ssl/tls1.c: ssl_read: Don't send TLS alert on SSL_EAGAIN.

SSL_EAGAIN is of course a transient condition of non-blocking socket,
not a real error, so there's no need to send any TLS alerts on it.

This fixes (somewhat) operation over non-blocking sockets.

.gitignore

@@ -0,0 +1,11 @@
+*.o
+_stage
+.depend
+.config*
+config/config.h
+config/scripts/config/conf
+config/scripts/config/lex.zconf.c
+config/scripts/config/lkc_defs.h
+config/scripts/config/zconf.tab.c
+config/scripts/config/zconf.tab.h
+ssl/version.h

config/Rules.mak

@@ -174,7 +174,8 @@ ifeq ($(strip $(CONFIG_DEBUG)),y)
 else
     CFLAGS+=$(WARNINGS) $(OPTIMIZATIONS) -D_GNU_SOURCE -DNDEBUG
     LDFLAGS += -Wl,-warn-common
-    STRIPCMD:=$(STRIP) -s --remove-section=.note --remove-section=.comment
+    STRIPCMD:=echo
+    #$(STRIP) -s --remove-section=.note --remove-section=.comment
 endif
 ifeq ($(strip $(CONFIG_STATIC)),y)
     LDFLAGS += --static

config/makefile.conf

@@ -84,7 +84,7 @@ else    # Not Win32
 
 -include .depend
 
-CFLAGS += -I$(AXTLS_HOME)/config -I$(AXTLS_HOME)/ssl -I$(AXTLS_HOME)/crypto
+CFLAGS += -I$(AXTLS_HOME)/config -I$(AXTLS_HOME)/ssl -I$(AXTLS_HOME)/crypto $(CFLAGS_EXTRA)
 LD=$(CC)
 STRIP=$(CROSS)strip
 
@@ -101,7 +101,7 @@ LDSHARED = -shared
 # Linux
 ifndef CONFIG_PLATFORM_CYGWIN
 ifndef CONFIG_PLATFORM_NOMMU
-CFLAGS += -fPIC 
+#CFLAGS += -fPIC 
 
 # Cygwin
 else
@@ -114,11 +114,15 @@ endif
 ifdef CONFIG_DEBUG
 CFLAGS += -g
 else
-LDFLAGS += -s
+#-m32
+# -pg
+LDFLAGS += -g -Wl,--gc-sections,--print-gc-sections,-Map,map.lst -fno-unwind-tables -fno-asynchronous-unwind-tables
 ifdef CONFIG_PLATFORM_SOLARIS
 CFLAGS += -O 
 else
-CFLAGS += -O3
+#-m32
+#-pg
+CFLAGS += -g -Os -ffunction-sections -fdata-sections -fno-unwind-tables -fno-asynchronous-unwind-tables
 endif
 
 endif	# CONFIG_DEBUG

config/upyconfig

@@ -0,0 +1,117 @@
+#
+# Automatically generated make config: don't edit
+#
+HAVE_DOT_CONFIG=y
+CONFIG_PLATFORM_LINUX=y
+# CONFIG_PLATFORM_CYGWIN is not set
+# CONFIG_PLATFORM_WIN32 is not set
+
+#
+# General Configuration
+#
+PREFIX="/usr/local"
+# CONFIG_DEBUG is not set
+# CONFIG_STRIP_UNWANTED_SECTIONS is not set
+# CONFIG_VISUAL_STUDIO_7_0 is not set
+# CONFIG_VISUAL_STUDIO_8_0 is not set
+# CONFIG_VISUAL_STUDIO_10_0 is not set
+CONFIG_VISUAL_STUDIO_7_0_BASE=""
+CONFIG_VISUAL_STUDIO_8_0_BASE=""
+CONFIG_VISUAL_STUDIO_10_0_BASE=""
+CONFIG_EXTRA_CFLAGS_OPTIONS=""
+CONFIG_EXTRA_LDFLAGS_OPTIONS=""
+
+#
+# SSL Library
+#
+# CONFIG_SSL_SERVER_ONLY is not set
+# CONFIG_SSL_CERT_VERIFICATION is not set
+# CONFIG_SSL_FULL_MODE is not set
+CONFIG_SSL_SKELETON_MODE=y
+CONFIG_SSL_ENABLE_SERVER=y
+CONFIG_SSL_ENABLE_CLIENT=y
+# CONFIG_SSL_DIAGNOSTICS is not set
+CONFIG_SSL_PROT_LOW=y
+# CONFIG_SSL_PROT_MEDIUM is not set
+# CONFIG_SSL_PROT_HIGH is not set
+CONFIG_SSL_AES=y
+CONFIG_SSL_USE_DEFAULT_KEY=y
+CONFIG_SSL_PRIVATE_KEY_LOCATION=""
+CONFIG_SSL_PRIVATE_KEY_PASSWORD=""
+CONFIG_SSL_X509_CERT_LOCATION=""
+# CONFIG_SSL_GENERATE_X509_CERT is not set
+CONFIG_SSL_X509_COMMON_NAME=""
+CONFIG_SSL_X509_ORGANIZATION_NAME=""
+CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME=""
+# CONFIG_SSL_ENABLE_V23_HANDSHAKE is not set
+# CONFIG_SSL_HAS_PEM is not set
+# CONFIG_SSL_USE_PKCS12 is not set
+CONFIG_SSL_EXPIRY_TIME=0
+CONFIG_X509_MAX_CA_CERTS=0
+CONFIG_SSL_MAX_CERTS=3
+# CONFIG_SSL_CTX_MUTEXING is not set
+# CONFIG_USE_DEV_URANDOM is not set
+# CONFIG_WIN32_USE_CRYPTO_LIB is not set
+# CONFIG_OPENSSL_COMPATIBLE is not set
+# CONFIG_PERFORMANCE_TESTING is not set
+# CONFIG_SSL_TEST is not set
+# CONFIG_AXTLSWRAP is not set
+# CONFIG_AXHTTPD is not set
+# CONFIG_HTTP_STATIC_BUILD is not set
+CONFIG_HTTP_PORT=0
+CONFIG_HTTP_HTTPS_PORT=0
+CONFIG_HTTP_SESSION_CACHE_SIZE=0
+CONFIG_HTTP_WEBROOT=""
+CONFIG_HTTP_TIMEOUT=0
+# CONFIG_HTTP_HAS_CGI is not set
+CONFIG_HTTP_CGI_EXTENSIONS=""
+# CONFIG_HTTP_ENABLE_LUA is not set
+CONFIG_HTTP_LUA_PREFIX=""
+# CONFIG_HTTP_BUILD_LUA is not set
+CONFIG_HTTP_CGI_LAUNCHER=""
+# CONFIG_HTTP_DIRECTORIES is not set
+# CONFIG_HTTP_HAS_AUTHORIZATION is not set
+# CONFIG_HTTP_HAS_IPV6 is not set
+# CONFIG_HTTP_ENABLE_DIFFERENT_USER is not set
+CONFIG_HTTP_USER=""
+# CONFIG_HTTP_VERBOSE is not set
+# CONFIG_HTTP_IS_DAEMON is not set
+
+#
+# Language Bindings
+#
+# CONFIG_BINDINGS is not set
+# CONFIG_CSHARP_BINDINGS is not set
+# CONFIG_VBNET_BINDINGS is not set
+CONFIG_DOT_NET_FRAMEWORK_BASE=""
+# CONFIG_JAVA_BINDINGS is not set
+CONFIG_JAVA_HOME=""
+# CONFIG_PERL_BINDINGS is not set
+CONFIG_PERL_CORE=""
+CONFIG_PERL_LIB=""
+# CONFIG_LUA_BINDINGS is not set
+CONFIG_LUA_CORE=""
+
+#
+# Samples
+#
+# CONFIG_SAMPLES is not set
+# CONFIG_C_SAMPLES is not set
+# CONFIG_CSHARP_SAMPLES is not set
+# CONFIG_VBNET_SAMPLES is not set
+# CONFIG_JAVA_SAMPLES is not set
+# CONFIG_PERL_SAMPLES is not set
+# CONFIG_LUA_SAMPLES is not set
+# CONFIG_BIGINT_CLASSICAL is not set
+# CONFIG_BIGINT_MONTGOMERY is not set
+# CONFIG_BIGINT_BARRETT is not set
+# CONFIG_BIGINT_CRT is not set
+# CONFIG_BIGINT_KARATSUBA is not set
+MUL_KARATSUBA_THRESH=0
+SQU_KARATSUBA_THRESH=0
+# CONFIG_BIGINT_SLIDING_WINDOW is not set
+# CONFIG_BIGINT_SQUARE is not set
+# CONFIG_BIGINT_CHECK_ON is not set
+# CONFIG_INTEGER_32BIT is not set
+# CONFIG_INTEGER_16BIT is not set
+# CONFIG_INTEGER_8BIT is not set

