANT_READ or SSL_WANT_WRITE error states.

Solve this issue by invoking ERR_clear_error() prior to invoking SSL_read()
or SSL_write() to ensure that the subsequent SSL_get_error() returns
current valid results.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agoadd support for specifying usable ciphers
Jo-Philipp Wich [Sat, 15 Feb 2020 20:25:26 +0000 (21:25 +0100)]
add support for specifying usable ciphers

Implement a new ustream_ssl_ops.context_set_ciphers() function which allows
to specify the usable ciphers for TLS context which is useful to restrict
the accepted cipher subset especially for ustream-ssl server applications.

For the OpenSSL backend, the given cipher string is passed as-is to the
SSL_CTX_set_cipher_list().

For mbedTLS, the given string is split on colons and each item of the list
is resolved through mbedtls_ssl_get_ciphersuite_id() to construct a numeric
list of allowed ciphers.

Note that OpenSSL and mbedTLS use different names for their ciphers but both
implementations simply ignore unknown names, so it is possible to specify
cipherstrings which are applicable to either library, e.g. `-ALL:ECDHE-
ECDSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` would
enable ChaCha20/Poly1305 in both OpenSSL and mbedTLS.

Another crucial difference between the libraries is that the cipherstring
in mbedTLS is effectively a whitelist of allowed ciphers while, without
additional syntax elements, OpenSSL's cipherstring merely appends ciphers
to the default selection.

Ref: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
Ref: https://tls.mbed.org/api/ssl_8h.html#a9914cdf5533e813e1ea7ca52981aa006
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agoustream-ssl: mbedtls: fix ssl client verification
Daniel Danzberger [Sun, 8 Dec 2019 20:14:08 +0000 (21:14 +0100)]
ustream-ssl: mbedtls: fix ssl client verification

The ustream_ssl_update_own_cert() function should, like the name suggests, only
update the local ssl peer's own certificate and not the any of the CA's.

By overwriting the CA's certifcates when setting the own certificate, the code
broke SSL client verification.

This bug was only triggerd when:
 ustream_ssl_context_set_crt_file()
was called after
 ustream_ssl_context_add_ca_crt_file()

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
4 years agoustream-ssl: mbedtls: fix net_sockets.h include warning
Daniel Danzberger [Sun, 8 Dec 2019 16:14:18 +0000 (17:14 +0100)]
ustream-ssl: mbedtls: fix net_sockets.h include warning

mbedtls/net.h is deprecated in favor of mbedtls/net_sockets.h

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
5 years agoustream-ssl: skip writing pending data if .eof is true after connect
Jo-Philipp Wich [Wed, 11 Sep 2019 19:09:59 +0000 (21:09 +0200)]
ustream-ssl: skip writing pending data if .eof is true after connect

Check the .eof member of the underlying ustream after the call to
__ustream_ssl_connect() since existing users of the library appear
to set the eof flag as a way to signal connection termination upon
failing certificate verification.

This is a stop-gap measure to address TALOS-2019-0893 but a proper
API redesign is required to give applications proper control over
whether certificate failures are to be ignored or not and the default
implementation without custom callbacks should always terminate on
verification failures.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years agowolfssl: adjust to new API in v4.2.0
Eneas U de Queiroz [Tue, 29 Oct 2019 21:24:16 +0000 (18:24 -0300)]
wolfssl: adjust to new API in v4.2.0

WolfSSL has recently added many openssl 1.1+ calls, including
TLS_server_method & TLS_client_method, which were being redefined,
causing compilation failure:
ustream-openssl.c:113:0: error: "TLS_server_method" redefined [-Werror]
ustream-openssl.c:114:0: error: "TLS_client_method" redefined [-Werror]

Only define the symbols if not previously defined.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5 years agoUpdate example certificate & key, fix typo
Eneas U de Queiroz [Thu, 19 Sep 2019 13:13:01 +0000 (10:13 -0300)]
Update example certificate & key, fix typo

The current crypto libraries will fail to load small RSA keys, so a new
certificate was generated with a 2048-bit RSA key.

