Paul Bakker
c0463502ff
Fixed memory leak in ssl_free() and ssl_reset() for active session
2013-02-14 11:19:38 +01:00
Paul Bakker
c7a2da437e
Updated for PolarSSL 1.2.5
2013-02-02 19:23:57 +01:00
Paul Bakker
40865c8e5d
Added sending of alert messages in case of decryption failures as per RFC
...
The flag POLARSSL_SSL_ALERT_MESSAGES switched between enabling and
disabling the sending of alert messages that give adversaries intel
about the result of their action. PolarSSL can still communicate with
other parties if they are disabled, but debugging of issues might be
harder.
2013-02-02 19:04:13 +01:00
Paul Bakker
d66f070d49
Disable debug messages that can introduce a timing side channel.
...
Introduced the POLARSSL_SSL_DEBUG_ALL flag to enable all these debug
messages in case somebody does want to see the reason checks fail.
2013-02-02 19:04:13 +01:00
Paul Bakker
4582999be6
Fixed timing difference resulting from badly formatted padding.
2013-02-02 19:04:13 +01:00
Paul Bakker
8fe40dcd7d
Allow enabling of dummy error_strerror() to support some use-cases
...
Enable a dummy error function to make use of error_strerror() in
third party libraries easier.
Disable if you run into name conflicts and want to really remove the
error_strerror()
2013-02-02 12:43:08 +01:00
Paul Bakker
14c56a3378
Updated for PolarSSL 1.2.4
2013-01-25 17:11:37 +01:00
Paul Bakker
9d2bb658fc
Added PolarSSL 1.1.5 ChangeLog from 1.1 branch
2013-01-25 16:07:49 +01:00
Paul Bakker
1961b709d8
Added ssl_handshake_step() to allow single stepping the handshake
...
process
Single stepping the handshake process allows for better support of
non-blocking network stacks and for getting information from specific
handshake messages if wanted.
2013-01-25 14:49:24 +01:00
Paul Bakker
9c94cddeae
Correctly handle CertificateRequest with empty DN list in <= TLS 1.1
2013-01-22 14:21:49 +01:00
Paul Bakker
21dca69ef0
Handle future version properly in ssl_write_certificate_request()
2013-01-03 11:41:08 +01:00
Paul Bakker
40628bad98
Memory leak when using RSA_PKCS_V21 operations fixed
2013-01-03 10:50:31 +01:00
Paul Bakker
fb1ba781b3
Updated for release 1.2.3
2012-11-26 16:28:25 +01:00
Paul Bakker
df5069cb97
Updated for 1.2.2 release
2012-11-24 12:20:19 +01:00
Paul Bakker
7c90da9e75
Amended ChangeLog for client authentication fix
2012-11-23 14:02:40 +01:00
Paul Bakker
e667c98fb1
Added p_hw_data to ssl_context for context specific hardware acceleration data
2012-11-20 13:50:22 +01:00
Paul Bakker
1492633e54
Updated date for release
2012-11-20 10:58:09 +01:00
Manuel Pégourié-Gonnard
e44ec108be
Fixed segfault in mpi_shift_r()
...
