All symmetric cipher algorithms and hash algorithms now include support
for a POLARSSL_XXX_ALT flag that prevents the definition of the
algorithm context structure and all 'core' functions.
(cherry picked from commit 4087c47043)
PKCS#8 encrypted key file support has been added to x509parse_key() with
support for some PCKS#12 PBE functions (pbeWithSHAAnd128BitRC4,
pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHAAnd2-KeyTripleDES-CBC)
(cherry picked from commit cf6e95d9a8)
Conflicts:
scripts/generate_errors.pl
After header and footer are read, pem_read_buffer() is able to determine
the length of input data used. This allows calling functions to skip
this PEM bit if an error occurs during its parsing.
(cherry picked from commit 9255e8300e)
Rationale: The HAVEGE random generator has too many caveats to be a
standard generator that people rely on. The HAVEGE random generator is not
suitable for virtualized environments. In addition the HAVEGE random
generator is dependent on timing and specific processor traits that
cannot be guaranteed by default on compile time.
Our advice: only use HAVEGE as an additional random source for your
entropy pool, never as your primary source.
(cherry picked from commit 08f06cf49f)
code selection
The base RFC 4279 DHE-PSK ciphersuites are now supported and added.
The SSL code cuts out code not relevant for defined key exchange methods
The ciphersuites parameter in the ssl_session structure changed from
'int *' to 'int *[4]'.
The new function ssl_set_ciphersuite_for_version() sets specific entries
inside this array. ssl_set_ciphersuite() sets all entries to the same
value.
(cherry picked from commit a62729888b)
Conflicts:
ChangeLog
library/ssl_srv.c
library/ssl_tls.c
A new OID module has been created that contains the main OID searching
functionality based on type-dependent arrays. A base type is used to
contain the basic values (oid_descriptor_t) and that type is extended to
contain type specific information (like a pk_alg_t).
As a result the rsa sign and verify function prototypes have changed. They
now expect a md_type_t identifier instead of the removed RSA_SIG_XXX
defines.
All OID definitions have been moved to oid.h
All OID matching code is in the OID module.
The RSA PKCS#1 functions cleaned up as a result and adapted to use the
MD layer.
The SSL layer cleanup up as a result and adapted to use the MD layer.
The X509 parser cleaned up and matches OIDs in certificates with new
module and adapted to use the MD layer.
The X509 writer cleaned up and adapted to use the MD layer.
Apps and tests modified accordingly
Made all modifications to include Ephemeral Elliptic Curve Diffie
Hellman ciphersuites into the existing SSL/TLS modules. All basic
handling of the ECDHE-ciphersuites (TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
has been included.
process functions
Access to process functions is needed to reduce possible timing attacks
on SSL MAC checks. As SSL is set to move to using the dynamic MD layer,
the MD layer needs access to these process functions as well.
The real peer certificate is copied into a x509_buf in the
ssl_cache_entry and reinstated upon cache retrieval. The information
about the rest of the certificate chain is lost in the process.
As the handshake (and certificate verification) has already been
performed, no issue is foreseen.
If the define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is enabled,
the SSL Server module can handle the old SSLv2 Client Hello messages.
It has been updated to deny SSLv2 Client Hello messages during
renegotiation.
Split rsa_pkcs1_encrypt() into rsa_rsaes_oaep_encrypt() and
rsa_rsaes_pkcs1_v15_encrypt()
Split rsa_pkcs1_decrypt() into rsa_rsaes_oaep_decrypt() and
rsa_rsaes_pkcs1_v15_decrypt()
Split rsa_pkcs1_sign() into rsa_rsassa_pss_sign() and
rsa_rsassa_pkcs1_v15_sign()
Split rsa_pkcs1_verify() into rsa_rsassa_pss_verify() and
rsa_rsassa_pkcs1_v15_verify()
The original functions exist as generic wrappers to these functions.
New padding checking is unbiased on correct or incorrect padding and
has no branch prediction timing differences.
The additional MAC checks further straighten out the timing differences.