Commit graph

154 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 67505bf9e8 Merge branch 'development' into dtls
* development:
  Adapt tests to new defaults/errors.
  Fix typos/cosmetics in Changelog
  Disable RC4 by default in example programs.
  Add ssl_set_arc4_support()
  Set min version to TLS 1.0 in programs

Conflicts:
	include/polarssl/ssl.h
	library/ssl_cli.c
	library/ssl_srv.c
	tests/compat.sh
2015-01-21 13:57:33 +00:00
Paul Bakker 5b8f7eaa3e Merge new security defaults for programs (RC4 disabled, SSL3 disabled) 2015-01-14 16:26:54 +01:00
Manuel Pégourié-Gonnard bd47a58221 Add ssl_set_arc4_support()
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
2015-01-13 13:03:06 +01:00
Manuel Pégourié-Gonnard a65d5082b6 Merge branch 'development' into dtls
* development:
  Fix previous commit
  Allow flexible location of valgrind
  Fix test scripts portability issues
  Fix Gnu-ism in script

Conflicts:
	tests/ssl-opt.sh
2015-01-12 14:54:55 +01:00
Paul Bakker 54b1a8fa4d Merge support for Extended Master Secret (session-hash) 2015-01-12 14:14:07 +01:00
Manuel Pégourié-Gonnard f46f128f4a Fix test scripts portability issues 2014-12-11 17:26:09 +01:00
Manuel Pégourié-Gonnard 56d985d0a6 Merge branch 'session-hash' into dtls
* session-hash:
  Update Changelog for session-hash
  Make session-hash depend on TLS versions
  Forbid extended master secret with SSLv3
  compat.sh: allow git version of gnutls
  compat.sh: make options a bit more robust
  Implement extended master secret
  Add negotiation of Extended Master Secret