Also fixed a typo in ustream-example-client.c

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5 years agowolfssl: enable CN validation
Eneas U de Queiroz [Thu, 19 Sep 2019 02:18:03 +0000 (23:18 -0300)]
wolfssl: enable CN validation

WolfSSL added a wolfSSL_X509_check_host function to perform CN
validation in v3.10.4, depending on the build-time configure options:
--enable-nginx enables it for all supported versions;
--enable-opensslextra, since v3.14.2.

If the function is unavailable, then SSL_get_verify_result will be
called, and 'valid_cert' will be true if that call suceeds and we
have a peer certificate, just as it happens with openssl. Only
'valid_cn' will not be set.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5 years agoustream-io-cyassl.c: fix client-mode connections
Eneas U de Queiroz [Thu, 19 Sep 2019 02:18:02 +0000 (23:18 -0300)]
ustream-io-cyassl.c: fix client-mode connections

Starting in v3.13.2, wolfSSL stores the BIO send and recv callbacks
in the SSL struct.  When the SSL session is created, it inherits the
calls from the SSL_CTX, but they do not get updated when the SSL_CTX
callbacks are changed.

Currently, ustream-ssl sets the callbacks after the SSL session is
created, causing failures.  Client apps, such as uclient-fetch fail
immediately to connect to https URLs with a 'Connection failed' error
message.  uhttpd seems unaffected.

New calls to set them directly to the SSL struct were added in 4.1.0, so
we can use them, with a check in CMakeLists.txt to detect their
presence.  Otherwise, another call to ustream_set_io is done before
creating the SSL session to properly set the callbacks.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5 years agoRemove CyaSSL, WolfSSL < 3.10.4 support
Eneas U de Queiroz [Thu, 19 Sep 2019 02:18:01 +0000 (23:18 -0300)]
Remove CyaSSL, WolfSSL < 3.10.4 support

This updates the CyaSSL names to wolfSSL, and removes obsolete code to
support old versions of the library < v3.10.4.

Some #include statements were moved around, so that wolfssl/options.h is
loaded before any other wolfssl/openssl header.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5 years agoRevise supported ciphersuites
Eneas U de Queiroz [Mon, 5 Aug 2019 20:07:48 +0000 (17:07 -0300)]
Revise supported ciphersuites

CBC ciphersuites have been under scrutiny because of the many padding
oracle vulnerabilities that keep popping up; it seems that we won't be
able to patch up the inherent wakness of MAC-then-encrypt forever.  They
have been blacklisted by HTTP/2, and recently dropped from Mozilla's
Security/Serverside TLS intermediate compatibility list:
https://wiki.mozilla.org/Security/Server_Side_TLS

This commit removes ECDSA-CBC ciphersuites.  Basically, you can choose a
level of ciphersuite security, using the private-key type as a switch:

For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly
matching Mozilla's Old backward compatibility list.

If you use an EC private key, then only ephemeral-key, authenticated
ciphers will be used, along the lines of what Mozilla's Intermediate
compatibility list prescribes.

The order does not match Mozilla's list 100% because in most embedded
systems, the server is going to be the least-capable machine.  So,
chacha20-poly1305 is moved ahead of AES, and the cipher preference is
always given to the server.  Also, DHE ciphers are not used for server.

The client list had the order changed to prioritize authenticated
ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5 years agowolfssl, openssl: use TLS 1.3, set ciphersuites
Eneas U de Queiroz [Mon, 5 Aug 2019 20:07:47 +0000 (17:07 -0300)]
wolfssl, openssl: use TLS 1.3, set ciphersuites

For wolfssl, instead of hard-coding TLS 1.2, use generic method and
disable older protocols, adding the necessary ciphersuites.

Openssl already had TLS 1.3 compatiblity, but its ciphersuite ordering
needs a separate call, so this sets the ciphersuite preference when
using TLS 1.3.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5 years agoustream-ssl: mbedtls: use chacha-poly ciphersuites
Eneas U de Queiroz [Wed, 1 Aug 2018 13:59:13 +0000 (10:59 -0300)]
ustream-ssl: mbedtls: use chacha-poly ciphersuites

These ciphersuites were added in mbedtls v2.12.0,
so we may add them to the ustream-ssl ciphersuite list.
They were already part of the list for openssl and wolfssl.
Chacha20-Poly1305 is a 256-bit cipher with AEAD, much faster than AES on
CPUs without special AES instructions (the case for most embedded
chips).