Fixed memory leak in test_suite_mpi
Amended ChangeLog
2012-11-18 23:15:02 +01:00
Paul Bakker
34d8dbcc6d
- Depth that the certificate verify callback receives is now numbered bottom-up (Peer cert depth is 0)
2012-11-14 12:11:38 +00:00
Paul Bakker
b815682a48
- Updated Changelog for 1.2.1
2012-11-13 12:52:17 +00:00
Paul Bakker
9daf0d0651
- Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
2012-11-13 12:13:27 +00:00
Paul Bakker
f02c5642d0
- Allow R and A to point to same mpi in mpi_div_mpi
2012-11-13 10:25:21 +00:00
Paul Bakker
d9374b05d6
- Moved mpi_inv_mod() outside POLARSSL_GENPRIME
2012-11-02 11:02:58 +00:00
Paul Bakker
7a2538ee38
- Fixes for MSVC6
2012-11-02 10:59:36 +00:00
Paul Bakker
c9c5df98de
- Updated for PolarSSL 1.2.0
2012-10-31 13:55:27 +00:00
Paul Bakker
645ce3a2b4
- Moved ciphersuite naming scheme to IANA reserved names
2012-10-31 12:32:41 +00:00
Paul Bakker
4f024b7ba9
- Fixed for SPARC64
2012-10-30 07:29:57 +00:00
Paul Bakker
d5834bb394
- Added release text for 1.1.4 to ChangeLog
2012-10-02 14:38:56 +00:00
Paul Bakker
5c2364c2ba
- Moved from unsigned long to uint32_t throughout code
2012-10-01 14:41:15 +00:00
Paul Bakker
1d29fb5e33
- Added option to add minimum accepted SSL/TLS protocol version
2012-09-28 13:28:45 +00:00
Paul Bakker
915275ba78
- Revamped x509_verify() and the SSL f_vrfy callback implementations
2012-09-28 07:10:55 +00:00
Paul Bakker
5701cdcd02
- Added ServerName extension parsing (SNI) at server side
2012-09-27 21:49:42 +00:00
Paul Bakker
eb2c658163
- Generalized external private key implementation handling (like PKCS#11) in SSL/TLS
2012-09-27 19:15:01 +00:00
Paul Bakker
0a59707523
- Added simple SSL session cache implementation
...
- Revamped session resumption handling
2012-09-25 21:55:46 +00:00
Paul Bakker
b00ca42f2a
- Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
2012-09-25 12:10:00 +00:00
Paul Bakker
29b64761fd
- Added predefined DHM groups from RFC 5114
2012-09-25 09:36:44 +00:00
Paul Bakker
995a215eac
- Added credits
2012-09-25 08:19:56 +00:00
Paul Bakker
d4c2bd79fe
- Added bug
2012-09-16 21:35:30 +00:00
Paul Bakker
48916f9b67
- Added Secure Renegotiation (RFC 5746)
2012-09-16 19:57:18 +00:00
Paul Bakker
ec636f3bdd
- Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
2012-09-09 19:17:02 +00:00
Paul Bakker
f518b16f97
- Added PKCS#5 PBKDF2 key derivation function
2012-08-23 13:03:18 +00:00
Paul Bakker
535e97dbab
- Better checking for reading over buffer boundaries
...
- Zeroize altSubjectName chain memory before use
2012-08-23 10:49:55 +00:00
Paul Bakker
3c16db9a10
- Fixed potential memory zeroization on miscrafted RSA key
2012-07-05 13:58:08 +00:00
Paul Bakker
6132d0aa93
- Added Blowfish to generic cipher layer
...
- Renamed POLARSSL_MODE_CFB128 to POLARSSL_MODE_CFB
2012-07-04 17:10:40 +00:00
Paul Bakker
a9379c0ed1
- Added base blowfish algorithm
2012-07-04 11:02:11 +00:00
Paul Bakker
2770fbd651
- Added DEFLATE compression support as per RFC3749 (requires zlib)
2012-07-03 13:30:23 +00:00
Paul Bakker
4f9a7bb7fd
- Added Thumb assembly optimizations
2012-07-02 08:36:36 +00:00
Paul Bakker
cefb396a77
- Handle empty certificate subject names
2012-06-27 11:51:09 +00:00
Paul Bakker
8d914583f3
- Added X509 CA Path support
2012-06-04 12:46:42 +00:00
Paul Bakker
e6ee41f932
- Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and example application (programs/ssl/o_p_test) (Requires OpenSSL)
...
- Handle encryption with private key and decryption with public key as per RFC 2313
2012-05-19 08:43:48 +00:00
Paul Bakker
f6198c1513
- mpi_exp_mod() now correctly handles negative base numbers (Closes ticket #52 )
2012-05-16 08:02:29 +00:00
Paul Bakker
5b37784f6d
- Updated with tickets
2012-05-16 07:57:36 +00:00
Paul Bakker
4d2c1243b1
- Changed certificate verify behaviour to comply with RFC 6125 section 6.3 to not match CN if subjectAltName extension is present.