Conflicts:
	include/polarssl/check_config.h
	programs/ssl/ssl_server2.c
2014-11-06 01:25:09 +01:00
Manuel Pégourié-Gonnard dd4592774b compat.sh: allow git version of gnutls 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard 85a4178f82 compat.sh: make options a bit more robust 2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard 36795197d9 Rm now useless MTU setting in compat.sh 2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard 53aef81a7d Work around OpenSSL bug in compat.sh 2014-10-21 16:30:12 +02:00
Manuel Pégourié-Gonnard d1af1025d0 Add DTLS interop testing with OpenSSL server
PSK suites failing with client auth
2014-10-21 16:30:12 +02:00
Manuel Pégourié-Gonnard 9bfb1226da Add DTLS interop testing with GnuTLS server 2014-10-21 16:30:12 +02:00
Manuel Pégourié-Gonnard 29980b16bd Add DTLS interop testing (PolarSSL server) 2014-10-21 16:30:11 +02:00
Manuel Pégourié-Gonnard 3025b6cfd6 Add DTLS self-op test in compat.sh 2014-10-21 16:30:10 +02:00
Manuel Pégourié-Gonnard 7fa67728ad Scripts print more info on failure within buildbot 2014-08-31 17:42:53 +02:00
Manuel Pégourié-Gonnard 1287f11d54 Detect GnuTLS presence and version in compat.sh 2014-08-31 16:31:32 +02:00
Manuel Pégourié-Gonnard 16494496db Fix details in compat.sh 2014-08-31 10:37:14 +02:00
Manuel Pégourié-Gonnard 72e51ee7be Use arithmetic expansion in scripts, avoid bashisms 2014-08-31 10:22:11 +02:00
Manuel Pégourié-Gonnard c0f6a692fb Add client timeout to ssl-opt.sh and compat.sh 2014-08-30 22:59:55 +02:00
Manuel Pégourié-Gonnard decaf0b182 Clean up unused variable in compat.sh 2014-08-30 22:22:09 +02:00
Manuel Pégourié-Gonnard 74b11702d7 Simplify terminating ssl_server2 in test scripts 2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard e46aa5e336 Update GnuTLS version requirements in compat.sh 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard 7e0a5183db Add a missing suite to compat.sh 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard 8d4ad07706 SHA-2 ciphersuites now require TLS 1.x 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard 7457cb3a56 Fix some version/peer requirements in compat.sh 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard fab2a3c3d6 Fix port selection in ssl test scripts
Port was selected in the 1000-1999 range which is bad (system ports).
2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard 32f8f4d1a0 Catch SERVERQUIT timeout in ssl test scripts 2014-05-29 11:57:44 +02:00
Manuel Pégourié-Gonnard bc3b16c7e2 Also use unique names for temp files 2014-05-29 11:57:43 +02:00
Manuel Pégourié-Gonnard 8066b81a54 Pick a "unique" port in SSL test scripts 2014-05-29 11:57:43 +02:00
Paul Bakker 1ebc0c592c Fix typos 2014-05-22 15:47:58 +02:00
Manuel Pégourié-Gonnard 2594859bc6 Add CCM suites to compat.sh (self-op only) 2014-05-22 14:36:02 +02:00
Paul Bakker 17b85cbd69 Merged additional tests and improved code coverage
Conflicts:
	ChangeLog
2014-04-08 14:38:48 +02:00
Manuel Pégourié-Gonnard 563ad02663 Fix final report in compat.sh
Only affect what's printed, the exit code was already correct.
2014-04-08 11:56:35 +02:00
Manuel Pégourié-Gonnard 913030c286 Enable SSLv2 testing if OPENSSL_CMD is set 2014-04-04 16:33:01 +02:00
Manuel Pégourié-Gonnard e9a9a61c61 Deduplicate suites in compat.sh 2014-03-26 12:58:56 +01:00
Manuel Pégourié-Gonnard 12b8472f2f Test against GnuTLS for every common ciphersuite 2014-03-26 12:58:54 +01:00
Manuel Pégourié-Gonnard a1a9f9a639 Allow GnuTLS to be enabled via environment 2014-03-26 12:58:53 +01:00
Manuel Pégourié-Gonnard e01af4cd37 Tune compat.sh and ssl-opt.sh error reporting 2014-03-26 12:58:48 +01:00
Manuel Pégourié-Gonnard 5de31ecf9c Don't use dummy CA in compat.sh 2014-03-19 17:43:25 +01:00
Manuel Pégourié-Gonnard 3947d04b24 Fix too aggressive test for gnutls commands 2014-03-14 18:13:53 +01:00
Manuel Pégourié-Gonnard 74faf3c400 Fix usage of environment variables for commands 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 84fd6877c6 Use ssl_client2 to terminate ssl_server2 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard ba0b8442f0 compat.sh and ssl-opt.sh cosmetics
- do not print '0 memory errors' when memcheck was not used
- add commands to the log files
2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 9edba77c06 Add --exclude and --peers options to compat.sh 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard a4371447e4 Start adding GnuTLS client support to compat.sh 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 213c67adfc Adapt to new ssl_client2 default 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 5b2d776d2a GnuTLS in compat.sh: server-side 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 3eec60402f Add memcheck support to compat.sh 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 1b149ef746 Use no cert when none is required in compat.sh 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard f7a2690561 Make the openssl command configurable in sh tests 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 911622d84a compat.sh: never kill our server 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 87ae3031ac compat.sh: use file output (prep. for valgrind) 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 42d195acc1 compat.sh: don't start server if no ciphersuite 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 9dea8bd658 Minor compat.sh clean-up 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard a9062e96e7 shell scripts: clean up when exiting on signal 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard 4145b89091 compat.sh cosmetics 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard da782c9458 compat.sh: better certificate verification testing 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard eaadc508fb New ssl-opt.sh test script 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard c57e98b5fa compat.sh: terminate ssl_server2 cleanly 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 5f593f07f7 compat.sh: rm a useless sleep 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 95957717f3 compat.sh: source cosmetics 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 330e4111cb compat.sh: factor code into run_client() function 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 304beef2ae compat.sh: function to start server 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 9ada01a70c compat.sh: regroup arguments even more 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 1b31d7fd97 compat.sh: remove useless server restart 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 48f196cda5 compat.sh refactoring: group ciphersuite lists 2014-03-14 08:40:59 +01:00
Manuel Pégourié-Gonnard d941a796be compat.sh refectoring: regroup argument setting 2014-03-14 08:40:59 +01:00
Paul Bakker fe40f484fb Do not print error on missing kill target in compat.sh 2013-12-19 17:47:24 +01:00
Paul Bakker 5a607d26b7 Merged IPv6 support in the NET module 2013-12-17 14:34:19 +01:00
Manuel Pégourié-Gonnard c9baa873ca Force server to IPv4 in compat.s 2013-12-17 14:10:58 +01:00
Manuel Pégourié-Gonnard 0759d369e6 Fix ciphersuite selection in compat.sh 2013-12-17 11:50:52 +01:00
Manuel Pégourié-Gonnard 31a2325810 Add ECDH_ECDSA suites to compat.sh 2013-12-17 11:32:31 +01:00
Manuel Pégourié-Gonnard 07b54e06da Fix EC suites version requirements in compat.sh 2013-12-17 11:32:31 +01:00
Manuel Pégourié-Gonnard 452f6ba1a6 compat.sh cleanups 2013-12-17 11:26:59 +01:00
Manuel Pégourié-Gonnard c6f03faeaf Update compat.sh ciphersuite versions 2013-11-26 14:29:13 +01:00
Manuel Pégourié-Gonnard 65ea372f9b Rm unsupported suites (export) from compat.sh 2013-10-25 18:44:07 +02:00
Manuel Pégourié-Gonnard 8d01eea7af Add Camellia-GCM ciphersuites 2013-10-25 16:46:05 +02:00
Manuel Pégourié-Gonnard eebb5ad6cc Add RSA-PSK and ECDHE-PSK suites to compat.sh 2013-10-15 12:27:22 +02:00
Manuel Pégourié-Gonnard eb1714e9c8 Fix certs/psk arguments in compat.sh 2013-09-20 12:44:08 +02:00
Manuel Pégourié-Gonnard d331319a38 Check -m option in compat.sh 2013-09-18 14:34:32 +02:00
Manuel Pégourié-Gonnard 70064fd721 compat.sh: report results 2013-08-27 22:21:22 +02:00
Manuel Pégourié-Gonnard 7ebaf376f9 Add ECDSA suites to compat.sh 2013-08-27 22:21:22 +02:00
Manuel Pégourié-Gonnard dfc8d5accc Small adjustments in compat.sh 2013-08-27 22:21:22 +02:00
Manuel Pégourié-Gonnard 9791a4043e Refactor compat.sh to prepare for ECDSA 2013-08-27 22:21:22 +02:00
Paul Bakker 0f2f0bfc87 CAMELLIA-based PSK and DHE-PSK ciphersuites added 2013-07-26 15:04:03 +02:00
Paul Bakker 524691c0a0 Added --modes option to tests/compat.sh 2013-07-25 17:01:20 +02:00
Paul Bakker accd4eb665 compat.sh now has -f command-line option to filter used ciphersuites 2013-07-19 14:51:31 +02:00
Paul Bakker 89fe7f4388 compat.sh modified to support new ssl_server2 and ssl_client2
capabilities
2013-06-29 18:35:41 +02:00
Paul Bakker 40afb4ba13 Added PSK GCM, SHA256 and SHA384 ciphers from RFC5487 2013-04-19 22:03:30 +02:00
Paul Bakker a1bf92ddb4 Added PSK NULL ciphers from RFC4785 2013-04-19 20:47:26 +02:00
Paul Bakker 48f7a5d724 DHE-PSK based ciphersuite support added and cleaner key exchange based
code selection