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
6 years agoopenssl, wolfssl: match mbedTLS ciphersuite list
Eneas U de Queiroz via openwrt-devel [Fri, 27 Jul 2018 19:11:36 +0000 (19:11 +0000)]
openssl, wolfssl: match mbedTLS ciphersuite list

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Use the same ciphersuite list as mbedTLS.
wolfssl was not honoring setting the minimum protocol with
SSL_CTX_set_options, so we must use TLSv1_2_server_method.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
6 years agoustream-ssl: Revised security on mbedtls
Eneas U de Queiroz via openwrt-devel [Sat, 16 Jun 2018 04:04:52 +0000 (04:04 +0000)]
ustream-ssl: Revised security on mbedtls

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
I've revised the security options, and made them more uniform across the
ssl libraries.

- use only TLS 1.2 in server mode
- changed the ciphersuite ordering

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
6 years agoustream-ssl: add openssl-1.1.0 compatibility
Eneas U de Queiroz via openwrt-devel [Sat, 16 Jun 2018 04:05:14 +0000 (04:05 +0000)]
ustream-ssl: add openssl-1.1.0 compatibility

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Patch to compile ustream-ssl with openssl-1.1.0, maintaining
compatibility with openssl 1.0.2.

Fixed flag handling in ustream-io-openssl.c.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
6 years agodon't use SSL_CTX_set_ecdh_auto with wolfSSL
Daniel Golle [Thu, 24 May 2018 16:44:27 +0000 (18:44 +0200)]
don't use SSL_CTX_set_ecdh_auto with wolfSSL

SSL_CTX_set_ecdh_auto() isn't support by wolfSSL (yet).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6 years agombedtls: Fix setting allowed cipher suites
Hauke Mehrtens [Mon, 21 May 2018 12:05:50 +0000 (14:05 +0200)]
mbedtls: Fix setting allowed cipher suites

The cipher suites should be set after the default settings are done,
otherwise the settings will be overwritten with the defaults later on
again.
Also make the list of supported cipher suites match what Chrome tries to
use.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
6 years agombedtls: Add support for a session cache
Hauke Mehrtens [Mon, 21 May 2018 12:02:44 +0000 (14:02 +0200)]
mbedtls: Add support for a session cache

This allows the client to reuse the settings from a previous session and
no full key exchange is needed.
The partially key exchange takes less than 0.1 seconds compared to over
a second needed for a full key exchange.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
6 years agoustream-ssl: Remove RC4 from ciphersuite in server mode.
Rosen Penev [Sun, 1 Apr 2018 01:37:29 +0000 (18:37 -0700)]
ustream-ssl: Remove RC4 from ciphersuite in server mode.

SSLlabs complains that RC4 is enabled as it is insecure, thereby capping the grade to B.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
6 years agoustream-ssl: Enable ECDHE with OpenSSL.
Rosen Penev [Sun, 1 Apr 2018 01:37:28 +0000 (18:37 -0700)]
ustream-ssl: Enable ECDHE with OpenSSL.

When used with LuCI, SSLlabs complains that Forward Secrecy is not enabled and thus caps the score to a B.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
7 years agoremove polarssl support
Felix Fietkau [Mon, 9 Jan 2017 13:38:12 +0000 (14:38 +0100)]
remove polarssl support

polarssl (aka mbedTLS 1.3) has been EOL since end of 2016

Signed-off-by: Felix Fietkau <nbd@nbd.name>
8 years agocmake: Find libubox/ustream.h header file
Florian Fainelli [Fri, 1 Jul 2016 23:04:51 +0000 (16:04 -0700)]
cmake: Find libubox/ustream.h header file

Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for
libubox/ustream-ssl.h.  Some external toolchains which do not include
standard locations would fail to find the header otherwise.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
8 years agoustream-ssl: cyassl compatibility with build time options
Karl Palsson [Mon, 6 Jun 2016 15:49:22 +0000 (15:49 +0000)]
ustream-ssl: cyassl compatibility with build time options

Adds a HAVE_CYASSL definition to be consistent with polar/mbedtls.
Uses that definition to include the wolfssl build time options.
This enables the correct pullin of the "remainder" of the wolfssl openssl
compatibility options, if they were enabled in the build of wolfssl in the
first place.