config/upyconfig.client

@@ -0,0 +1,116 @@
+#
+# Automatically generated make config: don't edit
+#
+HAVE_DOT_CONFIG=y
+CONFIG_PLATFORM_LINUX=y
+# CONFIG_PLATFORM_CYGWIN is not set
+# CONFIG_PLATFORM_WIN32 is not set
+
+#
+# General Configuration
+#
+PREFIX="/usr/local"
+# CONFIG_DEBUG is not set
+# CONFIG_STRIP_UNWANTED_SECTIONS is not set
+# CONFIG_VISUAL_STUDIO_7_0 is not set
+# CONFIG_VISUAL_STUDIO_8_0 is not set
+# CONFIG_VISUAL_STUDIO_10_0 is not set
+CONFIG_VISUAL_STUDIO_7_0_BASE=""
+CONFIG_VISUAL_STUDIO_8_0_BASE=""
+CONFIG_VISUAL_STUDIO_10_0_BASE=""
+CONFIG_EXTRA_CFLAGS_OPTIONS=""
+CONFIG_EXTRA_LDFLAGS_OPTIONS=""
+
+#
+# SSL Library
+#
+# CONFIG_SSL_SERVER_ONLY is not set
+# CONFIG_SSL_CERT_VERIFICATION is not set
+# CONFIG_SSL_FULL_MODE is not set
+CONFIG_SSL_SKELETON_MODE=y
+CONFIG_SSL_ENABLE_CLIENT=y
+# CONFIG_SSL_DIAGNOSTICS is not set
+CONFIG_SSL_PROT_LOW=y
+# CONFIG_SSL_PROT_MEDIUM is not set
+# CONFIG_SSL_PROT_HIGH is not set
+CONFIG_SSL_AES=y
+# CONFIG_SSL_USE_DEFAULT_KEY is not set
+CONFIG_SSL_PRIVATE_KEY_LOCATION=""
+CONFIG_SSL_PRIVATE_KEY_PASSWORD=""
+CONFIG_SSL_X509_CERT_LOCATION=""
+# CONFIG_SSL_GENERATE_X509_CERT is not set
+CONFIG_SSL_X509_COMMON_NAME=""
+CONFIG_SSL_X509_ORGANIZATION_NAME=""
+CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME=""
+# CONFIG_SSL_ENABLE_V23_HANDSHAKE is not set
+# CONFIG_SSL_HAS_PEM is not set
+# CONFIG_SSL_USE_PKCS12 is not set
+CONFIG_SSL_EXPIRY_TIME=0
+CONFIG_X509_MAX_CA_CERTS=0
+CONFIG_SSL_MAX_CERTS=3
+# CONFIG_SSL_CTX_MUTEXING is not set
+# CONFIG_USE_DEV_URANDOM is not set
+# CONFIG_WIN32_USE_CRYPTO_LIB is not set
+# CONFIG_OPENSSL_COMPATIBLE is not set
+# CONFIG_PERFORMANCE_TESTING is not set
+# CONFIG_SSL_TEST is not set
+# CONFIG_AXTLSWRAP is not set
+# CONFIG_AXHTTPD is not set
+# CONFIG_HTTP_STATIC_BUILD is not set
+CONFIG_HTTP_PORT=0
+CONFIG_HTTP_HTTPS_PORT=0
+CONFIG_HTTP_SESSION_CACHE_SIZE=0
+CONFIG_HTTP_WEBROOT=""
+CONFIG_HTTP_TIMEOUT=0
+# CONFIG_HTTP_HAS_CGI is not set
+CONFIG_HTTP_CGI_EXTENSIONS=""
+# CONFIG_HTTP_ENABLE_LUA is not set
+CONFIG_HTTP_LUA_PREFIX=""
+# CONFIG_HTTP_BUILD_LUA is not set
+CONFIG_HTTP_CGI_LAUNCHER=""
+# CONFIG_HTTP_DIRECTORIES is not set
+# CONFIG_HTTP_HAS_AUTHORIZATION is not set
+# CONFIG_HTTP_HAS_IPV6 is not set
+# CONFIG_HTTP_ENABLE_DIFFERENT_USER is not set
+CONFIG_HTTP_USER=""
+# CONFIG_HTTP_VERBOSE is not set
+# CONFIG_HTTP_IS_DAEMON is not set
+
+#
+# Language Bindings
+#
+# CONFIG_BINDINGS is not set
+# CONFIG_CSHARP_BINDINGS is not set
+# CONFIG_VBNET_BINDINGS is not set
+CONFIG_DOT_NET_FRAMEWORK_BASE=""
+# CONFIG_JAVA_BINDINGS is not set
+CONFIG_JAVA_HOME=""
+# CONFIG_PERL_BINDINGS is not set
+CONFIG_PERL_CORE=""
+CONFIG_PERL_LIB=""
+# CONFIG_LUA_BINDINGS is not set
+CONFIG_LUA_CORE=""
+
+#
+# Samples
+#
+# CONFIG_SAMPLES is not set
+# CONFIG_C_SAMPLES is not set
+# CONFIG_CSHARP_SAMPLES is not set
+# CONFIG_VBNET_SAMPLES is not set
+# CONFIG_JAVA_SAMPLES is not set
+# CONFIG_PERL_SAMPLES is not set
+# CONFIG_LUA_SAMPLES is not set
+# CONFIG_BIGINT_CLASSICAL is not set
+# CONFIG_BIGINT_MONTGOMERY is not set
+# CONFIG_BIGINT_BARRETT is not set
+# CONFIG_BIGINT_CRT is not set
+# CONFIG_BIGINT_KARATSUBA is not set
+MUL_KARATSUBA_THRESH=0
+SQU_KARATSUBA_THRESH=0
+# CONFIG_BIGINT_SLIDING_WINDOW is not set
+# CONFIG_BIGINT_SQUARE is not set
+# CONFIG_BIGINT_CHECK_ON is not set
+# CONFIG_INTEGER_32BIT is not set
+# CONFIG_INTEGER_16BIT is not set
+# CONFIG_INTEGER_8BIT is not set

crypto/aes.c

@@ -159,8 +159,6 @@ static const unsigned char Rcon[30]=
 };
 
 /* ----- static functions ----- */
-static void AES_encrypt(const AES_CTX *ctx, uint32_t *data);
-static void AES_decrypt(const AES_CTX *ctx, uint32_t *data);
 
 /* Perform doubling in Galois Field GF(2^8) using the irreducible polynomial
    x^8+x^4+x^3+x+1 */
@@ -241,7 +239,10 @@ void AES_set_key(AES_CTX *ctx, const uint8_t *key,
     }
 
     /* copy the iv across */
-    memcpy(ctx->iv, iv, 16);
+    if (iv)
+    {
+        memcpy(ctx->iv, iv, 16);
+    }
 }
 
 /**
@@ -348,7 +349,7 @@ void AES_cbc_decrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
 /**
  * Encrypt a single block (16 bytes) of data
  */
-static void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
+void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
 {
     /* To make this code smaller, generate the sbox entries on the fly.
      * This will have a really heavy effect upon performance.
@@ -398,7 +399,7 @@ static void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
 /**
  * Decrypt a single block (16 bytes) of data
  */
-static void AES_decrypt(const AES_CTX *ctx, uint32_t *data)
+void AES_decrypt(const AES_CTX *ctx, uint32_t *data)
 { 
     uint32_t tmp[4];
     uint32_t xt0,xt1,xt2,xt3,xt4,xt5,xt6;

crypto/bigint.c

@@ -1379,6 +1379,10 @@ bigint *bi_mod_power(BI_CTX *ctx, bigint *bi, bigint *biexp)
      * will reduce to standard left-to-right exponentiation */
     do
     {
+#ifdef __ets__
+        void ets_loop_iter(void);
+        ets_loop_iter();
+#endif
         if (exp_bit_is_one(biexp, i))
         {
             int l = i-window_size+1;

crypto/crypto.h

@@ -51,12 +51,14 @@ extern "C" {
 
 
 /* enable features based on a 'super-set' capbaility. */
+#if 0
 #if defined(CONFIG_SSL_FULL_MODE) 
 #define CONFIG_SSL_ENABLE_CLIENT
 #define CONFIG_SSL_CERT_VERIFICATION
 #elif defined(CONFIG_SSL_ENABLE_CLIENT)
 #define CONFIG_SSL_CERT_VERIFICATION
 #endif
+#endif
 
 /**************************************************************************
  * AES declarations 
@@ -86,6 +88,8 @@ void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg,
         uint8_t *out, int length);
 void AES_cbc_decrypt(AES_CTX *ks, const uint8_t *in, uint8_t *out, int length);
 void AES_convert_key(AES_CTX *ctx);
+void AES_encrypt(const AES_CTX *ctx, uint32_t *data);
+void AES_decrypt(const AES_CTX *ctx, uint32_t *data);
 
