Manuel Pégourié-Gonnard
56d985d0a6
Merge branch 'session-hash' into dtls
...
* session-hash:
Update Changelog for session-hash
Make session-hash depend on TLS versions
Forbid extended master secret with SSLv3
compat.sh: allow git version of gnutls
compat.sh: make options a bit more robust
Implement extended master secret
Add negotiation of Extended Master Secret
Conflicts:
include/polarssl/check_config.h
programs/ssl/ssl_server2.c
2014-11-06 01:25:09 +01:00
Manuel Pégourié-Gonnard
fedba98ede
Merge branch 'fb-scsv' into dtls
...
* fb-scsv:
Update Changelog for FALLBACK_SCSV
Implement FALLBACK_SCSV server-side
Implement FALLBACK_SCSV client-side
2014-11-05 16:12:09 +01:00
Manuel Pégourié-Gonnard
699cafaea2
Implement initial negotiation of EtM
...
Not implemented yet:
- actually using EtM
- conditions on renegotiation
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
1cbd39dbeb
Implement FALLBACK_SCSV client-side
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
367381fddd
Add negotiation of Extended Master Secret
...
(But not the actual thing yet.)
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
9b35f18f66
Add ssl_get_record_expansion()
2014-10-21 16:32:55 +02:00
Manuel Pégourié-Gonnard
e63582a166
Add dlts_client.c and dtls_server.c
2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard
dc6a75a952
ERR_NET_CONN_RESET can't happen with UDP
2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard
2d87e419e0
Adapt ssl_{client,server}2.c to datagram write
2014-10-21 16:32:53 +02:00
Manuel Pégourié-Gonnard
994f8b554f
Ok for close_notify to fail
2014-10-21 16:32:52 +02:00
Manuel Pégourié-Gonnard
85beb30b11
Add test for resumption with non-blocking I/O
2014-10-21 16:32:48 +02:00
Manuel Pégourié-Gonnard
f1e0df3ccd
Allow ssl_client2 to resend on read timeout
2014-10-21 16:32:46 +02:00
Manuel Pégourié-Gonnard
6b65141718
Implement ssl_read() timeout (DTLS only for now)
2014-10-21 16:32:46 +02:00
Manuel Pégourié-Gonnard
d823bd0a04
Add handshake_timeout option to test server/client
2014-10-21 16:32:44 +02:00
Manuel Pégourié-Gonnard
f03651217c
Adapt programs to use nbio with DTLS
2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard
484b8f9ed8
Fix bug in ssl_client2 reconnect option
2014-10-21 16:32:32 +02:00
Manuel Pégourié-Gonnard
a014829024
Use ssl_set_bio_timeout() in test client/server
2014-10-21 16:32:27 +02:00
Manuel Pégourié-Gonnard
ae5050c212
Start adapting ssl_client2 to datagram I/O
2014-10-21 16:30:11 +02:00
Manuel Pégourié-Gonnard
798f15a500
Fix version adjustments with force_ciphersuite
2014-10-21 16:30:10 +02:00
Manuel Pégourié-Gonnard
fe3f73bdeb
Allow force_version to select DTLS
2014-10-21 16:30:10 +02:00
Manuel Pégourié-Gonnard
8a06d9c5d6
Actually use UDP for DTLS in test client/server
2014-10-21 16:30:09 +02:00
Manuel Pégourié-Gonnard
f5a1312eaa
Add UDP support to the NET module
2014-10-21 16:30:09 +02:00
Manuel Pégourié-Gonnard
83218f1da1
Add dtls version aliases to test serv/cli
2014-10-21 16:30:05 +02:00
Manuel Pégourié-Gonnard
864a81fdc0
More ssl_set_XXX() functions can return BAD_INPUT
2014-10-21 16:30:04 +02:00
Manuel Pégourié-Gonnard
e29fd4beaf
Add a dtls option to test server and client
2014-10-21 16:30:03 +02:00
Manuel Pégourié-Gonnard
f138874811
Properly send close_notify in ssl_client2
2014-08-19 16:14:36 +02:00
Manuel Pégourié-Gonnard
a8c0a0dbd0
Add "exchanges" option to test server and client
...