Signed-off-by: Karl Palsson <karlp@etactica.com>
8 years agoopenssl: keep compatibility with older TLS/SSL protocols
Felix Fietkau [Sun, 21 Feb 2016 20:28:58 +0000 (21:28 +0100)]
openssl: keep compatibility with older TLS/SSL protocols

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agoopenssl: force TLS v1.2 instead of v1
Felix Fietkau [Sun, 21 Feb 2016 08:10:46 +0000 (09:10 +0100)]
openssl: force TLS v1.2 instead of v1

Fixes some connection issues

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agoopenssl: use 1.0.2 openssl API for host name validation
Felix Fietkau [Tue, 26 Jan 2016 00:06:12 +0000 (01:06 +0100)]
openssl: use 1.0.2 openssl API for host name validation

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agopolarssl: fix handling SSL close notification
Felix Fietkau [Sat, 23 Jan 2016 18:37:57 +0000 (19:37 +0100)]
polarssl: fix handling SSL close notification

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agombedtls: fix handling SSL close notification
Felix Fietkau [Sat, 23 Jan 2016 18:37:13 +0000 (19:37 +0100)]
mbedtls: fix handling SSL close notification

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agombedtls: sync with polarssl ciphersuite changes
Felix Fietkau [Tue, 19 Jan 2016 22:33:01 +0000 (23:33 +0100)]
mbedtls: sync with polarssl ciphersuite changes

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agopolarssl: enable DHE in default client ciphersuite
Felix Fietkau [Tue, 19 Jan 2016 22:30:38 +0000 (23:30 +0100)]
polarssl: enable DHE in default client ciphersuite

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agopolarssl: init certificate storage
Felix Fietkau [Fri, 15 Jan 2016 23:04:45 +0000 (00:04 +0100)]
polarssl: init certificate storage

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agopolarssl: fix memory leak
Felix Fietkau [Fri, 15 Jan 2016 23:04:12 +0000 (00:04 +0100)]
polarssl: fix memory leak

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agoadd mbedtls variant
Felix Fietkau [Fri, 15 Jan 2016 19:42:25 +0000 (20:42 +0100)]
add mbedtls variant

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agopolarssl: remove support for version 1.2
Felix Fietkau [Fri, 15 Jan 2016 17:29:31 +0000 (18:29 +0100)]
polarssl: remove support for version 1.2

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
8 years agopolarssl: disable RC4 support (for security reasons)
Felix Fietkau [Fri, 15 Jan 2016 17:09:42 +0000 (18:09 +0100)]
polarssl: disable RC4 support (for security reasons)

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agoustream-ssl: make ustream_ssl.server_name const
Alexander Couzens [Thu, 6 Aug 2015 11:01:34 +0000 (13:01 +0200)]
ustream-ssl: make ustream_ssl.server_name const

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
9 years agopolarssl: add mising string include
Jo-Philipp Wich [Tue, 9 Jun 2015 16:50:08 +0000 (18:50 +0200)]
polarssl: add mising string include

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agopolarssl: fix long writes
Luka Perkov [Sat, 11 Apr 2015 21:43:03 +0000 (23:43 +0200)]
polarssl: fix long writes

Enable to write more data then defined in SSL_MAX_CONTENT_LEN.

Signed-off-by: Luka Perkov <luka@openwrt.org>
9 years agopolarssl: fix return code of entropy function
Felix Fietkau [Mon, 30 Mar 2015 12:55:47 +0000 (14:55 +0200)]
polarssl: fix return code of entropy function

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agocmake: Do not hardcode /opt/local/include for Apple.
Yousong Zhou [Tue, 11 Nov 2014 10:34:01 +0000 (18:34 +0800)]
cmake: Do not hardcode /opt/local/include for Apple.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
10 years agoexamples: add .notify_write callback.
Yousong Zhou [Tue, 11 Nov 2014 10:33:59 +0000 (18:33 +0800)]
examples: add .notify_write callback.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
10 years agoAdd support for Server Name Indication
Christoph Ziebuhr [Mon, 1 Dec 2014 13:41:36 +0000 (14:41 +0100)]
Add support for Server Name Indication