2012-05-10 14:12:46 +00:00
Paul Bakker
186751d9dd
- Moved out_msg to out_hdr + 32 to support hardware acceleration
2012-05-08 13:16:14 +00:00
Paul Bakker
6b906e5095
- Const correctness mpi_get_bit()
...
- Documentation mpi_lsb(), mpi_msb()
2012-05-08 12:01:43 +00:00
Paul Bakker
05ef835b6a
- Added support for Hardware Acceleration hooking in SSL/TLS
2012-05-08 09:17:57 +00:00
Paul Bakker
fad3893ead
- Added release notes for 1.1.2 and 1.1.3 to trunk
2012-05-08 09:04:04 +00:00
Paul Bakker
01cc394848
- Added commandline error code convertor (util/strerror)
2012-05-08 08:36:15 +00:00
Paul Bakker
430ffbe564
- Fixed potential heap corruption in x509_name allocation
2012-05-01 08:14:20 +00:00
Paul Bakker
4cf2b7f8bf
- Added name
2012-04-20 13:59:39 +00:00
Paul Bakker
84bef1db2c
- Fixed DHM length to correct one
2012-04-20 13:42:02 +00:00
Paul Bakker
ca4ab49158
- Added GCM ciphersuites to TLS implementation
2012-04-18 14:23:57 +00:00
Paul Bakker
915940ef80
- Added TLS1.2
2012-04-18 14:21:32 +00:00
Paul Bakker
452d532955
- Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST)
2012-04-05 12:07:34 +00:00
Paul Bakker
7beceb2e2b
2012-03-22 14:19:49 +00:00
Paul Bakker
37824581b7
- Added Changelog for bugfix in mpi_cmp_mpi()
2012-03-22 14:10:22 +00:00
Paul Bakker
89e80c9a43
- Added base Galois/Counter mode (GCM) for AES
2012-03-20 13:50:09 +00:00
Paul Bakker
bdb912db69
- Added preliminary ASN.1 buffer writing support
...
- Added preliminary X509 Certificate Request writing support
- Added key_app_writer example application
- Added cert_req example application
2012-02-13 23:11:30 +00:00
Paul Bakker
048d04ef4b
- AES code only check for Padlock once
2012-02-12 17:31:04 +00:00
Paul Bakker
1504af585c
- Removed redundant POLARSSL_DEBUG_MSG define
2012-02-11 16:17:43 +00:00
Paul Bakker
a8cd239d6b
- Added support for wildcard certificates
...
- Added support for multi-domain certificates through the X509 Subject Alternative Name extension
2012-02-11 16:09:32 +00:00
Paul Bakker
fab5c829e7
- Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by default!
2012-02-06 16:45:10 +00:00
Paul Bakker
99955bf86a
- Final changes for 1.1.1 release
2012-01-23 09:31:41 +00:00
Paul Bakker
2ec0a56649
- Fixed issue with Intel compiler on 64-bit platforms
2012-01-21 05:41:23 +00:00
Paul Bakker
b15b851d6d
- Check for failed malloc() in ssl_set_hostname() and x509_get_entries() (Closes ticket #47 , found by Hugo Leisink)
2012-01-13 13:44:06 +00:00
Paul Bakker
08a508838c
- Updated release date
2011-12-22 09:43:57 +00:00
Paul Bakker
a42b3e916d
- Fixed top line for version
2011-12-11 11:48:51 +00:00
Paul Bakker
69e095cc15
- Changed the behaviour of x509parse_parse_crt for permissive parsing. Now returns the number of 'failed certificates' instead of having a switch to enable it.
...
- As a consequence all error code that were positive were changed. A lot of MALLOC_FAILED and FILE_IO_ERROR error codes added for different modules.
