Manuel Pégourié-Gonnard
11c919208d
Fix error code description.
2015-01-22 13:22:12 +00:00
Manuel Pégourié-Gonnard
59c6f2ef21
Avoid nested if's without braces.
...
Creates a potential for confusing code if we later want to add an else clause.
2015-01-22 11:06:40 +00:00
Manuel Pégourié-Gonnard
5d9cde25da
Move renego SCSV after actual ciphersuites
2015-01-22 10:49:41 +00:00
Paul Bakker
5b8f7eaa3e
Merge new security defaults for programs (RC4 disabled, SSL3 disabled)
2015-01-14 16:26:54 +01:00
Paul Bakker
36adc3631c
Merge support for getrandom() call
2015-01-14 16:19:59 +01:00
Paul Bakker
c82b7e2003
Merge option to disable truncated hmac on the server-side
2015-01-14 16:16:55 +01:00
Paul Bakker
e522d0fa57
Merge smarter certificate selection for pre-TLS-1.2 clients
2015-01-14 16:12:48 +01:00
Manuel Pégourié-Gonnard
a852cf4833
Fix issue with non-blocking I/O & record splitting
2015-01-13 20:56:15 +01:00
Manuel Pégourié-Gonnard
d5746b36f9
Fix warning
2015-01-13 20:33:24 +01:00
Paul Bakker
f3561154ff
Merge support for 1/n-1 record splitting
2015-01-13 16:31:34 +01:00
Paul Bakker
f6080b8557
Merge support for enabling / disabling renegotiation support at compile-time
2015-01-13 16:18:23 +01:00
Paul Bakker
d7e2483bfc
Merge miscellaneous fixes into development
2015-01-13 16:04:38 +01:00
Manuel Pégourié-Gonnard
5dd28ea432
Fix len miscalculation in buffer-based allocator
2015-01-13 14:58:01 +01:00
Manuel Pégourié-Gonnard
547ff6618f
Fix NULL dereference in buffer-based allocator
2015-01-13 14:58:01 +01:00
Manuel Pégourié-Gonnard
5ba1d52f96
Add memory_buffer_alloc_self_test()
2015-01-13 14:58:00 +01:00
Manuel Pégourié-Gonnard
5cb4b31057
Fix missing bound check
2015-01-13 14:58:00 +01:00
Manuel Pégourié-Gonnard
bd47a58221
Add ssl_set_arc4_support()
...
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
2015-01-13 13:03:06 +01:00
Manuel Pégourié-Gonnard
352143fa1e
Refactor for clearer correctness/security
2015-01-13 12:02:55 +01:00
Manuel Pégourié-Gonnard
18292456c5
Add support for getrandom()
2015-01-09 14:34:13 +01:00
Manuel Pégourié-Gonnard
e117a8fc0d
Make truncated hmac a runtime option server-side
...
Reading the documentation of ssl_set_truncated_hmac() may give the impression
I changed the default for clients but I didn't, the old documentation was
wrong.
2015-01-09 12:52:20 +01:00
Manuel Pégourié-Gonnard
f01768c55e
Specific error for suites in common but none good
2015-01-08 17:06:16 +01:00
Manuel Pégourié-Gonnard
df331a55d2
Prefer SHA-1 certificates for pre-1.2 clients
2015-01-08 16:43:07 +01:00
Manuel Pégourié-Gonnard
6458e3b743
Some more refactoring/tuning.
2015-01-08 14:16:56 +01:00
Manuel Pégourié-Gonnard
846ba473af
Minor refactoring
2015-01-08 13:54:38 +01:00
Manuel Pégourié-Gonnard
cfa477ef2f
Allow disabling record splitting at runtime
2015-01-07 14:56:54 +01:00
Manuel Pégourié-Gonnard
d76314c44c
Add 1/n-1 record splitting
2015-01-07 14:56:54 +01:00
Manuel Pégourié-Gonnard
d94232389e
Skip signature_algorithms ext if PSK only
2014-12-02 11:57:29 +01:00
Manuel Pégourié-Gonnard
eaecbd3ba8
Fix warning in reduced configs
2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard
837f0fe831
Make renego period configurable
2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard
b445805283
Auto-renegotiate before sequence number wrapping
2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard
6186019d5d
Save 48 bytes if SSLv3 is not defined
2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard
615e677c0b
Make renegotiation a compile-time option
2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard
60346be2a3
Improve debugging message.
...
This actually prints only the payload, not the potential IV and/or MAC,
so (to me at least) it's much less confusing
2014-11-27 17:44:46 +01:00
Manuel Pégourié-Gonnard
e423246e7f
Fix net_usleep for durations greater than 1 second
2014-11-27 17:44:46 +01:00
Manuel Pégourié-Gonnard
9439f93ea4
Use pk_load_file() in X509
...
Saves a bit of ROM. X509 depends on PK anyway.
2014-11-27 17:44:46 +01:00
Manuel Pégourié-Gonnard
2457fa0915
Create ticket keys only if enabled
2014-11-27 17:44:45 +01:00
Manuel Pégourié-Gonnard
d16d1cb96a
Use more #ifdef's on CLI_C and SRV_C in ssl_tls.c
2014-11-27 17:44:45 +01:00
Manuel Pégourié-Gonnard
fd6c85c3eb
Set a compile-time limit to X.509 chain length
2014-11-20 16:37:41 +01:00
Manuel Pégourié-Gonnard
6ed2d92629
Make x509_crl_parse() iterative
2014-11-20 16:36:07 +01:00
Manuel Pégourié-Gonnard
426d4ae7ff
Split x509_crl_parse_der() out of x509_crl_parse()
2014-11-20 16:36:07 +01:00
Manuel Pégourié-Gonnard
8c9223df84
Add text view to debug_print_buf()
2014-11-19 13:21:38 +01:00
Manuel Pégourié-Gonnard
8e4b3374d7
Fix some more warnings in reduced configs
2014-11-17 15:06:13 +01:00
Manuel Pégourié-Gonnard
98aa19148c
Adjust warnings in different modes
2014-11-14 16:45:48 +01:00
Manuel Pégourié-Gonnard
e5b0fc1847
Make malloc-init script a bit happier
2014-11-13 12:42:12 +01:00
Manuel Pégourié-Gonnard
f631bbc1da
Make x509_string_cmp() iterative
2014-11-13 12:42:06 +01:00
Manuel Pégourié-Gonnard
8a5e3d4a40
Forbid repeated X.509 extensions
2014-11-12 18:13:58 +01:00
Manuel Pégourié-Gonnard
d681443f69
Fix potential stack overflow
2014-11-12 01:25:31 +01:00
Manuel Pégourié-Gonnard
b134060f90
Fix memory leak with crafted X.509 certs
2014-11-12 00:01:52 +01:00
Manuel Pégourié-Gonnard
0369a5291b
Fix uninitialised pointer dereference
2014-11-12 00:01:52 +01:00
Manuel Pégourié-Gonnard
e959979621
Fix ECDSA sign buffer size
2014-11-12 00:01:52 +01:00