Signed-off-by: Christoph Ziebuhr <chris@codefrickler.de>
10 years agoopenssl: Fix host_pattern_match
Christoph Ziebuhr [Mon, 1 Dec 2014 13:41:35 +0000 (14:41 +0100)]
openssl: Fix host_pattern_match

Signed-off-by: Christoph Ziebuhr <chris@codefrickler.de>
10 years agoFix ustream_ssl_poll
Christoph Ziebuhr [Mon, 1 Dec 2014 13:41:34 +0000 (14:41 +0100)]
Fix ustream_ssl_poll

Signed-off-by: Christoph Ziebuhr <chris@codefrickler.de>
10 years agoopenssl: set quiet shutdown flag to ensure that shutdown always succeeds
Felix Fietkau [Thu, 3 Apr 2014 21:15:04 +0000 (23:15 +0200)]
openssl: set quiet shutdown flag to ensure that shutdown always succeeds

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoopenssl: un-inline ustream_ssl_session_free
Felix Fietkau [Thu, 3 Apr 2014 21:14:05 +0000 (23:14 +0200)]
openssl: un-inline ustream_ssl_session_free

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoopenssl: fix subjectAltNames leak
Felix Fietkau [Thu, 3 Apr 2014 14:57:38 +0000 (16:57 +0200)]
openssl: fix subjectAltNames leak

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoopenssl: free peer certificate after validating it
Felix Fietkau [Thu, 3 Apr 2014 14:53:40 +0000 (16:53 +0200)]
openssl: free peer certificate after validating it

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoadd missing include files
Felix Fietkau [Tue, 25 Mar 2014 15:03:44 +0000 (16:03 +0100)]
add missing include files

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoopenssl: disable host CN checks for cyassl (TODO)
Felix Fietkau [Tue, 25 Mar 2014 15:03:27 +0000 (16:03 +0100)]
openssl: disable host CN checks for cyassl (TODO)

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agopolarssl: check us->notify_verify_error for NULL before calling it
Felix Fietkau [Tue, 25 Mar 2014 09:14:14 +0000 (10:14 +0100)]
polarssl: check us->notify_verify_error for NULL before calling it

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoustream-example-client: fix usage information
Felix Fietkau [Tue, 25 Mar 2014 08:45:28 +0000 (09:45 +0100)]
ustream-example-client: fix usage information

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoimplement certificate validation (including CN verification)
Felix Fietkau [Tue, 25 Mar 2014 08:02:39 +0000 (09:02 +0100)]
implement certificate validation (including CN verification)

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agofix CyaSSL build
Felix Fietkau [Fri, 21 Mar 2014 23:39:02 +0000 (00:39 +0100)]
fix CyaSSL build

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoWrite pending data after connecting
Felix Fietkau [Mon, 17 Mar 2014 22:21:53 +0000 (23:21 +0100)]
Write pending data after connecting

fixes issues with incoming writes before the ssl negotiation is complete

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoadd client example code
Felix Fietkau [Sat, 15 Mar 2014 15:16:24 +0000 (16:16 +0100)]
add client example code

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agopolarssl: enable client side ssl verification if a certificate was loaded
Felix Fietkau [Sat, 15 Mar 2014 15:01:06 +0000 (16:01 +0100)]
polarssl: enable client side ssl verification if a certificate was loaded

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agogive the main context a type instead of making it void *
Felix Fietkau [Sat, 15 Mar 2014 13:23:49 +0000 (14:23 +0100)]
give the main context a type instead of making it void *

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoustream-ssl: always check connection at the beginning of a session
Felix Fietkau [Sat, 15 Mar 2014 12:59:07 +0000 (13:59 +0100)]
ustream-ssl: always check connection at the beginning of a session

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoustream-server-example: close connection on error
Felix Fietkau [Sat, 15 Mar 2014 12:29:28 +0000 (13:29 +0100)]
ustream-server-example: close connection on error

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoexample: rename to ustream-example-server
Felix Fietkau [Sat, 15 Mar 2014 12:26:32 +0000 (13:26 +0100)]
example: rename to ustream-example-server