Goal is to test renegotiation better: we need more than one exchange for
server-initiated renego to work reliably (the previous hack for this wouldn't
work with non-blocking I/O and probably not with DTLS either).
Also check message termination in a semi-realistic way.
2014-08-19 13:26:05 +02:00
Manuel Pégourié-Gonnard
e08660e612
Fix ssl_read() and close_notify error handling in programs
2014-08-19 10:34:37 +02:00
Manuel Pégourié-Gonnard
dcab293bd4
Get rid of SERVERQUIT code in ssl_{client,server}2
2014-08-14 18:33:00 +02:00
Paul Bakker
a317a98221
Adapt programs / test suites
2014-07-09 10:19:24 +02:00
Manuel Pégourié-Gonnard
c5fd391e04
Check return value of ssl_set_xxx() in programs
2014-07-08 14:20:26 +02:00
Manuel Pégourié-Gonnard
481fcfde93
Make PSK_LEN configurable and adjust PMS size
2014-07-04 14:59:08 +02:00
Paul Bakker
2a45d1c8bb
Merge changes to config examples and configuration issues
2014-06-25 11:27:00 +02:00
Manuel Pégourié-Gonnard
dea29c51fd
Extend request_size to small sizes in ssl_client2
2014-06-25 11:26:11 +02:00
Manuel Pégourié-Gonnard
8a4d571af8
Fix warnings in no-SSL configs
2014-06-24 14:19:59 +02:00
Manuel Pégourié-Gonnard
8de259b953
Minor code simplification in ssl programs
2014-06-11 18:35:33 +02:00
Paul Bakker
525f87559f
Cast alpn_list to void * to prevent MSVC compiler warnings
2014-05-01 10:59:27 +02:00
Manuel Pégourié-Gonnard
cef4ad2509
Adapt sources to configurable config.h name
2014-04-30 16:40:20 +02:00
Paul Bakker
c73079a78c
Add debug_set_threshold() and thresholding of messages
2014-04-25 16:58:16 +02:00
Paul Bakker
93c32b21b3
Allow ssl_client to pad request to SSL_MAX_CONTENT_LEN
2014-04-25 16:58:12 +02:00
Manuel Pégourié-Gonnard
1bd2281260
Add an alpn option to ssl_client2 and ssl_server2
2014-04-05 14:51:42 +02:00
Manuel Pégourié-Gonnard
6b0d268bc9
Add ssl_close_notify() to servers that missed it
2014-03-31 11:28:11 +02:00
Manuel Pégourié-Gonnard
00d538f8f9
Disable renegotiation by default in example cli/srv
2014-03-31 11:03:06 +02:00
Paul Bakker
a4b0343edf
Merged massive SSL Testing improvements
2014-03-14 16:30:36 +01:00
Manuel Pégourié-Gonnard
84fd6877c6
Use ssl_client2 to terminate ssl_server2
2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard
5b2d776d2a
GnuTLS in compat.sh: server-side
2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard
3e1b178ba2
Add options for no certificates in test srv/cli
2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard
5575316385
Add options for non-blocking I/O in test cli & srv
2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard
0d8780b2cd
Add a server_adrr option to ssl_client2
2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard
c55a5b7d6f
Add tests for cache timeout
2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
780d671f9d
Add tests for renegotiation
2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
2fc243d06a
Rearrange help messages of example cli/srv
2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard
fcf2fc2960
Make auth_mode=required the default in ssl_client2
2014-03-13 19:25:07 +01:00
Manuel Pégourié-Gonnard
c580a00e3c
Print protocol version in example cli/srv
2014-02-12 10:15:30 +01:00
Manuel Pégourié-Gonnard
9c1e1898b6
Move some code around, improve documentation
2013-10-30 16:48:09 +01:00
Manuel Pégourié-Gonnard
53b3e0603b
Add code for testing client-initiated renegotiation
2013-10-30 16:46:46 +01:00
Manuel Pégourié-Gonnard
8a3c64d73f
Fix and simplify *-PSK ifdef's
2013-10-14 19:54:10 +02:00
Manuel Pégourié-Gonnard
1b62c7f93d
Fix dependencies and related issues
2013-10-14 14:02:19 +02:00
Paul Bakker
1ffefaca1e
Introduced entropy_free()
2013-09-29 15:01:42 +02:00
Manuel Pégourié-Gonnard
641de714b6
Use both RSA and ECDSA CA if available
2013-09-25 13:23:33 +02:00
Manuel Pégourié-Gonnard
abd6e02b7b
Rm _CRT_SECURE_NO_DEPRECATE for programs
...