 /**************************************************************************
  * RC4 declarations 
@@ -128,6 +132,8 @@ void SHA1_Final(uint8_t *digest, SHA1_CTX *);
 
 #define SHA256_SIZE   32
 
+#ifndef SHA256_CTX
+#define SHA256_CTX SHA256_CTX
 typedef struct
 {
     uint32_t total[2];
@@ -138,6 +144,7 @@ typedef struct
 void SHA256_Init(SHA256_CTX *c);
 void SHA256_Update(SHA256_CTX *, const uint8_t *input, int len);
 void SHA256_Final(uint8_t *digest, SHA256_CTX *);
+#endif
 
 /**************************************************************************
  * SHA512 declarations 
@@ -196,9 +203,9 @@ EXP_FUNC void STDCALL MD5_Final(uint8_t *digest, MD5_CTX *);
 /**************************************************************************
  * HMAC declarations 
  **************************************************************************/
-void hmac_md5(const uint8_t *msg, int length, const uint8_t *key, 
+void ssl_hmac_md5(const uint8_t *msg, int length, const uint8_t *key, 
         int key_len, uint8_t *digest);
-void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, 
+void ssl_hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, 
         int key_len, uint8_t *digest);
 void hmac_sha256(const uint8_t *msg, int length, const uint8_t *key, 
         int key_len, uint8_t *digest);
@@ -242,14 +249,15 @@ void RSA_free(RSA_CTX *ctx);
 int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint8_t *out_data,
         int out_len, int is_decryption);
 bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg);
-#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT)
+// Don't bother to ifdef prototypes, let them be
+//#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT)
 bigint *RSA_sign_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len,
         bigint *modulus, bigint *pub_exp);
 bigint *RSA_public(const RSA_CTX * c, bigint *bi_msg);
 int RSA_encrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint16_t in_len, 
         uint8_t *out_data, int is_signing);
 void RSA_print(const RSA_CTX *ctx);
-#endif
+//#endif
 
 /**************************************************************************
  * RNG declarations 

crypto/crypto_misc.c

@@ -42,7 +42,7 @@
 #include "wincrypt.h"
 #endif
 
-#ifndef WIN32
+#if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
 static int rng_fd = -1;
 #elif defined(CONFIG_WIN32_USE_CRYPTO_LIB)
 static HCRYPTPROV gCryptProv;
@@ -120,11 +120,17 @@ EXP_FUNC void STDCALL RNG_initialize()
             exit(1);
         }
     }
-#else
+#elif !defined(__ets__)
     /* start of with a stack to copy across */
     int i;
     memcpy(entropy_pool, &i, ENTROPY_POOL_SIZE);
+    #ifdef __ANDROID__
+    /* Later android releases have rand_r(), but classic ones, e.g.
+       android-3 (1.5) have jrand48(). */
+    jrand48((unsigned short *)entropy_pool);
+    #else
     rand_r((unsigned int *)entropy_pool); 
+    #endif
 #endif
 }
 
@@ -146,7 +152,7 @@ EXP_FUNC void STDCALL RNG_custom_init(const uint8_t *seed_buf, int size)
  */
 EXP_FUNC void STDCALL RNG_terminate(void)
 {
-#ifndef WIN32
+#if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
     close(rng_fd);
 #elif defined(CONFIG_WIN32_USE_CRYPTO_LIB)
     CryptReleaseContext(gCryptProv, 0);
@@ -158,7 +164,13 @@ EXP_FUNC void STDCALL RNG_terminate(void)
  */
 EXP_FUNC int STDCALL get_random(int num_rand_bytes, uint8_t *rand_data)
 {   
-#if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
+#ifdef __ets__
+// see http://esp8266-re.foogod.com/wiki/Random_Number_Generator
+#define WDEV_HWRNG ((volatile uint32_t*)0x3ff20e44)
+    while (num_rand_bytes--) {
+        *rand_data++ = *WDEV_HWRNG;
+    }
+#elif !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
     /* use the Linux default - read from /dev/urandom */
     if (read(rng_fd, rand_data, num_rand_bytes) < 0) 
         return -1;
@@ -223,7 +235,7 @@ int get_random_NZ(int num_rand_bytes, uint8_t *rand_data)
 /**
  * Some useful diagnostic routines
  */
-#if defined(CONFIG_SSL_FULL_MODE) || defined(CONFIG_DEBUG)
+#if defined(CONFIG_SSL_DIAGNOSTICS) || defined(CONFIG_DEBUG)
 int hex_finish;
 int hex_index;
 
@@ -276,7 +288,7 @@ EXP_FUNC void STDCALL print_blob(const char *format,
     va_list(ap);
 
     va_start(ap, size);
-    sprintf(tmp, "%s\n", format);
+    snprintf(tmp, sizeof(tmp), "%s\n", format);
     vprintf(tmp, ap);
     print_hex_init(size);
     for (i = 0; i < size; i++)

crypto/hmac.c

@@ -42,31 +42,34 @@
  * Perform HMAC-MD5
  * NOTE: does not handle keys larger than the block size.
  */
-void hmac_md5(const uint8_t *msg, int length, const uint8_t *key, 
+void ssl_hmac_md5(const uint8_t *msg, int length, const uint8_t *key, 
         int key_len, uint8_t *digest)
 {
     MD5_CTX context;
-    uint8_t k_ipad[64];
-    uint8_t k_opad[64];
+    uint8_t k_pad[64];
     int i;
 
-    memset(k_ipad, 0, sizeof k_ipad);
-    memset(k_opad, 0, sizeof k_opad);
-    memcpy(k_ipad, key, key_len);
-    memcpy(k_opad, key, key_len);
-
+    memset(k_pad, 0, sizeof k_pad);
+    memcpy(k_pad, key, key_len);
     for (i = 0; i < 64; i++)
     {
-        k_ipad[i] ^= 0x36;
-        k_opad[i] ^= 0x5c;
+        k_pad[i] ^= 0x36;
     }
 
     MD5_Init(&context);
-    MD5_Update(&context, k_ipad, 64);
+    MD5_Update(&context, k_pad, 64);
     MD5_Update(&context, msg, length);
     MD5_Final(digest, &context);
+
+    memset(k_pad, 0, sizeof k_pad);
+    memcpy(k_pad, key, key_len);
+    for (i = 0; i < 64; i++) 
+    {
+        k_pad[i] ^= 0x5c;
+    }
+
     MD5_Init(&context);
-    MD5_Update(&context, k_opad, 64);
+    MD5_Update(&context, k_pad, 64);
     MD5_Update(&context, digest, MD5_SIZE);
     MD5_Final(digest, &context);
 }
@@ -75,31 +78,34 @@ void hmac_md5(const uint8_t *msg, int length, const uint8_t *key,
  * Perform HMAC-SHA1
  * NOTE: does not handle keys larger than the block size.
  */
-void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, 
+void ssl_hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, 
         int key_len, uint8_t *digest)
 {
     SHA1_CTX context;
-    uint8_t k_ipad[64];
-    uint8_t k_opad[64];
+    uint8_t k_pad[64];
     int i;
 
-    memset(k_ipad, 0, sizeof k_ipad);
-    memset(k_opad, 0, sizeof k_opad);
-    memcpy(k_ipad, key, key_len);
-    memcpy(k_opad, key, key_len);
-
+    memset(k_pad, 0, sizeof k_pad);
+    memcpy(k_pad, key, key_len);
     for (i = 0; i < 64; i++)
     {
-        k_ipad[i] ^= 0x36;
-        k_opad[i] ^= 0x5c;
+        k_pad[i] ^= 0x36;
     }
 
     SHA1_Init(&context);
-    SHA1_Update(&context, k_ipad, 64);
+    SHA1_Update(&context, k_pad, 64);
     SHA1_Update(&context, msg, length);
     SHA1_Final(digest, &context);
+
+    memset(k_pad, 0, sizeof k_pad);
+    memcpy(k_pad, key, key_len);
+    for (i = 0; i < 64; i++) 
+    {
+        k_pad[i] ^= 0x5c;
+    }
+
     SHA1_Init(&context);
-    SHA1_Update(&context, k_opad, 64);
+    SHA1_Update(&context, k_pad, 64);
     SHA1_Update(&context, digest, SHA1_SIZE);
     SHA1_Final(digest, &context);
 }

crypto/md5.c

@@ -74,6 +74,13 @@ static const uint8_t PADDING[64] =
 #define H(x, y, z) ((x) ^ (y) ^ (z))
 #define I(x, y, z) ((y) ^ ((x) | (~z)))
 