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agopolarssl: fix error check on write
Felix Fietkau [Sat, 15 Mar 2014 12:19:01 +0000 (13:19 +0100)]
polarssl: fix error check on write

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agopolarssl: add support for version 1.3
Felix Fietkau [Fri, 14 Mar 2014 13:20:59 +0000 (14:20 +0100)]
polarssl: add support for version 1.3

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoAdd version detection of CyaSSL and make the cyassl backend compatible with both...
Jo-Philipp Wich [Wed, 30 Oct 2013 12:53:45 +0000 (13:53 +0100)]
Add version detection of CyaSSL and make the cyassl backend compatible with both legacy and current CyaSSL versions

11 years agoavoid installing internal header files
Felix Fietkau [Wed, 25 Sep 2013 07:06:36 +0000 (09:06 +0200)]
avoid installing internal header files

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agopolarssl: disable perfect forward secrecy, it slows down each connection handshake...
Felix Fietkau [Wed, 24 Jul 2013 16:36:11 +0000 (18:36 +0200)]
polarssl: disable perfect forward secrecy, it slows down each connection handshake by about 130 ms of cpu-bound activity

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoconsume all data after a socket write error
Felix Fietkau [Tue, 18 Jun 2013 10:47:18 +0000 (12:47 +0200)]
consume all data after a socket write error

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoadd polarssl support
Felix Fietkau [Mon, 4 Feb 2013 21:13:24 +0000 (22:13 +0100)]
add polarssl support

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agosplit cyassl and openssl sources, add ssl library abstraction
Felix Fietkau [Mon, 4 Feb 2013 16:41:54 +0000 (17:41 +0100)]
split cyassl and openssl sources, add ssl library abstraction

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoexample: ignore SIGPIPE
Felix Fietkau [Mon, 4 Feb 2013 19:25:22 +0000 (20:25 +0100)]
example: ignore SIGPIPE

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agobuild: remove install prefix override
Felix Fietkau [Wed, 23 Jan 2013 14:24:08 +0000 (15:24 +0100)]
build: remove install prefix override

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agofix read polling by putting the buffer prepare in a loop
Felix Fietkau [Tue, 22 Jan 2013 14:24:28 +0000 (15:24 +0100)]
fix read polling by putting the buffer prepare in a loop

allow user to process more than a single buffer's worth of data in one call

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoadd s->poll wrapper
Felix Fietkau [Tue, 22 Jan 2013 12:38:35 +0000 (13:38 +0100)]
add s->poll wrapper

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agouse libm with cyassl
Felix Fietkau [Sun, 13 Jan 2013 08:59:58 +0000 (09:59 +0100)]
use libm with cyassl

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoremove commented out include/link directories
Felix Fietkau [Sun, 13 Jan 2013 08:52:34 +0000 (09:52 +0100)]
remove commented out include/link directories

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoadd copyright info and license
Felix Fietkau [Sun, 13 Jan 2013 08:41:55 +0000 (09:41 +0100)]
add copyright info and license

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agofix compile errors on linux
Felix Fietkau [Fri, 4 Jan 2013 22:17:35 +0000 (23:17 +0100)]
fix compile errors on linux

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoreturn -1/0 instead of ssl specific return codes when setting crt/key files
Felix Fietkau [Fri, 4 Jan 2013 17:27:05 +0000 (18:27 +0100)]
return -1/0 instead of ssl specific return codes when setting crt/key files

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoonly export one symbol from the lib, containing a struct with all functions. useful...
Felix Fietkau [Fri, 4 Jan 2013 16:37:49 +0000 (17:37 +0100)]
only export one symbol from the lib, containing a struct with all functions. useful for using ustream-ssl as a plugin

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoinstall headers and library
Felix Fietkau [Thu, 27 Dec 2012 18:09:41 +0000 (19:09 +0100)]
install headers and library

12 years agofix logic inversion
Felix Fietkau [Tue, 23 Oct 2012 15:59:52 +0000 (17:59 +0200)]
fix logic inversion

12 years agoInitial import
Felix Fietkau [Tue, 23 Oct 2012 02:01:09 +0000 (04:01 +0200)]
Initial import