wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
7806 commits 20 branches 302 tags 153 MiB
Commit graph

809 commits

Author SHA1 Message Date
Dr. Stephen Henson
2c17b493b1 Make -DKSSL_DEBUG work again. 2008-11-10 18:55:07 +00:00
Lutz Jänicke
4db3e88459 Firstly, the bitmap we use for replay protection was ending up with zero 
length, so a _single_ pair of packets getting switched around would
cause one of them to be 'dropped'.

Secondly, it wasn't even _dropping_ the offending packets, in the
non-blocking case. It was just returning garbage instead.
PR: #1752
Submitted by: David Woodhouse <dwmw2@infradead.org>
 2008-10-13 06:43:06 +00:00
Lutz Jänicke
ab073bad4f When the underlying BIO_write() fails to send a datagram, we leave the 
offending record queued as 'pending'. The DTLS code doesn't expect this,
and we end up hitting an OPENSSL_assert() in do_dtls1_write().

The simple fix is just _not_ to leave it queued. In DTLS, dropping
packets is perfectly acceptable -- and even preferable. If we wanted a
service with retries and guaranteed delivery, we'd be using TCP.
PR: #1703
Submitted by: David Woodhouse <dwmw2@infradead.org>
 2008-10-10 10:41:32 +00:00
Bodo Möller
d875413a0b Make sure that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG can't 
enable disabled ciphersuites.
 2008-09-22 21:22:51 +00:00
Dr. Stephen Henson
e852835da6 Make update: delete duplicate error code. 2008-09-17 17:11:09 +00:00
Dr. Stephen Henson
52702f6f92 Updates to build system from FIPS branch. Make fipscanisterbuild work and 
build FIPS test programs.
 2008-09-17 15:56:42 +00:00
Bodo Möller
446881468c update comment 2008-09-14 19:50:53 +00:00
Bodo Möller
c198c26226 oops 2008-09-14 18:16:09 +00:00
Andy Polyakov
54d6ddba69 dtls1_write_bytes consumers expect amount of bytes written per call, not 
overall [from HEAD].
PR: 1604
 2008-09-14 17:57:03 +00:00
Dr. Stephen Henson
1af12ff1d1 Fix error code discrepancy. 
Make update.
 2008-09-14 16:43:37 +00:00
Bodo Möller
200d00c854 Fix SSL state transitions. 
Submitted by: Nagendra Modadugu
 2008-09-14 14:02:01 +00:00
Bodo Möller
36a4a67b2b Some precautions to avoid potential security-relevant problems. 2008-09-14 13:42:40 +00:00
Andy Polyakov
3413424f01 DTLS didn't handle alerts correctly [from HEAD]. 
PR: 1632
 2008-09-13 18:25:36 +00:00
Dr. Stephen Henson
8f59c61d1d If tickets disabled behave as if no ticket received to support 
stateful resume.
 2008-09-03 22:13:04 +00:00
Bodo Möller
f9f6f0e9f0 sanity check 
PR: 1679
 2008-08-13 19:44:44 +00:00
Dr. Stephen Henson
14748adb09 Make ssl code consistent with FIPS branch. The new code has no effect 
at present because it asserts either noop flags or is inside
OPENSSL_FIPS #ifdef's.
 2008-06-16 16:56:43 +00:00
Dr. Stephen Henson
0278e15fa3 If auto load ENGINE lookup fails retry adding builtin ENGINEs. 2008-06-05 15:13:03 +00:00
Dr. Stephen Henson
56ef1cbc40 include engine.h if needed. 2008-06-05 11:23:35 +00:00
Dr. Stephen Henson
591371566e Update from HEAD. 2008-06-04 22:39:29 +00:00
Dr. Stephen Henson
4aefb1dd98 Backport more ENGINE SSL client auth code to 0.9.8. 2008-06-04 18:35:27 +00:00
Dr. Stephen Henson
aa03989791 Backport ssl client auth ENGINE support to 0.9.8. 2008-06-04 18:01:40 +00:00
Bodo Möller
cec9bce126 fix whitespace 2008-05-28 22:22:50 +00:00
Mark J. Cox
2c0fa03dc6 Fix flaw if 'Server Key exchange message' is omitted from a TLS 
handshake which could lead to a cilent crash as found using the
Codenomicon TLS test suite (CVE-2008-1672)

Reviewed by: openssl-security@openssl.org

Obtained from: mark@awe.com
 2008-05-28 07:29:27 +00:00
Mark J. Cox
d3b3a6d389 Fix double-free in TLS server name extensions which could lead to a remote 
crash found by Codenomicon TLS test suite (CVE-2008-0891)

