Bodo Möller
9770924f9b
OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)
...
Submitted by: Neel Mehta, Adam Langley, Bodo Moeller
2011-02-08 17:48:57 +00:00
Bodo Möller
e2b798c8b3
Assorted bugfixes:
...
- safestack macro changes for C++ were incomplete
- RLE decompression boundary case
- SSL 2.0 key arg length check
Submitted by: Google (Adam Langley, Neel Mehta, Bodo Moeller)
2011-02-03 12:03:51 +00:00
Bodo Möller
88f2a4cf9c
CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)
2011-02-03 10:43:00 +00:00
Bodo Möller
9d0397e977
make update
2011-02-03 10:17:53 +00:00
Dr. Stephen Henson
9bafd8f7b3
FIPS_allow_md5() no longer exists and is no longer required
2011-01-26 12:23:58 +00:00
Dr. Stephen Henson
722521594c
Don't use decryption_failed alert for TLS v1.1 or later.
2011-01-04 19:39:27 +00:00
Dr. Stephen Henson
a47577164c
Since DTLS 1.0 is based on TLS 1.1 we should never return a decryption_failed
...
alert.
2011-01-04 19:34:20 +00:00
Richard Levitte
b7ef916c38
First attempt at adding the possibility to set the pointer size for the builds on VMS.
...
PR: 2393
2010-12-14 19:19:04 +00:00
Dr. Stephen Henson
d0205686bb
PR: 2240
...
Submitted by: Jack Lloyd <lloyd@randombit.net>, "Mounir IDRASSI" <mounir.idrassi@idrix.net>, steve
Reviewed by: steve
As required by RFC4492 an absent supported points format by a server is
not an error: it should be treated as equivalent to an extension only
containing uncompressed.
2010-11-25 12:27:09 +00:00
Dr. Stephen Henson
290be870d6
using_ecc doesn't just apply to TLSv1
2010-11-25 11:51:31 +00:00
Dr. Stephen Henson
6f678c4081
oops, revert invalid change
2010-11-24 14:03:25 +00:00
Dr. Stephen Henson
e9be051f3a
use generalise mac API for SSL key generation
2010-11-24 13:16:59 +00:00
Richard Levitte
ec44f0ebfa
Taken from OpenSSL_1_0_0-stable:
...
Include proper header files for time functions.
Submitted by Arpadffy Zoltan <Zoltan.Arpadffy@scientificgames.se>
2010-11-22 18:25:04 +00:00
Dr. Stephen Henson
b71f815f6b
remove duplicate statement
2010-11-18 17:33:17 +00:00
Dr. Stephen Henson
ac7797a722
oops, reinstate TLSv1 string
2010-11-17 18:17:08 +00:00
Dr. Stephen Henson
7d5686d355
Don't assume a decode error if session tlsext_ecpointformatlist is not NULL: it can be legitimately set elsewhere.
2010-11-17 17:37:23 +00:00
Dr. Stephen Henson
732d31beee
bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files
2010-11-16 14:18:51 +00:00
Dr. Stephen Henson
e15320f652
Only use explicit IV if cipher is in CBC mode.
2010-11-14 17:47:45 +00:00
Dr. Stephen Henson
e827b58711
Get correct GOST private key instead of just assuming the last one is
...
correct: this isn't always true if we have more than one certificate.
2010-11-14 13:50:55 +00:00
Dr. Stephen Henson
5759425810
PR: 2314
...
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net>
Reviewed by: steve
Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
2010-10-10 12:15:47 +00:00
Ben Laurie
bf48836c7c
Fixes to NPN from Adam Langley.
2010-09-05 17:14:01 +00:00
Ben Laurie
d9a268b9f9
NPN tests.
2010-09-05 16:35:10 +00:00
Ben Laurie
5df2a2497a
Fix warnings.
2010-09-05 16:34:49 +00:00
Dr. Stephen Henson
bdd5350804
PR: 1833
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix other cases not covered by original patch.
2010-08-27 11:29:15 +00:00
Bodo Möller
7c2d4fee25
For better forward-security support, add functions
...
SSL_[CTX_]set_not_resumable_session_callback.
Submitted by: Emilia Kasper (Google)
[A part of this change affecting ssl/s3_lib.c was accidentally commited
separately, together with a compilation fix for that file;
see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855 ).]