- Programs and tests were adapted accordingly
2011-12-10 21:55:01 +00:00
Paul Bakker
c50132d4fa
- Updated version of PolarSSL to 1.1.0
2011-12-05 14:38:36 +00:00
Paul Bakker
c8ffbe7706
- Corrected removal of leading '00:' in printing serial numbers in certificates and CRLs
2011-12-05 14:22:49 +00:00
Paul Bakker
4f5ae803fa
- Fixed MS Visual C++ name clash with int64 in sha4.h
2011-12-04 22:10:28 +00:00
Paul Bakker
508ad5ab6d
- Moved all examples programs to use the new entropy and CTR_DRBG
2011-12-04 17:09:26 +00:00
Paul Bakker
6c0ceb3f9a
- Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error
2011-12-04 12:24:18 +00:00
Paul Bakker
6083fd252d
- Added a generic entropy accumulator that provides support for adding custom entropy sources and added some generic and platform dependent entropy sources
2011-12-03 21:45:14 +00:00
Paul Bakker
a3d195c41f
- Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs
2011-11-27 21:07:34 +00:00
Paul Bakker
0e04d0e9a3
- Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
2011-11-27 14:46:59 +00:00
Paul Bakker
4463740fe4
- Improved build support for s390x and sparc64 in bignum.h
2011-11-26 09:23:07 +00:00
Paul Bakker
03c7c25243
- * If certificate serial is longer than 32 octets, serial number is now appended with '....' after first 28 octets
2011-11-25 12:37:37 +00:00
Paul Bakker
fe3256e54b
- Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size management (Closes ticket #44 )
2011-11-25 12:11:43 +00:00
Paul Bakker
b6d5f08051
- Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory trade-off
2011-11-25 11:52:11 +00:00
Paul Bakker
2e6d5328d5
- Added credits!
2011-11-18 14:34:17 +00:00
Paul Bakker
cce9d77745
- Lots of minimal changes to better support WINCE as a build target
2011-11-18 14:26:47 +00:00
Paul Bakker
5e18aed436
- Changed the defined key-length of DES ciphers in cipher.h to include the parity bits, to prevent mistakes in copying data. (Closes ticket #33 )
2011-11-15 15:38:45 +00:00
Paul Bakker
1fe7d9baf9
- Fixed incorrect behaviour in case of RSASSA-PSS with a salt length smaller than the hash length. (Closes ticket #41 )
2011-11-15 15:26:03 +00:00
Paul Bakker
cebdf17159
- Allowed X509 key usage parsing to accept 4 byte values instead of the standard 1 byte version sometimes used by Microsoft. (Closes ticket #38 )
2011-11-11 15:01:31 +00:00
Paul Bakker
03a30d34dc
- Added latest fix to ChangeLog
2011-11-11 10:55:02 +00:00
Paul Bakker
efc302964c
- Extracted ASN.1 parsing code from the X.509 parsing code. Added new module.
2011-11-10 14:43:23 +00:00
Paul Bakker
b5a11ab80b
- Added a separate CRL entry extension parsing function
2011-10-12 09:58:41 +00:00
Paul Bakker
fbc09f3cb6
- Added an EXPLICIT tag number parameter to x509_get_ext()
2011-10-12 09:56:41 +00:00
Paul Bakker
3329d1f805
- Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag before version numbers
2011-10-12 09:55:01 +00:00
Paul Bakker
c4909d95f1
- Inceased maximum size of ASN1 length reads to 32-bits
2011-10-12 09:52:22 +00:00
Paul Bakker
fa1c592860
- Fixed faulty HMAC-MD2 implementation (Fixes ticket #37 )
2011-10-06 14:18:49 +00:00
Paul Bakker
d246ed30bd
- Fixed rsa_encrypt and rsa_decrypt example programs to use public key for encryption and private key for decryption (Fixes ticket #34 )
2011-10-06 13:18:27 +00:00
Paul Bakker
ca6f3e24a4
- Clarified use of AES and Camellia in CFB and CTR modes
2011-10-06 13:11:08 +00:00
Paul Bakker
490ecc8c3e
- Added ssl_set_max_version() to set the client's maximum sent version number
2011-10-06 13:04:09 +00:00
Paul Bakker
7eb013face
- Added ssl_session_reset() to allow re-use of already set non-connection specific context information
2011-10-06 12:37:39 +00:00
Paul Bakker
7bc05ff4a6
- Added rsa_encrypt and rsa_decrypt example programs
2011-08-09 10:30:36 +00:00
Paul Bakker
968bc9831b
- Preparations for v1.0.0 release of PolarSSL
2011-07-27 17:03:00 +00:00
Paul Bakker
42e5981c26
- Updated to reflect changes in error codes in the generic cipher and message digest layers
2011-06-09 15:55:41 +00:00
Paul Bakker
343a870daa
- Expanded generic cipher layer with support for CTR and CFB128 modes of operation.