The base RFC 4279 DHE-PSK ciphersuites are now supported and added.

The SSL code cuts out code not relevant for defined key exchange methods
2013-04-19 20:47:26 +02:00
Paul Bakker 7e5e7ca205 Added PSK ciphersuite tests to compat.sh 2013-04-18 23:12:34 +02:00
Paul Bakker abfdfbfd46 Removed duplicate value from compat.sh ciphersuite list 2013-04-08 14:07:43 +02:00
Paul Bakker 27714b1aa1 Added Camellia ECDHE-based CBC ciphersuites
Added TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 and
TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384
2013-04-07 23:07:12 +02:00
Paul Bakker a54e493bc0 Added ECDHE-based SHA256 and SHA384 ciphersuites
Added TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphersuites
2013-03-20 15:31:54 +01:00
Paul Bakker 41c83d3f67 Added Ephemeral Elliptic Curve Diffie Hellman ciphersuites to SSL/TLS
Made all modifications to include Ephemeral Elliptic Curve Diffie
Hellman ciphersuites into the existing SSL/TLS modules. All basic
handling of the ECDHE-ciphersuites (TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
has been included.
2013-03-20 14:39:14 +01:00
Paul Bakker 1eeceaeac8 More expansive testing 2012-11-23 14:25:34 +01:00
Paul Bakker 645ce3a2b4 - Moved ciphersuite naming scheme to IANA reserved names 2012-10-31 12:32:41 +00:00
Paul Bakker 0c93d126bc - Ability to define openssl at top
- Also add SHA256 ciphersuites in non-tls 1.2 modes
2012-09-13 14:26:09 +00:00