+/* Versions for size-optimized code. */
+#define IDX(v) ((v) & 3)
+#define F_(a, i) ((a[IDX(i + 1)] & a[IDX(i + 2)]) | (~a[IDX(i + 1)] & a[IDX(i + 3)]))
+#define G_(a, i) ((a[IDX(i + 1)] & a[IDX(i + 3)]) | (a[IDX(i + 2)] & ~a[IDX(i + 3)]))
+#define H_(a, i) (a[IDX(i + 1)] ^ a[IDX(i + 2)] ^ a[IDX(i + 3)])
+#define I_(a, i) (a[IDX(i + 2)] ^ (a[IDX(i + 1)] | ~a[IDX(i + 3)]))
+
 /* ROTATE_LEFT rotates x left n bits.  */
 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
 
@@ -178,6 +185,8 @@ EXP_FUNC void STDCALL MD5_Final(uint8_t *digest, MD5_CTX *ctx)
 /**
  * MD5 basic transformation. Transforms state based on block.
  */
+#if OPTIMIZE_FOR_SPEED
+
 static void MD5Transform(uint32_t state[4], const uint8_t block[64])
 {
     uint32_t a = state[0], b = state[1], c = state[2], 
@@ -263,6 +272,136 @@ static void MD5Transform(uint32_t state[4], const uint8_t block[64])
     state[3] += d;
 }
 
+#else
+
+static void MD5Transform(uint32_t state[4], const uint8_t block[64])
+{
+    uint32_t arr[4], x[MD5_SIZE];
+    memcpy(arr, state, sizeof(arr));
+
+    Decode(x, block, 64);
+
+    static const uint32_t round_ac[] = {
+        0xd76aa478, /* 1 */
+        0xe8c7b756, /* 2 */
+        0x242070db, /* 3 */
+        0xc1bdceee, /* 4 */
+        0xf57c0faf, /* 5 */
+        0x4787c62a, /* 6 */
+        0xa8304613, /* 7 */
+        0xfd469501, /* 8 */
+        0x698098d8, /* 9 */
+        0x8b44f7af, /* 10 */
+        0xffff5bb1, /* 11 */
+        0x895cd7be, /* 12 */
+        0x6b901122, /* 13 */
+        0xfd987193, /* 14 */
+        0xa679438e, /* 15 */
+        0x49b40821, /* 16 */
+        0xf61e2562, /* 17 */
+        0xc040b340, /* 18 */
+        0x265e5a51, /* 19 */
+        0xe9b6c7aa, /* 20 */
+        0xd62f105d, /* 21 */
+         0x2441453, /* 22 */
+        0xd8a1e681, /* 23 */
+        0xe7d3fbc8, /* 24 */
+        0x21e1cde6, /* 25 */
+        0xc33707d6, /* 26 */
+        0xf4d50d87, /* 27 */
+        0x455a14ed, /* 28 */
+        0xa9e3e905, /* 29 */
+        0xfcefa3f8, /* 30 */
+        0x676f02d9, /* 31 */
+        0x8d2a4c8a, /* 32 */
+        0xfffa3942, /* 33 */
+        0x8771f681, /* 34 */
+        0x6d9d6122, /* 35 */
+        0xfde5380c, /* 36 */
+        0xa4beea44, /* 37 */
+        0x4bdecfa9, /* 38 */
+        0xf6bb4b60, /* 39 */
+        0xbebfbc70, /* 40 */
+        0x289b7ec6, /* 41 */
+        0xeaa127fa, /* 42 */
+        0xd4ef3085, /* 43 */
+         0x4881d05, /* 44 */
+        0xd9d4d039, /* 45 */
+        0xe6db99e5, /* 46 */
+        0x1fa27cf8, /* 47 */
+        0xc4ac5665, /* 48 */
+        0xf4292244, /* 49 */
+        0x432aff97, /* 50 */
+        0xab9423a7, /* 51 */
+        0xfc93a039, /* 52 */
+        0x655b59c3, /* 53 */
+        0x8f0ccc92, /* 54 */
+        0xffeff47d, /* 55 */
+        0x85845dd1, /* 56 */
+        0x6fa87e4f, /* 57 */
+        0xfe2ce6e0, /* 58 */
+        0xa3014314, /* 59 */
+        0x4e0811a1, /* 60 */
+        0xf7537e82, /* 61 */
+        0xbd3af235, /* 62 */
+        0x2ad7d2bb, /* 63 */
+        0xeb86d391, /* 64 */
+    };
+
+    static const uint8_t round1_s[] = {
+        7, 12, 17, 22,
+        5,  9, 14, 20,
+        4, 11, 16, 23,
+        6, 10, 15, 21,
+    };
+
+    static const uint8_t round_order[] = {
+        0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+        1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12,
+        5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2,
+        0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9,
+    };
+
+    unsigned i;
+
+    const uint8_t *round_s = round1_s - 4;
+    for (i = 0; i < 64; i++) {
+        int off = IDX(4 - i);
+        uint32_t v;
+
+        // Code size is bigger
+        //round_s = round1_s + (i >> 4) * 4;
+        if ((i & 15) == 0) {
+            round_s += 4;
+        }
+
+        if (i < 32) {
+            if (i < 16) {
+                v = F_(arr, off);
+            } else {
+                v = G_(arr, off);
+            }
+        } else {
+            if (i < 48) {
+                v = H_(arr, off);
+            } else {
+                v = I_(arr, off);
+            }
+        }
+        v += arr[off];
+        v += x[round_order[i]] + round_ac[i];
+        v = ROTATE_LEFT(v, round_s[i & 3]);
+        v += arr[IDX(off + 1)];
+        arr[off] = v;
+    }
+
+    state[0] += arr[0];
+    state[1] += arr[1];
+    state[2] += arr[2];
+    state[3] += arr[3];
+}
+#endif // OPTIMIZE_FOR_SPEED
+
 /**
  * Encodes input (uint32_t) into output (uint8_t). Assumes len is
  *   a multiple of 4.

crypto/rsa.c

@@ -231,7 +231,7 @@ void RSA_print(const RSA_CTX *rsa_ctx)
 }
 #endif
 
-#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT)
+#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT) || (CONFIG_SSL_ENABLE_CLIENT)
 /**
  * Performs c = m^e mod n
  */

crypto/sha256.c

@@ -32,6 +32,8 @@
 #include "os_port.h"
 #include "crypto.h"
 
+#ifndef SHA256_CTX
+
 #define GET_UINT32(n,b,i)                       \
 {                                               \
     (n) = ((uint32_t) (b)[(i)    ] << 24)       \
@@ -272,3 +274,5 @@ void SHA256_Final(uint8_t *digest, SHA256_CTX *ctx)
     PUT_UINT32(ctx->state[6], digest, 24);
     PUT_UINT32(ctx->state[7], digest, 28);
 }
+
+#endif // SHA256_CTX

samples/c/axssl.c

@@ -86,8 +86,8 @@ int main(int argc, char *argv[])
                 strcmp(argv[1], "s_server") && strcmp(argv[1], "s_client")))
         print_options(argc > 1 ? argv[1] : "");
 
-    strcmp(argv[1], "s_server") ? 
-        do_client(argc, argv) : do_server(argc, argv);
+//    strcmp(argv[1], "s_server") ? 
+        do_client(argc, argv);// : do_server(argc, argv);
     return 0;
 }
 
@@ -573,6 +573,7 @@ static void do_client(int argc, char *argv[])
         exit(1);
     }
 
+#ifndef CONFIG_SSL_SKELETON_MODE
     if (private_key_file)
     {
         int obj_type = SSL_OBJ_RSA_KEY;
@@ -608,6 +609,7 @@ static void do_client(int argc, char *argv[])
             exit(1);
         }
     }
+#endif
 
     free(cert);
     free(ca_cert);

ssl/Config.in

@@ -34,16 +34,6 @@ config CONFIG_SSL_CERT_VERIFICATION
         have an SSL server which requires client authentication (which is 
         uncommon in browser applications).
 