2010-08-26 15:15:47 +00:00
Bodo Möller
f16176dab4
Patch from PR #1833 was broken: there's no s->s3->new_session
...
(only s->new_session).
2010-08-26 14:54:16 +00:00
Dr. Stephen Henson
44959ee456
PR: 1833
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Support for abbreviated handshakes when renegotiating.
2010-08-26 14:23:52 +00:00
Ben Laurie
ee2ffc2794
Add Next Protocol Negotiation.
2010-07-28 10:06:55 +00:00
Dr. Stephen Henson
f96ccf36ff
PR: 1830
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson
Support for RFC5705 key extractor.
2010-07-18 17:43:18 +00:00
Dr. Stephen Henson
b9e7793dd7
oops, revert wrong patch..
2010-07-18 17:43:01 +00:00
Dr. Stephen Henson
d135da5192
Fix warnings (From HEAD, original patch by Ben).
2010-07-18 16:52:47 +00:00
Dr. Stephen Henson
9674de7d3d
no need for empty fragments with TLS 1.1 and later due to explicit IV
2010-06-27 14:43:03 +00:00
Ben Laurie
c8bbd98a2b
Fix warnings.
2010-06-12 14:13:23 +00:00
Dr. Stephen Henson
7837c7ec45
PR: 2259
...
Submitted By: Artem Chuprina <ran@cryptocom.ru>
Check return values of HMAC in tls_P_hash and tls1_generate_key_block.
Although the previous version could in theory crash that would only happen if a
digest call failed. The standard software methods can never fail and only one
ENGINE currently uses digests and it is not compiled in by default.
2010-05-17 11:27:22 +00:00
Dr. Stephen Henson
6006ae148c
PR: 2230
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix bug in bitmask macros and stop warnings.
2010-05-03 13:01:40 +00:00
Dr. Stephen Henson
45106caab7
fix signed/unsigned comparison warnings
2010-04-14 00:41:14 +00:00
Dr. Stephen Henson
934e22e814
PR: 2230
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix various DTLS fragment reassembly bugs.
2010-04-14 00:17:55 +00:00
Dr. Stephen Henson
3122d1d382
PR: 2229
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Don't drop DTLS connection if mac or decryption failed.
2010-04-14 00:10:05 +00:00
Dr. Stephen Henson
b7463c8818
PR: 2228
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix DTLS buffer record MAC failure bug.
2010-04-14 00:03:27 +00:00
Dr. Stephen Henson
c0b8eb606f
Add SHA2 algorithms to SSL_library_init(). Although these aren't used
...
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.
Update docs.
2010-04-07 13:18:07 +00:00
Dr. Stephen Henson
ff12f88b8e
PR: 2218
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fixes for DTLS replay bug.
2010-04-06 12:45:04 +00:00
Dr. Stephen Henson
47e6a60e42
PR: 2219
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fixes for DTLS buffering bug.
2010-04-06 12:40:19 +00:00
Dr. Stephen Henson
87a37cbadd
PR: 2223
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fixes for DTLS timeout bug
2010-04-06 12:29:31 +00:00
Dr. Stephen Henson
00a37b5a9b
PR: 2220
...
Fixes to make OpenSSL compile with no-rc4
2010-04-06 11:18:59 +00:00
Bodo Möller
3e8b6485b3
Fix for "Record of death" vulnerability CVE-2010-0740.
...
Also, add missing CHANGES entry for CVE-2009-3245 (code changes submitted to this branch on 23 Feb 2010),
and further harmonize this version of CHANGES with the versions in the current branches.
2010-03-25 11:25:30 +00:00
Dr. Stephen Henson
a3a06e6543
PR: 1731 and maybe 2197
...
Clear error queue in a few places in SSL code where errors are expected
so they don't stay in the queue.
2010-03-24 23:17:15 +00:00
Dr. Stephen Henson
cca1cd9a34
Submitted by: Tomas Hoger <thoger@redhat.com>
...
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:41:18 +00:00
Dr. Stephen Henson
2b13f80360
algorithms field has changed in 1.0.0 and later: update
2010-02-28 00:24:04 +00:00
Dr. Stephen Henson
c1ca9d3238
Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and
...
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
2010-02-27 23:02:41 +00:00
Dr. Stephen Henson
7512141162
OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved
2010-02-17 19:43:56 +00:00