Commit Graph

59 Commits

Author SHA1 Message Date
Paul Bakker
a1caf6e1e8 SSL now gracefully handles missing RNG 2014-07-07 14:20:52 +02:00
Manuel Pégourié-Gonnard
5c8434cf52 Safer buffer comparisons in the SSL modules 2014-07-07 14:10:07 +02:00
Paul Bakker
915ee19887 Do not allow SHA256/SHA384 ciphersuites in < TLS 1.2 2013-09-23 17:30:26 +02:00
Paul Bakker
43f9799ce6 RSA blinding on CRT operations to counter timing attacks 2013-09-23 11:23:31 +02:00
Paul Bakker
21360ca4d4 ssl_write_certificate_request() can handle empty ca_chain 2013-06-21 15:11:10 +02:00
Paul Bakker
7c3c3899cf Secure renegotiation extension should only be sent in case client supports secure renegotiation 2013-06-06 11:22:13 +02:00
Paul Bakker
a62729888b Ability to specify allowed ciphersuites based on the protocol version.
The ciphersuites parameter in the ssl_session structure changed from
'int *' to 'int **' and is now malloced in ssl_init() and freed in
ssl_free().

The new function ssl_set_ciphersuite_for_version() sets specific entries
inside this array. ssl_set_ciphersuite() sets all entries to the same
value.
2013-04-12 13:13:43 +02:00
Paul Bakker
78a8c71993 Re-added support for parsing and handling SSLv2 Client Hello messages
If the define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is enabled,
the SSL Server module can handle the old SSLv2 Client Hello messages.

It has been updated to deny SSLv2 Client Hello messages during
renegotiation.
2013-03-06 18:01:03 +01:00
Paul Bakker
1961b709d8 Added ssl_handshake_step() to allow single stepping the handshake
process