(Already in config.h.)
2013-09-20 16:51:13 +02:00
Paul Bakker
c559c7a680
Renamed x509_cert structure to x509_crt for consistency
2013-09-18 14:32:52 +02:00
Paul Bakker
ddf26b4e38
Renamed x509parse_* functions to new form
...
e.g. x509parse_crtfile -> x509_crt_parse_file
2013-09-18 13:46:23 +02:00
Paul Bakker
369d2eb2a2
Introduced x509_crt_init(), x509_crl_init() and x509_csr_init()
2013-09-18 12:01:43 +02:00
Paul Bakker
36713e8ed9
Fixed bunch of X509_PARSE related defines / dependencies
2013-09-17 13:25:29 +02:00
Paul Bakker
1a7550ac67
Moved PK key parsing from X509 module to PK module
2013-09-15 13:47:30 +02:00
Manuel Pégourié-Gonnard
e8ea0c0421
Fix exit value on SERVERQUIT
2013-09-08 20:08:24 +02:00
Paul Bakker
577e006c2f
Merged ECDSA-based key-exchange and ciphersuites into development
...
Conflicts:
include/polarssl/config.h
library/ssl_cli.c
library/ssl_srv.c
library/ssl_tls.c
2013-08-28 11:58:40 +02:00
Manuel Pégourié-Gonnard
ac75523593
Adapt ssl_set_own_cert() to generic keys
2013-08-27 22:21:20 +02:00
Paul Bakker
0be444a8b1
Ability to disable server_name extension (RFC 6066)
2013-08-27 21:55:01 +02:00
Manuel Pégourié-Gonnard
38d1eba3b5
Move verify_result from ssl_context to session
2013-08-26 14:26:02 +02:00
Paul Bakker
1f2bc6238b
Made support for the truncated_hmac extension configurable
2013-08-15 13:45:55 +02:00
Paul Bakker
05decb24c3
Made support for the max_fragment_length extension configurable
2013-08-15 13:33:48 +02:00
Paul Bakker
a503a63b85
Made session tickets support configurable from config.h
2013-08-14 14:26:03 +02:00
Manuel Pégourié-Gonnard
aa0d4d1aff
Add ssl_set_session_tickets()
2013-08-14 14:08:06 +02:00
Manuel Pégourié-Gonnard
06650f6a37
Fix reusing session more than once
2013-08-14 14:08:06 +02:00
Manuel Pégourié-Gonnard
cf2e97eae2
ssl_client2: allow reconnecting twice
2013-08-14 14:08:06 +02:00
Manuel Pégourié-Gonnard
aaa1eab55a
Add an option to reconnect in ssl_client2
...
Purpose: test resuming sessions.
2013-08-14 14:08:04 +02:00
Paul Bakker
66c4810ffe
Better handling of ciphersuite version range and forced version in
...
ssl_client2
2013-07-26 14:05:32 +02:00
Paul Bakker
6c85279719
Newline fixes in help text for ssl_client2 / ssl_server2
2013-07-26 14:02:13 +02:00
Paul Bakker
dbd79ca617
ssl_client2 and ssl_server2 now exit with 1 on errors (shell
...
limitations)
2013-07-24 16:28:35 +02:00
Paul Bakker
8c1ede655f
Changed prototype for ssl_set_truncated_hmac() to allow disabling
2013-07-19 14:51:47 +02:00
Manuel Pégourié-Gonnard
e980a994f0
Add interface for truncated hmac
2013-07-19 14:51:47 +02:00
Manuel Pégourié-Gonnard
e048b67d0a
Misc minor fixes
...
- avoid "multi-line comment" warning in ssl_client2.c
- rm useless initialisation of mfl_code in ssl_init()
- const-correctness of ssl_parse_*_ext()
- a code formating issue
2013-07-19 12:56:08 +02:00
Manuel Pégourié-Gonnard
0c017a55e0
Add max_frag_len option in ssl_server2
...