Reviewed by: openssl-security@openssl.org

Obtained from: jorton@redhat.com
 2008-05-28 07:26:33 +00:00
Lutz Jänicke
b0118409a9 Reword comment to be much shorter to stop other people from complaining 
about "overcommenting"
 2008-05-26 06:21:10 +00:00
Lutz Jänicke
5f23288692 Clear error queue when starting SSL_CTX_use_certificate_chain_file 
PR: 1417, 1513
Submitted by: Erik de Castro Lopo <mle+openssl@mega-nerd.com>
 2008-05-23 10:37:22 +00:00
Dr. Stephen Henson
db533c96e3 TLS ticket key setting callback: this allows and application to set 
its own TLS ticket keys.
 2008-04-30 16:11:33 +00:00
Dr. Stephen Henson
8831eb7624 Do not permit stateless session resumption is session IDs mismatch. 2008-04-29 17:22:01 +00:00
Dr. Stephen Henson
3c8f315021 Support ticket renewal in state machine (not used at present). 2008-04-29 16:41:53 +00:00
Dr. Stephen Henson
0f2e636602 Status strings for ticket states. 2008-04-29 16:38:26 +00:00
Dr. Stephen Henson
d3eef3e5af Fix from HEAD. 2008-04-25 16:27:25 +00:00
Dr. Stephen Henson
3edad44d6e Avoid "initializer not constant" errors when compiling in pedantic mode. 2008-04-02 11:15:05 +00:00
Ben Laurie
9c04747623 Make depend. 2007-11-15 13:32:53 +00:00
Dr. Stephen Henson
236860735e Allow new session ticket when resuming. 2007-11-03 13:07:39 +00:00
Dr. Stephen Henson
5f95651316 Ensure the ticket expected flag is reset when a stateless resumption is 
successful.
 2007-10-18 11:39:11 +00:00
Andy Polyakov
ccac657556 New unused field crippled ssl_ctx_st in 0.9.8"f". 2007-10-17 21:22:58 +00:00
Andy Polyakov
a9c23ea079 Don't let DTLS ChangeCipherSpec increment handshake sequence number. From 
HEAD with a twist: server interoperates with non-compliant client.
PR: 1587
 2007-10-17 21:17:49 +00:00
Dr. Stephen Henson
33ffe2a7f7 Don't try to lookup zero length session. 2007-10-17 17:30:15 +00:00
Dr. Stephen Henson
7c717aafc6 Allow TLS tickets and session ID to both be present if lifetime hint is -1. 
This never happens in normal SSL sessions but can be useful if the session
is being used as a "blob" to contain other data.
 2007-10-17 11:27:25 +00:00
Andy Polyakov
ffe181c366 Make ssl compile. 2007-10-14 14:07:46 +00:00
Dr. Stephen Henson
43490dfb89 Avoid shadow and signed/unsigned warnings. 2007-10-12 00:29:06 +00:00
Dr. Stephen Henson
a523276786 Backport certificate status request TLS extension support to 0.9.8. 2007-10-12 00:00:36 +00:00
Ben Laurie
bb99ce5f80 make update, and more DTLS stuff. 2007-10-11 14:36:59 +00:00
Andy Polyakov
49f42ec0f6 Respect cookie length set by app_gen_cookie_cb [from HEAD]. 
Submitted by: Alex Lam
 2007-10-09 19:31:53 +00:00
Andy Polyakov
91d509f0d9 Make DTLS1 record layer MAC calculation RFC compliant. From HEAD with a 
twist: server interoperates with non-compliant pre-0.9.8f client.
 2007-10-09 19:22:01 +00:00
Andy Polyakov
d5e858c55f Prohibit RC4 in DTLS [from HEAD]. 2007-10-05 21:05:27 +00:00
Andy Polyakov
d4736ae701 Set client_version earlier in DTLS (this is 0.9.8 specific). 2007-10-03 10:18:06 +00:00
Andy Polyakov
3e1158522a Oops! This was erroneously left out commit #16633. 2007-10-01 06:28:48 +00:00
Andy Polyakov
57191f86d9 Explicit IV update [from HEAD]. 2007-09-30 22:03:07 +00:00
Andy Polyakov
0a89c575de Make ChangeCipherSpec compliant with DTLS RFC4347. From HEAD with a twist: 
server interoperates with non-compliant pre-0.9.8f.
 2007-09-30 21:20:59 +00:00