-config CONFIG_SSL_ENABLE_CLIENT
-    bool "Client/Server enabled"
-    help
-        Enable client/server functionality (including peer authentication).
-
-        The axssl sample runs with the "s_client" option enabled.
-
-        This mode produces a library about 51kB in size. Use this mode if you
-        require axTLS to use SSL client functionality (the SSL server code
-        is always enabled).
 
 config CONFIG_SSL_FULL_MODE
     bool "Client/Server enabled with diagnostics"
@@ -79,9 +69,30 @@ config CONFIG_SSL_SKELETON_MODE
 
 endchoice
 
+config CONFIG_SSL_ENABLE_SERVER
+    bool "Server enabled"
+    help
+        Enable server functionality.
+
+config CONFIG_SSL_ENABLE_CLIENT
+    bool "Client enabled"
+    help
+        Enable client functionality.
+
+        The axssl sample runs with the "s_client" option enabled.
+
+        This mode produces a library about 51kB in size. Use this mode if you
+        require axTLS to use SSL client functionality (the SSL server code
+        is always enabled).
+
+config CONFIG_SSL_DIAGNOSTICS
+    bool "Diagnostic messages"
+    help
+        Enable support for diagnostics of connection progress and state.
+
 choice
     prompt "Protocol Preference"
-    depends on !CONFIG_SSL_SKELETON_MODE
+#    depends on !CONFIG_SSL_SKELETON_MODE
     default CONFIG_SSL_PROT_MEDIUM
 
 config CONFIG_SSL_PROT_LOW
@@ -110,9 +121,15 @@ config CONFIG_SSL_PROT_HIGH
 
 endchoice
 
+config CONFIG_SSL_AES
+    bool "Enable AES cipher"
+    default y
+    help
+        Enable/disable AES support.
+
 config CONFIG_SSL_USE_DEFAULT_KEY
     bool "Enable default key"
-    depends on !CONFIG_SSL_SKELETON_MODE
+#    depends on !CONFIG_SSL_SKELETON_MODE
     default y 
     help
         Some applications will not require the default private key/certificate
@@ -241,7 +258,7 @@ config CONFIG_SSL_EXPIRY_TIME
 config CONFIG_X509_MAX_CA_CERTS
     int "Maximum number of certificate authorites"
     default 150
-    depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
+#    depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
     help
         Determines the number of CA's allowed. 
 

ssl/Makefile

@@ -62,7 +62,7 @@ STATIC_LIB=$(AXTLS_HOME)/$(STAGE)/axtls.static.lib
 CRYPTO_PATH=$(AXTLS_HOME)\\crypto\\
 endif
 
-libs: $(TARGET1) $(TARGET2)
+libs: $(TARGET1) #$(TARGET2)
 
 CRYPTO_OBJ=\
 	$(CRYPTO_PATH)aes.o \
@@ -94,7 +94,7 @@ include $(AXTLS_HOME)/config/makefile.post
 ifndef CONFIG_PLATFORM_WIN32     # Linux/Unix/Cygwin
 
 $(TARGET1) : $(CRYPTO_OBJ) $(OBJ)
-	$(AR) -r $@ $(CRYPTO_OBJ) $(OBJ)
+	$(AR) -rcs $@ $(CRYPTO_OBJ) $(OBJ)
 
 $(TARGET2) : $(CRYPTO_OBJ) $(OBJ)
 ifndef CONFIG_PLATFORM_CYGWIN

ssl/crypto_misc.h

@@ -111,23 +111,23 @@ struct _x509_ctx
 
 typedef struct _x509_ctx X509_CTX;
 
-#ifdef CONFIG_SSL_CERT_VERIFICATION
+//#ifdef CONFIG_SSL_CERT_VERIFICATION
 typedef struct 
 {
     X509_CTX *cert[CONFIG_X509_MAX_CA_CERTS];
 } CA_CERT_CTX;
-#endif
+//#endif
 
 int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx);
 void x509_free(X509_CTX *x509_ctx);
-#ifdef CONFIG_SSL_CERT_VERIFICATION
+//#ifdef CONFIG_SSL_CERT_VERIFICATION
 int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert, 
         int *pathLenConstraint);
-#endif
-#ifdef CONFIG_SSL_FULL_MODE
+//#endif
+//#ifdef CONFIG_SSL_FULL_MODE
 void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx);
 const char * x509_display_error(int error);
-#endif
+//#endif
 
 /**************************************************************************
  * ASN1 declarations 
@@ -197,7 +197,7 @@ typedef void (*hmac_func)(const uint8_t *msg, int length, const uint8_t *key,
 
 int get_file(const char *filename, uint8_t **buf);
 
-#if defined(CONFIG_SSL_FULL_MODE) || defined(WIN32) || defined(CONFIG_DEBUG)
+#if defined(CONFIG_SSL_DIAGNOSTICS) || defined(WIN32) || defined(CONFIG_DEBUG)
 EXP_FUNC void STDCALL print_blob(const char *format, const uint8_t *data, int size, ...);
 #else
     #define print_blob(...)

ssl/loader.c

@@ -44,6 +44,8 @@
 #include "os_port.h"
 #include "ssl.h"
 
+#if CONFIG_SSL_ENABLE_SERVER
+
 static int do_obj(SSL_CTX *ssl_ctx, int obj_type, 
                     SSLObjLoader *ssl_obj, const char *password);
 #ifdef CONFIG_SSL_HAS_PEM
@@ -486,3 +488,5 @@ error:
     return ret;
 
 }
+
+#endif

ssl/os_port.c

@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 2007-2016, Cameron Rich
- * 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice, 
- *   this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright notice, 
- *   this list of conditions and the following disclaimer in the documentation 
- *   and/or other materials provided with the distribution.
- * * Neither the name of the axTLS project nor the names of its contributors 
- *   may be used to endorse or promote products derived from this software 
- *   without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * @file os_port.c
- *
- * OS specific functions.
- */
-#include <time.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <stdarg.h>
-#include "os_port.h"
-
-#ifdef WIN32
-/**
- * gettimeofday() not in Win32 
- */
-EXP_FUNC void STDCALL gettimeofday(struct timeval* t, void* timezone)
-{       
-#if defined(_WIN32_WCE)
-    t->tv_sec = time(NULL);
-    t->tv_usec = 0;                         /* 1sec precision only */ 
-#else
-    struct _timeb timebuffer;
-    _ftime(&timebuffer);
-    t->tv_sec = (long)timebuffer.time;
-    t->tv_usec = 1000 * timebuffer.millitm; /* 1ms precision */
-#endif
-}
-
-/**
- * strcasecmp() not in Win32
- */
-EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2)
-{
-    while (tolower(*s1) == tolower(*s2++))
-    {
-        if (*s1++ == '\0')
-        {
-            return 0;
-        }
-    }
-
-    return *(unsigned char *)s1 - *(unsigned char *)(s2 - 1);
-}
-
-
-EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size)
-{
-    HKEY hKey;
-    unsigned long datatype;
-    unsigned long bufferlength = buf_size;
-
-    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
-            TEXT("SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"),
-                        0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
-        return -1;
-
-    RegQueryValueEx(hKey, "Domain", NULL, &datatype, buf, &bufferlength);
-    RegCloseKey(hKey);
-    return 0; 
-}
-#endif
-