Also reformat code and output more information in ssl_client2
2013-07-18 14:07:36 +02:00
Manuel Pégourié-Gonnard
787b658bb3
Implement max_frag_len write restriction
2013-07-18 11:18:14 +02:00
Manuel Pégourié-Gonnard
0df6b1f068
ssl_client2: add max_frag_len option
2013-07-18 11:18:13 +02:00
Manuel Pégourié-Gonnard
ba4878aa64
Rename x509parse_key & co with _rsa suffix
2013-07-08 15:31:18 +02:00
Paul Bakker
03a8a79516
Programs adapted to use polarssl_strerror() instead of error_strerror()
2013-06-30 12:18:08 +02:00
Paul Bakker
c1516be99d
ssl_server2 and ssl_client2 adapted to support maximum protocol version
2013-06-29 18:35:41 +02:00
Paul Bakker
3c5ef71322
Cleanup up non-prototyped functions (static) and const-correctness in programs
2013-06-25 16:37:45 +02:00
Paul Bakker
ef3f8c747e
Fixed const correctness issues in programs and tests
...
(cherry picked from commit e0225e4d7f
)
Conflicts:
programs/ssl/ssl_client2.c
programs/ssl/ssl_server2.c
programs/test/ssl_test.c
programs/x509/cert_app.c
2013-06-24 19:09:24 +02:00
Paul Bakker
bcbe2d8d81
Prettier printing of the lists for longer ciphersuite names
2013-04-19 09:10:20 +02:00
Paul Bakker
ed27a041e4
More granular define selections within code to allow for smaller code
...
sizes
2013-04-18 23:12:34 +02:00
Paul Bakker
d4a56ec6bf
Added pre-shared key handling for the client side of SSL / TLS
...
Client side handling of the pure PSK ciphersuites is now in the base
code.
2013-04-18 23:12:33 +02:00
Paul Bakker
91ebfb5272
Made auth_mode as an command line option
2012-11-23 14:04:08 +01:00
Paul Bakker
1f9d02dc90
Added more notes / comments on own_cert, trust_ca purposes
2012-11-20 10:30:55 +01:00
Paul Bakker
645ce3a2b4
- Moved ciphersuite naming scheme to IANA reserved names
2012-10-31 12:32:41 +00:00
Paul Bakker
b0550d90c9
- Added ssl_get_peer_cert() to SSL API
2012-10-30 07:51:03 +00:00
Paul Bakker
1d29fb5e33
- Added option to add minimum accepted SSL/TLS protocol version
2012-09-28 13:28:45 +00:00
Paul Bakker
915275ba78
- Revamped x509_verify() and the SSL f_vrfy callback implementations
2012-09-28 07:10:55 +00:00
Paul Bakker
0a59707523
- Added simple SSL session cache implementation
...
- Revamped session resumption handling
2012-09-25 21:55:46 +00:00
Paul Bakker
d0f6fa7bdc
- Sending of handshake_failures during renegotiation added
...
- Handle two legacy modes differently: SSL_LEGACY_BREAK_HANDSHAKE and SSL_LEGACY_NO_RENEGOTIATION
2012-09-17 09:18:12 +00:00
Paul Bakker
48916f9b67
- Added Secure Renegotiation (RFC 5746)
2012-09-16 19:57:18 +00:00
Paul Bakker
8d914583f3
- Added X509 CA Path support
2012-06-04 12:46:42 +00:00
Paul Bakker
4248823f43
- Updated to handle x509parse_crtfile() positive return values
2012-05-16 08:21:05 +00:00
Paul Bakker
0b22e3e989
- Print return codes properly
2012-04-18 14:23:29 +00:00
Paul Bakker
570267f01a
- print error string in useful format
2012-04-10 08:22:46 +00:00
Paul Bakker
fab5c829e7
- Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by default!
2012-02-06 16:45:10 +00:00
Paul Bakker
13eb9f01cf
- Added error exit code
2012-02-06 15:35:10 +00:00
Paul Bakker
69e095cc15
- Changed the behaviour of x509parse_parse_crt for permissive parsing. Now returns the number of 'failed certificates' instead of having a switch to enable it.
...
- As a consequence all error code that were positive were changed. A lot of MALLOC_FAILED and FILE_IO_ERROR error codes added for different modules.