2011-06-09 14:27:58 +00:00
Paul Bakker
887bd502d2
- Undid fix for ssl_write that introduced a true bug when buffers are running full.
2011-06-08 13:10:54 +00:00
Paul Bakker
828acb2234
- Updated for release 0.99-pre5
2011-05-27 09:25:42 +00:00
Paul Bakker
1496d38028
- Added the ssl_mail_client example application
2011-05-23 12:07:29 +00:00
Paul Bakker
2f5947e1f6
- Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter functions.
2011-05-18 15:47:11 +00:00
Paul Bakker
831a755d9e
- Changed behaviour of net_recv(), ssl_fetch_input() and ssl_read(). net_recv() now returns 0 on EOF instead of POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function. ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received after the handshake.
...
- Network functions now return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous POLARSSL_ERR_NET_TRY_AGAIN
2011-05-18 13:32:51 +00:00
Paul Bakker
9d781407bc
- A error_strerror function() has been added to translate between error codes and their description.
...
- The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative.
- Descriptions to all error codes have been added.
- Generation script for error.c has been created to automatically generate error.c from the available error definitions in the headers.
2011-05-09 16:17:09 +00:00
Paul Bakker
6c591fab72
- mpi_init() and mpi_free() only accept a single argument and do not accept variable arguments anymore. This prevents unexpected memory corruption in a number of use cases.
2011-05-05 11:49:20 +00:00
Paul Bakker
335db3f121
- Functions requiring File System functions can now be disables by undefining POLARSSL_FS_IO
2011-04-25 15:28:35 +00:00
Paul Bakker
a755ca1bbe
- Renamed t_s_int, t_int and t_dbl to respectively t_sint, t_uint and t_udbl for clarity
2011-04-24 09:11:17 +00:00
Paul Bakker
23986e5d5d
- Major type rewrite of int to size_t for most variables and arguments used for buffer lengths and loops
2011-04-24 08:57:21 +00:00
Paul Bakker
b6ecaf5276
- Added additional (configurable) cipher block modes. AES-CTR, Camellia-CTR, XTEA-CBC
2011-04-19 14:29:23 +00:00
Paul Bakker
3efa575ff2
- Ready for release 0.99-pre4
2011-04-01 12:23:26 +00:00
Paul Bakker
287781a965
- Added mpi_fill_random() for centralized filling of big numbers with random data (Fixed ticket #10 )
2011-03-26 13:18:49 +00:00
Paul Bakker
98675496e1
- Added information about changed behaviour of x509parse_key()
2011-03-26 13:17:12 +00:00
Paul Bakker
e77db2e119
- Added bugfix info for previous checkin
2011-03-25 14:01:32 +00:00
Paul Bakker
1fd00bfe82
- Fixed bug in ssl_write() when flushing old data (Fixes ticket #18 )
2011-03-14 20:50:15 +00:00
Paul Bakker
be4e7dca08
- Debug print of MPI now removes leading zero octets and displays actual bit size of the value
2011-03-14 20:41:31 +00:00
Paul Bakker
9dcc32236b
- Added support for PKCS#1 v2.1 encoding and thus support for the RSAES-OAEP and RSASSA-PSS operations (enabled by POLARSSL_PKCS1_V21)
2011-03-08 14:16:06 +00:00
Paul Bakker
345a6fee91
- Replaced function that fixes man-in-the-middle attack
...