ssl/os_port.h

@@ -1,188 +0,0 @@
-/*
- * Copyright (c) 2007-2016, Cameron Rich
- * 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice, 
- *   this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright notice, 
- *   this list of conditions and the following disclaimer in the documentation 
- *   and/or other materials provided with the distribution.
- * * Neither the name of the axTLS project nor the names of its contributors 
- *   may be used to endorse or promote products derived from this software 
- *   without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * @file os_port.h
- *
- * Some stuff to minimise the differences between windows and linux/unix
- */
-
-#ifndef HEADER_OS_PORT_H
-#define HEADER_OS_PORT_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "os_int.h"
-#include "config.h"
-#include <stdio.h>
-
-#if defined(WIN32)
-#define STDCALL                 __stdcall
-#define EXP_FUNC                __declspec(dllexport)
-#else
-#define STDCALL
-#define EXP_FUNC
-#endif
-
-#if defined(_WIN32_WCE)
-#undef WIN32
-#define WIN32
-#endif
-
-#ifdef WIN32
-
-/* Windows CE stuff */
-#if defined(_WIN32_WCE)
-#include <basetsd.h>
-#define abort()                 exit(1)
-#else
-#include <io.h>
-#include <process.h>
-#include <sys/timeb.h>
-#include <fcntl.h>
-#endif      /* _WIN32_WCE */
-
-#include <winsock.h>
-#include <direct.h>
-#undef getpid
-#undef open
-#undef close
-#undef sleep
-#undef gettimeofday
-#undef dup2
-#undef unlink
-
-#define SOCKET_READ(A,B,C)      recv(A,B,C,0)
-#define SOCKET_WRITE(A,B,C)     send(A,B,C,0)
-#define SOCKET_CLOSE(A)         closesocket(A)
-#define srandom(A)              srand(A)
-#define random()                rand()
-#define getpid()                _getpid()
-#define snprintf                _snprintf
-#define open(A,B)               _open(A,B)
-#define dup2(A,B)               _dup2(A,B)
-#define unlink(A)               _unlink(A)
-#define close(A)                _close(A)
-#define read(A,B,C)             _read(A,B,C)
-#define write(A,B,C)            _write(A,B,C)
-#define sleep(A)                Sleep(A*1000)
-#define usleep(A)               Sleep(A/1000)
-#define strdup(A)               _strdup(A)
-#define chroot(A)               _chdir(A)
-#define chdir(A)                _chdir(A)
-#define alloca(A)               _alloca(A)
-#ifndef lseek
-#define lseek(A,B,C)            _lseek(A,B,C)
-#endif
-
-/* This fix gets around a problem where a win32 application on a cygwin xterm
-   doesn't display regular output (until a certain buffer limit) - but it works
-   fine under a normal DOS window. This is a hack to get around the issue - 
-   see http://www.khngai.com/emacs/tty.php  */
-#define TTY_FLUSH()             if (!_isatty(_fileno(stdout))) fflush(stdout);
-
-/*
- * automatically build some library dependencies.
- */
-#pragma comment(lib, "WS2_32.lib")
-#pragma comment(lib, "AdvAPI32.lib")
-
-typedef int socklen_t;
-
-EXP_FUNC void STDCALL gettimeofday(struct timeval* t,void* timezone);
-EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2);
-EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size);
-
-#else   /* Not Win32 */
-
-#include <unistd.h>
-#include <pwd.h>
-#include <netdb.h>
-#include <dirent.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/byteorder.h>
-
-#define SOCKET_READ(A,B,C)      read(A,B,C)
-#define SOCKET_WRITE(A,B,C)     write(A,B,C)
-#define SOCKET_CLOSE(A)         if (A >= 0) close(A)
-#define TTY_FLUSH()
-
-#ifndef be64toh
-#define be64toh(x) __be64_to_cpu(x)
-#endif
-
-#endif  /* Not Win32 */
-
-/* some functions to mutate the way these work */
-EXP_FUNC int STDCALL ax_open(const char *pathname, int flags); 
-
-#ifdef CONFIG_PLATFORM_LINUX
-void exit_now(const char *format, ...) __attribute((noreturn));
-#else
-void exit_now(const char *format, ...);
-#endif
-
-/* Mutexing definitions */
-#if defined(CONFIG_SSL_CTX_MUTEXING)
-#if defined(WIN32)
-#define SSL_CTX_MUTEX_TYPE          HANDLE
-#define SSL_CTX_MUTEX_INIT(A)       A=CreateMutex(0, FALSE, 0)
-#define SSL_CTX_MUTEX_DESTROY(A)    CloseHandle(A)
-#define SSL_CTX_LOCK(A)             WaitForSingleObject(A, INFINITE)
-#define SSL_CTX_UNLOCK(A)           ReleaseMutex(A)
-#else 
-#include <pthread.h>
-#define SSL_CTX_MUTEX_TYPE          pthread_mutex_t
-#define SSL_CTX_MUTEX_INIT(A)       pthread_mutex_init(&A, NULL)
-#define SSL_CTX_MUTEX_DESTROY(A)    pthread_mutex_destroy(&A)
-#define SSL_CTX_LOCK(A)             pthread_mutex_lock(&A)
-#define SSL_CTX_UNLOCK(A)           pthread_mutex_unlock(&A)
-#endif
-#else   /* no mutexing */
-#define SSL_CTX_MUTEX_INIT(A)
-#define SSL_CTX_MUTEX_DESTROY(A)
-#define SSL_CTX_LOCK(A)
-#define SSL_CTX_UNLOCK(A)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif 

ssl/os_port.h

@@ -0,0 +1 @@
+os_port_micropython.h

ssl/os_port_micropython.h

@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2007-2015, Cameron Rich
+ * 
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice, 
+ *   this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice, 
+ *   this list of conditions and the following disclaimer in the documentation 
+ *   and/or other materials provided with the distribution.
+ * * Neither the name of the axTLS project nor the names of its contributors 
+ *   may be used to endorse or promote products derived from this software 
+ *   without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * @file os_port.h
+ *
+ * Some stuff to minimise the differences between windows and linux/unix
+ */
+
+#ifndef HEADER_OS_PORT_H
+#define HEADER_OS_PORT_H
+
+#include "os_int.h"
+#include <errno.h>
+#include <sys/types.h>
+#ifndef __ets__
+#include <arpa/inet.h>
+#endif
+#include <sys/time.h>
+#include "config.h"
+
+ssize_t mp_stream_posix_write(void *sock_obj, const void *buf, size_t len);
+ssize_t mp_stream_posix_read(void *sock_obj, void *buf, size_t len);
+extern int mp_stream_errno;
+
+#if 1
+#define SOCKET_READ(A,B,C)      mp_stream_posix_read((void*)A,B,C)
+#define SOCKET_WRITE(A,B,C)     mp_stream_posix_write((void*)A,B,C)
+#define SOCKET_CLOSE(A)         NOT_USED_IN_LIB_CODE
+#define SOCKET_ERRNO() mp_stream_errno
+#else
+#define SOCKET_READ(A,B,C)      read(A,B,C)
+#define SOCKET_WRITE(A,B,C)     write(A,B,C)
+#define SOCKET_CLOSE(A)         if (A >= 0) close(A)
+#define SOCKET_ERRNO()          errno
+#endif
+#define ax_calloc(x, y) calloc(x, y)
+#define ax_open(x, y) open(x, y)
+
+#ifndef be64toh
+#define be64toh(x) __be64_to_cpu(x)
+#endif
+
+#define SSL_CTX_MUTEX_INIT(A)
+#define SSL_CTX_MUTEX_DESTROY(A)
+#define SSL_CTX_LOCK(A)
+#define SSL_CTX_UNLOCK(A)
+
+#define TTY_FLUSH()
+
+#include "../../../extmod/crypto-algorithms/sha256.h"
+
+#define SHA256_CTX CRYAL_SHA256_CTX
+#define SHA256_Init(a) sha256_init(a)
+#define SHA256_Update(a, b, c) sha256_update(a, b, c)
+#define SHA256_Final(a, b) sha256_final(b, a)
+
+#endif

ssl/p12.c

@@ -409,7 +409,7 @@ int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
                             key, SHA1_SIZE, PKCS12_MAC_ID)) < 0)
         goto error;
 
-    hmac_sha1(auth_safes, auth_safes_len, key, SHA1_SIZE, mac);
+    ssl_hmac_sha1(auth_safes, auth_safes_len, key, SHA1_SIZE, mac);
 
     if (memcmp(mac, orig_mac, SHA1_SIZE))
     {

ssl/ssl.h

@@ -89,6 +89,7 @@ extern "C" {
 #define SSL_NOT_OK                              -1
 #define SSL_ERROR_DEAD                          -2
 #define SSL_CLOSE_NOTIFY                        -3
+#define SSL_EAGAIN                              -4
 #define SSL_ERROR_CONN_LOST                     -256
 #define SSL_ERROR_RECORD_OVERFLOW               -257
 #define SSL_ERROR_SOCK_SETUP_FAILURE            -258
@@ -255,7 +256,7 @@ EXP_FUNC void STDCALL ssl_ext_free(SSL_EXTENSIONS *ssl_ext);
  * @param client_fd [in] The client's file descriptor. 
  * @return An SSL object reference.
  */
-EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd);
+EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, long client_fd);
 
 /**
  * @brief (client only) Establish a new SSL connection to an SSL server.
@@ -277,7 +278,7 @@ EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd);
  * @return An SSL object reference. Use ssl_handshake_status() to check 
  * if a handshake succeeded.
  */
-EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext);
+EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, long client_fd, const uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext);
 
 /**
  * @brief Free any used resources on this connection. 
@@ -328,7 +329,7 @@ EXP_FUNC int STDCALL ssl_write(SSL *ssl, const uint8_t *out_data, int out_len);
  * @return A reference to the SSL object. Returns null if the object could not 
  * be found.
  */
-EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, int client_fd);
+EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, long client_fd);
 
 /**
  * @brief Get the session id for a handshake. 

ssl/tls1.c

@@ -83,7 +83,7 @@ static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
         16,                             /* block padding size */
         SHA1_SIZE,                      /* digest size */
         2*(SHA1_SIZE+16+16),            /* key block size */
-        hmac_sha1,                      /* hmac algorithm */
+        ssl_hmac_sha1,                  /* hmac algorithm */
         (crypt_func)AES_cbc_encrypt,    /* encrypt */
         (crypt_func)AES_cbc_decrypt     /* decrypt */
     },
@@ -94,7 +94,7 @@ static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
         16,                             /* block padding size */
         SHA1_SIZE,                      /* digest size */
         2*(SHA1_SIZE+32+16),            /* key block size */
-        hmac_sha1,                      /* hmac algorithm */
+        ssl_hmac_sha1,                  /* hmac algorithm */
         (crypt_func)AES_cbc_encrypt,    /* encrypt */
         (crypt_func)AES_cbc_decrypt     /* decrypt */
     },       
@@ -169,11 +169,13 @@ EXP_FUNC SSL_CTX *STDCALL ssl_ctx_new(uint32_t options, int num_sessions)
     ssl_ctx->options = options;
     RNG_initialize();
 
