Merge commit '36adc36' into dtls

* commit '36adc36': Add support for getrandom() Use library default for trunc-hmac in ssl_client2 Make truncated hmac a runtime option server-side Fix portability issue in script Specific error for suites in common but none good Prefer SHA-1 certificates for pre-1.2 clients Some more refactoring/tuning. Minor refactoring Conflicts: include/polarssl/error.h include/polarssl/ssl.h library/error.c
2025-12-23 15:55:10 +01:00 · 2015-01-21 13:48:45 +00:00 · 2015-01-21 13:48:45 +00:00 · bfccdd3c92
commit bfccdd3c92
parent 0017c2be48 36adc3631c
11 changed files with 262 additions and 63 deletions
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@ -91,7 +91,7 @@
 * ECP       4   8 (Started from top)
 * MD        5   4
 * CIPHER    6   6
- * SSL       6   12 (Started from top)
+ * SSL       6   13 (Started from top)
 * SSL       7   31
 *
 * Module dependent error code (5 bits 0x.00.-0x.F8.)
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -158,6 +158,7 @@
 #define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO       -0x6B00  /**< Unexpected message at ServerHello in renegotiation. */
 #define POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
 #define POLARSSL_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
+#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate) */

 /*
 * Various constants
@ -1851,15 +1852,15 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );

 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
 /**
- * \brief          Activate negotiation of truncated HMAC (Client only)
- *                 (Default: SSL_TRUNC_HMAC_ENABLED)
+ * \brief          Activate negotiation of truncated HMAC
+ *                 (Default: SSL_TRUNC_HMAC_DISABLED on client,
+ *                           SSL_TRUNC_HMAC_ENABLED on server.)
 *
 * \param ssl      SSL context
 * \param truncate Enable or disable (SSL_TRUNC_HMAC_ENABLED or
 *                                    SSL_TRUNC_HMAC_DISABLED)
 *
- * \return         O if successful,
- *                 POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side
+ * \return         Always 0.
 */
 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */