wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
9601 commits 20 branches 302 tags 153 MiB
Commit graph

1126 commits

Author SHA1 Message Date
Ben Laurie
a149b2466e Add SRP. 2011-03-16 11:26:40 +00:00
Dr. Stephen Henson
80b3d7a3c9 Remove redundant check to stop compiler warning. 2011-03-12 17:05:58 +00:00
Ben Laurie
4bd48de60c Fix warning. 2011-03-12 12:18:34 +00:00
Dr. Stephen Henson
2eab92f8e3 make no-dsa work again 2011-03-10 18:27:13 +00:00
Bodo Möller
8c93c4dd42 OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d) 
Submitted by: Neel Mehta, Adam Langley, Bodo Moeller
 2011-02-08 17:48:41 +00:00
Bodo Möller
a288aaefc4 Assorted bugfixes: 
- safestack macro changes for C++ were incomplete
- RLE decompression boundary case
- SSL 2.0 key arg length check

Submitted by: Google (Adam Langley, Neel Mehta, Bodo Moeller)
 2011-02-03 12:03:57 +00:00
Bodo Möller
346601bc32 CVE-2010-4180 fix (from OpenSSL_1_0_0-stable) 2011-02-03 10:42:00 +00:00
Dr. Stephen Henson
e1435034ae FIPS_allow_md5() no longer exists and is no longer required 2011-01-26 12:25:51 +00:00
Dr. Stephen Henson
4577b38d22 Don't use decryption_failed alert for TLS v1.1 or later. 2011-01-04 19:39:42 +00:00
Dr. Stephen Henson
a8515e2d28 Since DTLS 1.0 is based on TLS 1.1 we should never return a decryption_failed 
alert.
 2011-01-04 19:33:30 +00:00
Richard Levitte
90d02be7c5 First attempt at adding the possibility to set the pointer size for the builds on VMS. 
PR: 2393
 2010-12-14 19:18:58 +00:00
Dr. Stephen Henson
6c36ca4628 PR: 2240 
Submitted by: Jack Lloyd <lloyd@randombit.net>, "Mounir IDRASSI" <mounir.idrassi@idrix.net>, steve
Reviewed by: steve

As required by RFC4492 an absent supported points format by a server is
not an error: it should be treated as equivalent to an extension only
containing uncompressed.
 2010-11-25 12:27:39 +00:00
Dr. Stephen Henson
9c61c57896 using_ecc doesn't just apply to TLSv1 2010-11-25 11:51:46 +00:00
Dr. Stephen Henson
95eef4df79 use generalised mac API for SSL key generation 2010-11-24 13:17:48 +00:00
Dr. Stephen Henson
a25c98ac73 remove duplicate statement 2010-11-18 17:33:44 +00:00
Dr. Stephen Henson
2d1e9ce753 oops, reinstate TLSv1 string 2010-11-17 18:16:57 +00:00
Dr. Stephen Henson
6e21ce592e fix CVE-2010-3864 2010-11-17 17:36:29 +00:00
Dr. Stephen Henson
1a8ecda3ee Only use explicit IV if cipher is in CBC mode. 2010-11-14 17:47:21 +00:00
Dr. Stephen Henson
d36c7b618d Get correct GOST private key instead of just assuming the last one is 
correct: this isn't always true if we have more than one certificate.
 2010-11-14 13:50:42 +00:00
Dr. Stephen Henson
3fa29765fd PR: 2314 
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net>
Reviewed by: steve

Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
 2010-10-10 12:27:19 +00:00
Dr. Stephen Henson
36778eb231 PR: 1833 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix other cases not covered by original patch. (correct patch this time!)
 2010-08-27 12:12:07 +00:00
Dr. Stephen Henson
c6dd154b3e oops, revert previous patch 2010-08-27 12:10:12 +00:00
Dr. Stephen Henson
35cae95032 PR: 1833 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix other cases not covered by original patch.
 2010-08-27 11:57:42 +00:00
Bodo Möller
02ba02604c Patch from PR #1833 was broken: there's no s->s3->new_session 
(only s->new_session).
 2010-08-26 14:54:18 +00:00
Dr. Stephen Henson
48ae85b6ff PR: 1833 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Support for abbreviated handshakes when renegotiating.
 2010-08-26 14:22:40 +00:00
Dr. Stephen Henson
53e7985c8d PR: 1830 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson

Support for RFC5705 key extractor.
 2010-07-18 17:39:46 +00:00
Dr. Stephen Henson
28566b4966 no need for empty fragments with TLS 1.1 and later due to explicit IV 2010-06-27 14:42:43 +00:00
Dr. Stephen Henson
b4b15f68c0 Backport TLS v1.1 support from HEAD, ssl/ changes 2010-06-27 14:22:11 +00:00
Dr. Stephen Henson
e97359435e Fix warnings (From HEAD, original patch by Ben). 2010-06-15 17:25:15 +00:00
Dr. Stephen Henson
72240ab31a PR: 2259 
Submitted By: Artem Chuprina <ran@cryptocom.ru>

Check return values of HMAC in tls_P_hash and tls1_generate_key_block.

Although the previous version could in theory crash that would only happen if a
digest call failed. The standard software methods can never fail and only one
ENGINE currently uses digests and it is not compiled in by default.
 2010-05-17 11:26:56 +00:00
Dr. Stephen Henson
8c1e7de6cb PR: 2230 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix bug in bitmask macros and stop warnings.
 2010-05-03 13:01:50 +00:00
Dr. Stephen Henson
9f827ded1c fix signed/unsigned comparison warnings 2010-04-14 00:41:01 +00:00
Dr. Stephen Henson
1507f3abba PR: 2230 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix various DTLS fragment reassembly bugs.
 2010-04-14 00:17:29 +00:00
Dr. Stephen Henson
30e8defe52 PR: 2229 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Don't drop DTLS connection if mac or decryption failed.
 2010-04-14 00:09:55 +00:00
Dr. Stephen Henson
9f4dd3e3e3 PR: 2228 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix DTLS buffer record MAC failure bug.
 2010-04-14 00:03:13 +00:00
Richard Levitte
d2f098b33d Spelling 2010-04-13 14:34:48 +00:00
Richard Levitte
0a4fe6c8db Undo the previous change, it was incorrect in this branch. 2010-04-13 11:10:07 +00:00
Richard Levitte
7bba401d5d Third argument to dtls1_buffer_record is by reference 2010-04-13 08:41:58 +00:00
Dr. Stephen Henson
acc9938ba5 Add SHA2 algorithms to SSL_library_init(). Although these aren't used 
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.

Update docs.
 2010-04-07 13:18:30 +00:00
Dr. Stephen Henson
6dfd3cf68e PR: 2218 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixes for DTLS replay bug.
 2010-04-06 12:44:55 +00:00
Dr. Stephen Henson
073775cbbb PR: 2219 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixes for DTLS buffering bug.
 2010-04-06 12:40:10 +00:00
Dr. Stephen Henson
e995d5044e PR: 2223 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixes for DTLS timeout bug
 2010-04-06 12:29:21 +00:00
Bodo Möller
5b5464d525 Fix for "Record of death" vulnerability CVE-2010-0740. 
Also, add missing CHANGES entry for CVE-2009-3245 (code changes submitted to this branch on 23 Feb 2010).
 2010-03-25 11:22:42 +00:00
Dr. Stephen Henson
7b52778eff PR: 1731 and maybe 2197 
Clear error queue in a few places in SSL code where errors are expected
so they don't stay in the queue.
 2010-03-24 23:16:49 +00:00
Dr. Stephen Henson
47333a34d5 Submitted by: Tomas Hoger <thoger@redhat.com> 
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
 2010-03-03 15:41:00 +00:00
Dr. Stephen Henson
90278430d9 make USE_CRYPTODEV_DIGESTS work 2010-03-01 01:19:36 +00:00
Dr. Stephen Henson
79363339b7 algorithms field has changed in 1.0.0 and later: update 2010-02-28 00:24:24 +00:00
Dr. Stephen Henson
fbe2c6b33e Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and 
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
 2010-02-27 23:04:10 +00:00
Dr. Stephen Henson
8321bab39c OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved 2010-02-17 19:43:46 +00:00
Dr. Stephen Henson
989238802a Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as 
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
 2010-02-17 18:38:10 +00:00