+#ifdef CONFIG_SSL_ENABLE_SERVER
     if (load_key_certs(ssl_ctx) < 0)
     {
         free(ssl_ctx);  /* can't load our key/certificate pair, so die */
         return NULL;
     }
+#endif
 
 #ifndef CONFIG_SSL_SKELETON_MODE
     ssl_ctx->num_sessions = num_sessions;
@@ -293,7 +295,7 @@ EXP_FUNC int STDCALL ssl_read(SSL *ssl, uint8_t **in_data)
     int ret = basic_read(ssl, in_data);
 
     /* check for return code so we can send an alert */
-    if (ret < SSL_OK && ret != SSL_CLOSE_NOTIFY)
+    if (ret < SSL_OK && ret != SSL_CLOSE_NOTIFY && ret != SSL_EAGAIN)
     {
         if (ret != SSL_ERROR_CONN_LOST)
         {
@@ -352,7 +354,7 @@ int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
 
     if (i == CONFIG_SSL_MAX_CERTS) /* too many certs */
     {
-#ifdef CONFIG_SSL_FULL_MODE
+#ifdef CONFIG_SSL_DIAGNOSTICS
         printf("Error: maximum number of certs added (%d) - change of "
                 "compile-time configuration required\n",
                 CONFIG_SSL_MAX_CERTS);
@@ -531,7 +533,7 @@ EXP_FUNC const char * STDCALL ssl_get_cert_subject_alt_dnsname(const SSL *ssl,
 /*
  * Find an ssl object based on the client's file descriptor.
  */
-EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, int client_fd)
+EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, long client_fd)
 {
     SSL *ssl;
 
@@ -603,7 +605,7 @@ static const cipher_info_t *get_cipher_info(uint8_t cipher)
 /*
  * Get a new ssl context for a new connection.
  */
-SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd)
+SSL *ssl_new(SSL_CTX *ssl_ctx, long client_fd)
 {
     SSL *ssl = (SSL *)calloc(1, sizeof(SSL));
     ssl->ssl_ctx = ssl_ctx;
@@ -800,9 +802,9 @@ static void p_hash_md5(const uint8_t *sec, int sec_len,
     uint8_t a1[MD5_SIZE+77];
 
     /* A(1) */
-    hmac_md5(seed, seed_len, sec, sec_len, a1);
+    ssl_hmac_md5(seed, seed_len, sec, sec_len, a1);
     memcpy(&a1[MD5_SIZE], seed, seed_len);
-    hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
+    ssl_hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
 
     while (olen > MD5_SIZE)
     {
@@ -811,11 +813,11 @@ static void p_hash_md5(const uint8_t *sec, int sec_len,
         olen -= MD5_SIZE;
 
         /* A(N) */
-        hmac_md5(a1, MD5_SIZE, sec, sec_len, a2);
+        ssl_hmac_md5(a1, MD5_SIZE, sec, sec_len, a2);
         memcpy(a1, a2, MD5_SIZE);
 
         /* work out the actual hash */
-        hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
+        ssl_hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
     }
 }
 
@@ -828,9 +830,9 @@ static void p_hash_sha1(const uint8_t *sec, int sec_len,
     uint8_t a1[SHA1_SIZE+77];
 
     /* A(1) */
-    hmac_sha1(seed, seed_len, sec, sec_len, a1);
+    ssl_hmac_sha1(seed, seed_len, sec, sec_len, a1);
     memcpy(&a1[SHA1_SIZE], seed, seed_len);
-    hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
+    ssl_hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
 
     while (olen > SHA1_SIZE)
     {
@@ -839,11 +841,11 @@ static void p_hash_sha1(const uint8_t *sec, int sec_len,
         olen -= SHA1_SIZE;
 
         /* A(N) */
-        hmac_sha1(a1, SHA1_SIZE, sec, sec_len, a2);
+        ssl_hmac_sha1(a1, SHA1_SIZE, sec, sec_len, a2);
         memcpy(a1, a2, SHA1_SIZE);
 
         /* work out the actual hash */
-        hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
+        ssl_hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
     }
 }
 
@@ -1068,11 +1070,15 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol)
 #ifdef WIN32
             if (GetLastError() != WSAEWOULDBLOCK)
 #else
-            if (errno != EAGAIN && errno != EWOULDBLOCK)
+            if (SOCKET_ERRNO() != EAGAIN && SOCKET_ERRNO() != EWOULDBLOCK)
 #endif
                 return SSL_ERROR_CONN_LOST;
         }
 
+#ifdef PORT_USE_SELECT
+        // TODO: This should be factored into SOCKET_WAIT_WRITABLE(),
+        // with semantic being waiting until socket can be written
+        // regardless whether it is in blocking or non-blocking mode.
         /* keep going until the write buffer has some space */
         if (sent != pkt_size)
         {
@@ -1084,6 +1090,7 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol)
             if (select(ssl->client_fd + 1, NULL, &wfds, NULL, NULL) < 0)
                 return SSL_ERROR_CONN_LOST;
         }
+#endif
     }
 
     SET_SSL_FLAG(SSL_NEED_RECORD);  /* reset for next time */
@@ -1167,13 +1174,11 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
         if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_1)
         {
             uint8_t iv_size = ssl->cipher_info->iv_size;
-            uint8_t *t_buf = alloca(msg_length + iv_size);
-            memcpy(t_buf + iv_size, ssl->bm_data, msg_length);
-            if (get_random(iv_size, t_buf) < 0)
+            memmove(ssl->bm_data + iv_size, ssl->bm_data, msg_length);
+            if (get_random(iv_size, ssl->bm_data) < 0)
                 return SSL_NOT_OK;
 
             msg_length += iv_size;
-            memcpy(ssl->bm_data, t_buf, msg_length);
         }
 
         /* now encrypt the packet */
@@ -1304,9 +1309,9 @@ int basic_read(SSL *ssl, uint8_t **in_data)
 #ifdef WIN32
         if (GetLastError() == WSAEWOULDBLOCK)
 #else
-        if (errno == EAGAIN || errno == EWOULDBLOCK)
+        if (SOCKET_ERRNO() == EAGAIN || SOCKET_ERRNO() == EWOULDBLOCK)
 #endif
-            return 0;
+            return SSL_EAGAIN;
     }
 
     /* connection has gone, so die */
@@ -1347,6 +1352,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
         /* do we violate the spec with the message size?  */
         if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
         {
+            printf("TLS buffer overflow, record size: %u (+5)\n", ssl->need_bytes);
             ret = SSL_ERROR_RECORD_OVERFLOW;              
             goto error;
         }
@@ -1493,10 +1499,12 @@ static int do_handshake(SSL *ssl, uint8_t *buf, int read_len)
     if (handshake_type != HS_CERT_VERIFY && handshake_type != HS_HELLO_REQUEST)
         add_packet(ssl, buf, hs_len); 
 
-#if defined(CONFIG_SSL_ENABLE_CLIENT)
+#if defined(CONFIG_SSL_ENABLE_CLIENT) && defined(CONFIG_SSL_ENABLE_SERVER)
     ret = is_client ?
         do_clnt_handshake(ssl, handshake_type, buf, hs_len) :
         do_svr_handshake(ssl, handshake_type, buf, hs_len);
+#elif defined(CONFIG_SSL_ENABLE_CLIENT)
+    ret = do_clnt_handshake(ssl, handshake_type, buf, hs_len);
 #else
     ret = do_svr_handshake(ssl, handshake_type, buf, hs_len);
 #endif
@@ -1570,7 +1578,7 @@ int send_alert(SSL *ssl, int error_code)
         return SSL_ERROR_CONN_LOST;
     }
 
-#ifdef CONFIG_SSL_FULL_MODE
+#ifdef CONFIG_SSL_DIAGNOSTICS
     if (IS_SET_SSL_FLAG(SSL_DISPLAY_STATES))
         ssl_display_error(error_code);
 #endif
@@ -1989,6 +1997,7 @@ EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl)
 
     return ret;
 }
+#endif /* CONFIG_SSL_CERT_VERIFICATION */
 
 /**
  * Process a certificate message.
@@ -2060,6 +2069,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
     chain = certs[0];
     cert_used[0] = 1;
 
+#ifndef CONFIG_SSL_SKELETON_MODE
     // repeat until the end of the chain is found
     while (1)
     {
@@ -2099,6 +2109,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
     {
         ret = ssl_verify_cert(ssl);
     }
+#endif
 
     ssl->next_state = is_client ? HS_SERVER_HELLO_DONE : HS_CLIENT_KEY_XCHG;
     ssl->dc->bm_proc_index += offset;
@@ -2113,12 +2124,12 @@ error:
     return ret;
 }
 