- Added message to indicate inclusion of man-in-the-middle attack (Reported by Larry Highsmith, Subreption LLC)
- Released version 0.99-pre3
2011-02-28 21:20:02 +00:00
Paul Bakker
1946e42dd4
- Made ready for 0.99-pre2 release
2011-02-25 09:39:39 +00:00
Paul Bakker
e2a39cc0fa
- Do not bail out if no client certificate specified. Try to negotiate anonymous connection (Fixes ticket #12 )
2011-02-20 13:49:27 +00:00
Paul Bakker
400ff6f0fd
- Corrected parsing of UTCTime dates before 1990 and after 1950
...
- Support more exotic OID's when parsing certificates
- Support more exotic name representations when parsing certificates
- Replaced the expired test certificates
2011-02-20 10:40:16 +00:00
Paul Bakker
a9507c063b
- Added crl_app program to allow easy reading and printing of X509 CRLs from file
2011-02-12 15:27:28 +00:00
Paul Bakker
96743fc5f5
- Parsing of PEM files moved to separate module (Fixes ticket #13 ). Also possible to remove PEM support for systems only using DER encoding
...
- Parsing PEM private keys encrypted with DES and AES are now supported (Fixes ticket #5 )
- Added tests for encrypted keyfiles
2011-02-12 14:30:57 +00:00
Paul Bakker
9fc4659b30
- Preparing for Release of 0.99 prerelease 1
2011-01-30 16:59:02 +00:00
Paul Bakker
e3166ce040
- Renamed ciphers member of ssl_context and cipher member of ssl_session to ciphersuites and ciphersuite respectively. This clarifies the difference with the generic cipher layer and is better naming altogether
...
- Adapted in the rest of using code as well
2011-01-27 17:40:50 +00:00
Paul Bakker
20a7808d13
- Addec crypt_and_hash example program of the generic hash and cipher layers
2011-01-21 09:32:12 +00:00
Paul Bakker
43b7e35b25
- Support for PKCS#11 through the use of the pkcs11-helper library
2011-01-18 15:27:19 +00:00
Paul Bakker
b619499eb3
- x509parse_time_expired() checks time now in addition to the existing date check
2011-01-16 21:40:22 +00:00
Paul Bakker
72f6266f02
- Improved information provided about current Hashing, Cipher and Suite capabilities
2011-01-16 21:27:44 +00:00
Paul Bakker
76fd75a3de
- Improved certificate validation and validation against the available CRLs
2011-01-16 21:12:10 +00:00
Paul Bakker
43ca69c38a
- Added function for stringified SSL/TLS version
2011-01-15 17:35:19 +00:00
Paul Bakker
1f87fb6896
- Support for DES weak keys and parity bits added
2011-01-15 17:32:24 +00:00
Paul Bakker
74111d30b7
- Improved X509 certificate parsing to include extended certificate fields, such as Key Usage
2011-01-15 16:57:55 +00:00
Paul Bakker
b63b0afc05
- Added verification callback in certificate verification chain in order to allow external blacklisting
2011-01-13 17:54:59 +00:00
Paul Bakker
1b57b06751
- Added reading of DHM context from memory and file
2011-01-06 15:48:19 +00:00
Paul Bakker
8123e9d8f1
- Added generic cipher wrapper for integration with OpenVPN (donated by Fox-IT)
2011-01-06 15:37:30 +00:00
Paul Bakker
1737385e04
- Added generic message digest wrapper for integration with OpenVPN (donated by Fox-IT)
2011-01-06 14:20:01 +00:00
Paul Bakker
37ca75d6f2
- Added Doxygen source code documentation parts (donated by Fox-IT)
2011-01-06 12:28:03 +00:00
Paul Bakker
99ed6788b2
- Changed line endings and encodings to unix and utf-8
2011-01-05 14:48:42 +00:00