Single stepping the handshake process allows for better support of
non-blocking network stacks and for getting information from specific
handshake messages if wanted.
2013-01-25 14:49:24 +01:00
Paul Bakker
21dca69ef0 Handle future version properly in ssl_write_certificate_request() 2013-01-03 11:41:08 +01:00
Paul Bakker
bc3d98469f Fixed multiple DN size 2012-11-26 16:12:02 +01:00
Paul Bakker
78ce507988 Fixed typo 2012-11-23 14:23:53 +01:00
Paul Bakker
926af7582a Fixed client certificate handling with TLS 1.2 2012-11-23 13:38:07 +01:00
Paul Bakker
645ce3a2b4 - Moved ciphersuite naming scheme to IANA reserved names 2012-10-31 12:32:41 +00:00
Paul Bakker
35a7fe52f3 - Prevent compiler warning 2012-10-31 09:07:14 +00:00
Paul Bakker
8611e73dd3 - Fixed infinite loop 2012-10-30 07:52:29 +00:00
Paul Bakker
81420abcb6 - properly print minimum version 2012-10-23 10:31:15 +00:00
Paul Bakker
23f3680898 - Added proper support for TLS 1.2 signature_algorithm extension on server
side
 - Minor const changes to other extension parsing functions
2012-09-28 14:15:14 +00:00
Paul Bakker
1d29fb5e33 - Added option to add minimum accepted SSL/TLS protocol version 2012-09-28 13:28:45 +00:00
Paul Bakker
5701cdcd02 - Added ServerName extension parsing (SNI) at server side 2012-09-27 21:49:42 +00:00
Paul Bakker
eb2c658163 - Generalized external private key implementation handling (like PKCS#11) in SSL/TLS 2012-09-27 19:15:01 +00:00
Paul Bakker
0a59707523 - Added simple SSL session cache implementation
- Revamped session resumption handling
2012-09-25 21:55:46 +00:00
Paul Bakker
29b64761fd - Added predefined DHM groups from RFC 5114 2012-09-25 09:36:44 +00:00
Paul Bakker
d0f6fa7bdc - Sending of handshake_failures during renegotiation added
- Handle two legacy modes differently: SSL_LEGACY_BREAK_HANDSHAKE and SSL_LEGACY_NO_RENEGOTIATION
2012-09-17 09:18:12 +00:00
Paul Bakker
48916f9b67 - Added Secure Renegotiation (RFC 5746) 2012-09-16 19:57:18 +00:00
Paul Bakker
ec636f3bdd - Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation) 2012-09-09 19:17:02 +00:00
Paul Bakker
2770fbd651 - Added DEFLATE compression support as per RFC3749 (requires zlib) 2012-07-03 13:30:23 +00:00
Paul Bakker
380da53c48 - Abstracted checksum updating during handshake 2012-04-18 16:10:25 +00:00
Paul Bakker
ca4ab49158 - Added GCM ciphersuites to TLS implementation 2012-04-18 14:23:57 +00:00
Paul Bakker
10cd225962 - Added support for the SHA256 ciphersuites of AES and Camellia 2012-04-12 21:26:34 +00:00
Paul Bakker
bf63b36127 - Updated comments 2012-04-12 20:44:34 +00:00
Paul Bakker
1ef83d66dd - Initial bare version of TLS 1.2 2012-04-11 12:09:53 +00:00
Paul Bakker
fab5c829e7 - Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by default! 2012-02-06 16:45:10 +00:00
Paul Bakker
1c70d409ad - Added better handling of missing session struct 2011-12-04 22:30:17 +00:00
Paul Bakker
a3d195c41f - Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs 2011-11-27 21:07:34 +00:00
Paul Bakker
5690efccc4 - Fixed a whole bunch of dependencies on defines between files, examples and tests 2011-05-26 13:16:06 +00:00
Paul Bakker
9d781407bc - A error_strerror function() has been added to translate between error codes and their description.
- The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative.
 - Descriptions to all error codes have been added.
 - Generation script for error.c has been created to automatically generate error.c from the available error definitions in the headers.
2011-05-09 16:17:09 +00:00
Paul Bakker
23986e5d5d - Major type rewrite of int to size_t for most variables and arguments used for buffer lengths and loops 2011-04-24 08:57:21 +00:00
Paul Bakker
99a03afc22 - Fixed possible uninitialized values 2011-04-01 11:39:39 +00:00
Paul Bakker
9dcc32236b - Added support for PKCS#1 v2.1 encoding and thus support for the RSAES-OAEP and RSASSA-PSS operations (enabled by POLARSSL_PKCS1_V21) 2011-03-08 14:16:06 +00:00
Paul Bakker
e3166ce040 - Renamed ciphers member of ssl_context and cipher member of ssl_session to ciphersuites and ciphersuite respectively. This clarifies the difference with the generic cipher layer and is better naming altogether
- Adapted in the rest of using code as well
2011-01-27 17:40:50 +00:00
Paul Bakker
43b7e35b25 - Support for PKCS#11 through the use of the pkcs11-helper library 2011-01-18 15:27:19 +00:00
Paul Bakker
61c324bbdd - Enabled TLSv1.1 support in server as well 2010-07-29 21:09:03 +00:00
Paul Bakker
b96f154e51 - Fixed copyright message 2010-07-18 20:36:00 +00:00
Paul Bakker
84f12b76fc - Updated Copyright to correct entity 2010-07-18 10:13:04 +00:00
Paul Bakker
77a43580da - Added support for the SSL_EDH_RSA_AES_128_SHA and SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites 2010-06-15 21:32:46 +00:00
Paul Bakker
2908713af1 - Corrected behaviour 2010-03-21 21:03:34 +00:00
Paul Bakker
fc8c4360b8 - Updated copyright line to 2010 2010-03-21 17:37:16 +00:00
Paul Bakker
1f3c39c194 - Removed copyright line for Christophe Devine for clarity 2010-03-21 17:30:05 +00:00
Paul Bakker
ff60ee6c2a - Added const-correctness to main codebase 2010-03-16 21:09:09 +00:00