-#endif /* CONFIG_SSL_CERT_VERIFICATION */
+//#endif /* CONFIG_SSL_CERT_VERIFICATION */
 
 /**
  * Debugging routine to display SSL handshaking stuff.
  */
-#ifdef CONFIG_SSL_FULL_MODE
+#ifdef CONFIG_SSL_DIAGNOSTICS
 /**
  * Debugging routine to display SSL states.
  */
@@ -2188,11 +2199,13 @@ void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok)
  */
 void DISPLAY_RSA(SSL *ssl, const RSA_CTX *rsa_ctx)
 {
+#ifdef CONFIG_SSL_FULL_MODE
     if (!IS_SET_SSL_FLAG(SSL_DISPLAY_RSA))
         return;
 
     RSA_print(rsa_ctx);
     TTY_FLUSH();
+#endif
 }
 
 /**
@@ -2338,7 +2351,7 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
             printf("bad record mac");
             break;
 
-        case SSL_ERROR_RECORD_OVERFLOW:
+        case SSL_ALERT_RECORD_OVERFLOW:
             printf("record overlow");
             break;
 
@@ -2409,13 +2422,13 @@ EXP_FUNC const char  * STDCALL ssl_version()
  * Enable the various language bindings to work regardless of the
  * configuration - they just return an error statement and a bad return code.
  */
-#if !defined(CONFIG_SSL_FULL_MODE)
+#if !defined(CONFIG_SSL_DIAGNOSTICS)
 EXP_FUNC void STDCALL ssl_display_error(int error_code) {}
 #endif
 
 #ifdef CONFIG_BINDINGS
 #if !defined(CONFIG_SSL_ENABLE_CLIENT)
-EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
+EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, long client_fd, const
         uint8_t *session_id, uint8_t sess_id_size)
 {
     printf("%s", unsupported_str);

ssl/tls1.h

@@ -76,8 +76,14 @@ extern "C" {
 #define IS_SET_SSL_FLAG(A)          (ssl->flag & A)
 
 #define MAX_KEY_BYTE_SIZE           512     /* for a 4096 bit key */
+/* On send, will send another SSL fragment if plaintext exceeds RT_MAX_PLAIN_LENGTH */
+#ifndef RT_MAX_PLAIN_LENGTH
 #define RT_MAX_PLAIN_LENGTH         16384
+#endif
+/* Total receive buffer is RT_MAX_PLAIN_LENGTH + RT_EXTRA */
+#ifndef RT_EXTRA
 #define RT_EXTRA                    1024
+#endif
 #define BM_RECORD_OFFSET            5
 
 #define NUM_PROTOCOLS               4
@@ -194,7 +200,7 @@ struct _SSL
     int16_t next_state;
     int16_t hs_status;
     DISPOSABLE_CTX *dc;         /* temporary data which we'll get rid of soon */
-    int client_fd;
+    long client_fd;
     const cipher_info_t *cipher_info;
     void *encrypt_ctx;
     void *decrypt_ctx;
@@ -211,7 +217,7 @@ struct _SSL
     uint16_t session_index;
     SSL_SESSION *session;
 #endif
-#ifdef CONFIG_SSL_CERT_VERIFICATION
+#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_ENABLE_CLIENT)
     X509_CTX *x509_ctx;
 #endif
 
@@ -256,7 +262,7 @@ typedef struct _SSL_CTX SSLCTX;
 
 extern const uint8_t ssl_prot_prefs[NUM_PROTOCOLS];
 
-SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd);
+SSL *ssl_new(SSL_CTX *ssl_ctx, long client_fd);
 void disposable_new(SSL *ssl);
 void disposable_free(SSL *ssl);
 int send_packet(SSL *ssl, uint8_t protocol, 
@@ -287,7 +293,7 @@ void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx);
 int do_client_connect(SSL *ssl);
 #endif
 
-#ifdef CONFIG_SSL_FULL_MODE
+#ifdef CONFIG_SSL_DIAGNOSTICS
 void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok);
 void DISPLAY_BYTES(SSL *ssl, const char *format, 
         const uint8_t *data, int size, ...);
@@ -307,9 +313,9 @@ void DISPLAY_BYTES(SSL *ssl, const char *format,/* win32 has no variadic macros
 #endif
 #endif
 
-#ifdef CONFIG_SSL_CERT_VERIFICATION
+//#ifdef CONFIG_SSL_CERT_VERIFICATION
 int process_certificate(SSL *ssl, X509_CTX **x509_ctx);
-#endif
+//#endif
 
 SSL_SESSION *ssl_session_update(int max_sessions, 
         SSL_SESSION *ssl_sessions[], SSL *ssl,

ssl/tls1_clnt.c

@@ -63,12 +63,13 @@ static int send_cert_verify(SSL *ssl);
 /*
  * Establish a new SSL connection to an SSL server.
  */
-EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
+EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, long client_fd, const
         uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext)
 {
     SSL *ssl = ssl_new(ssl_ctx, client_fd);
     ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */
 
+#ifndef CONFIG_SSL_SKELETON_MODE
     if (session_id && ssl_ctx->num_sessions)
     {
         if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */
@@ -81,6 +82,7 @@ EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
         ssl->sess_id_size = sess_id_size;
         SET_SSL_FLAG(SSL_SESSION_RESUME);   /* just flag for later */
     }
+#endif
 
     ssl->extensions = ssl_ext;
 
@@ -307,7 +309,9 @@ static int process_server_hello(SSL *ssl)
 {
     uint8_t *buf = ssl->bm_data;
     int pkt_size = ssl->bm_index;
+#ifndef CONFIG_SSL_SKELETON_MODE
     int num_sessions = ssl->ssl_ctx->num_sessions;
+#endif
     uint8_t sess_id_size;
     int offset, ret = SSL_OK;
 
@@ -320,7 +324,9 @@ static int process_server_hello(SSL *ssl)
     else if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
     {
         ret = SSL_ERROR_INVALID_VERSION;
+#ifdef CONFIG_SSL_DIAGNOSTICS
         ssl_display_error(ret);
+#endif
         goto error;
     }
 
@@ -337,6 +343,7 @@ static int process_server_hello(SSL *ssl)
         goto error;
     }
 
+#ifndef CONFIG_SSL_SKELETON_MODE
     if (num_sessions)
     {
         ssl->session = ssl_session_update(num_sessions,
@@ -350,6 +357,7 @@ static int process_server_hello(SSL *ssl)
                 SSL_SESSION_ID_SIZE-sess_id_size);
         }
     }
+#endif
 
     memcpy(ssl->session_id, &buf[offset], sess_id_size);
     ssl->sess_id_size = sess_id_size;

ssl/tls1_svr.c

@@ -27,13 +27,14 @@
  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
 #include "os_port.h"
 #include "ssl.h"
 
+#ifdef CONFIG_SSL_ENABLE_SERVER
+
 static const uint8_t g_hello_done[] = { HS_SERVER_HELLO_DONE, 0, 0, 0 };
 static const uint8_t g_asn1_sha256[] = 
 { 
@@ -54,14 +55,14 @@ static int process_cert_verify(SSL *ssl);
 /*
  * Establish a new SSL connection to an SSL client.
  */
-EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd)
+EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, long client_fd)
 {
     SSL *ssl;
 
     ssl = ssl_new(ssl_ctx, client_fd);
     ssl->next_state = HS_CLIENT_HELLO;
 
-#ifdef CONFIG_SSL_FULL_MODE
+#ifdef CONFIG_SSL_DIAGNOSTICS
     if (ssl_ctx->chain_length == 0)
         printf("Warning - no server certificate defined\n"); TTY_FLUSH();
 #endif
@@ -139,7 +140,9 @@ static int process_client_hello(SSL *ssl)
     else if (version < SSL_PROTOCOL_MIN_VERSION)  /* old version supported? */
     {
         ret = SSL_ERROR_INVALID_VERSION;
+#ifdef CONFIG_SSL_DIAGNOSTICS
         ssl_display_error(ret);
+#endif
         goto error;
     }
 
@@ -245,6 +248,7 @@ error:
 /*
  * Send the entire server hello sequence
  */
+#if CONFIG_SSL_ENABLE_SERVER
 static int send_server_hello_sequence(SSL *ssl)
 {
     int ret;
@@ -356,6 +360,7 @@ static int send_server_hello_done(SSL *ssl)
     return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, 
                             g_hello_done, sizeof(g_hello_done));
 }
+#endif
 
 /*
  * Pull apart a client key exchange message. Decrypt the pre-master key (using
@@ -524,3 +529,5 @@ error:
 }
 
 #endif
+
+#endif

ssl/x509.c

@@ -814,6 +814,7 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
 
     TTY_FLUSH();
 }
+#endif
 
 const char * x509_display_error(int error)
 {
@@ -856,5 +857,5 @@ const char * x509_display_error(int error)
             return "Unknown";
     }
 }
-#endif      /* CONFIG_SSL_FULL_MODE */
+//#endif      /* CONFIG_SSL_FULL_MODE */