- Programs and tests were adapted accordingly
2011-12-10 21:55:01 +00:00
Paul Bakker
508ad5ab6d
- Moved all examples programs to use the new entropy and CTR_DRBG
2011-12-04 17:09:26 +00:00
Paul Bakker
6c0ceb3f9a
- Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error
2011-12-04 12:24:18 +00:00
Paul Bakker
a3d195c41f
- Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs
2011-11-27 21:07:34 +00:00
Paul Bakker
cce9d77745
- Lots of minimal changes to better support WINCE as a build target
2011-11-18 14:26:47 +00:00
Paul Bakker
5690efccc4
- Fixed a whole bunch of dependencies on defines between files, examples and tests
2011-05-26 13:16:06 +00:00
Paul Bakker
f357131a7b
- Gather data until server gives EOF
2011-05-20 12:32:35 +00:00
Paul Bakker
831a755d9e
- Changed behaviour of net_recv(), ssl_fetch_input() and ssl_read(). net_recv() now returns 0 on EOF instead of POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function. ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received after the handshake.
...
- Network functions now return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous POLARSSL_ERR_NET_TRY_AGAIN
2011-05-18 13:32:51 +00:00
Paul Bakker
23986e5d5d
- Major type rewrite of int to size_t for most variables and arguments used for buffer lengths and loops
2011-04-24 08:57:21 +00:00
Paul Bakker
5193688682
- Added force_ciphersuite option to ssl_client2 application
2011-02-20 16:05:58 +00:00
Paul Bakker
1a207ec8af
- Set sane start values for structures that are closed or freed.
2011-02-06 13:22:40 +00:00
Paul Bakker
e3166ce040
- Renamed ciphers member of ssl_context and cipher member of ssl_session to ciphersuites and ciphersuite respectively. This clarifies the difference with the generic cipher layer and is better naming altogether
...
- Adapted in the rest of using code as well
2011-01-27 17:40:50 +00:00
Paul Bakker
b96f154e51
- Fixed copyright message
2010-07-18 20:36:00 +00:00
Paul Bakker
84f12b76fc
- Updated Copyright to correct entity
2010-07-18 10:13:04 +00:00
Paul Bakker
6796839695
2010-07-18 08:28:20 +00:00
Paul Bakker
fc8c4360b8
- Updated copyright line to 2010
2010-03-21 17:37:16 +00:00
Paul Bakker
1f3c39c194
- Removed copyright line for Christophe Devine for clarity
2010-03-21 17:30:05 +00:00
Paul Bakker
43f7ff6906
- Removed debug print
2010-03-18 20:10:27 +00:00
Paul Bakker
f80d4539d1
- Small fix to initialize value
2010-03-16 21:16:04 +00:00
Paul Bakker
ff60ee6c2a
- Added const-correctness to main codebase
2010-03-16 21:09:09 +00:00
Paul Bakker
9caf2d2d38
- Added option parsing for ssl_client2 to select host and port
2010-02-18 19:37:19 +00:00
Paul Bakker
77b385e91a
- Updated copyright messages on all relevant files
2009-07-28 17:23:11 +00:00
Paul Bakker
40ea7de46d
- Added CRL revocation support to x509parse_verify()
...
- Fixed an off-by-one allocation in ssl_set_hostname()
- Added CRL support to SSL/TLS code
2009-05-03 10:18:48 +00:00
Paul Bakker
d98030e7d6
- Added prelimenary CRL parsing and info support
2009-05-02 15:13:40 +00:00
Paul Bakker
0e6975b7ed
- Fixed use of correct ca certificate (test_ca_cert) instead of xyssl_ca_cert
2009-02-10 22:19:10 +00:00
Paul Bakker
785a9eeece
- Added email address to header license information
2009-01-25 14:15:10 +00:00
Paul Bakker
e0ccd0a7c3
- Updated Copyright notices
2009-01-04 16:27:10 +00:00
Paul Bakker
b749d68f9c
- Updates to PolarSSL
...
- Added ignores
2009-01-04 16:08:55 +00:00
Paul Bakker
40e46940df
- First replacement of xyssl by polarssl where needed
2009-01-03 21:51:57 +00:00
Paul Bakker
5121ce5bdb
- Renamed include directory to polarssl
2009-01-03 21:22:43 +00:00