Commit graph

892 commits

Author SHA1 Message Date
Dr. Stephen Henson
cb4823fdd6 Add ctrls to clear options and mode.
Change RI ctrl so it doesn't clash.
2009-12-09 13:15:01 +00:00
Dr. Stephen Henson
17bb051628 Send no_renegotiation alert as required by spec. 2009-12-08 19:05:49 +00:00
Dr. Stephen Henson
59f44e810b Add ctrl and macro so we can determine if peer support secure renegotiation.
Fix SSL_CIPHER initialiser for mcsv
2009-12-08 13:47:28 +00:00
Dr. Stephen Henson
7a014dceb6 Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:15:38 +00:00
Dr. Stephen Henson
82e448b92b PR: 2115
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
2009-12-01 17:40:46 +00:00
Dr. Stephen Henson
7f5448e3a8 Servers can't end up talking SSLv2 with legacy renegotiation disabled 2009-11-18 15:08:49 +00:00
Dr. Stephen Henson
5d965f0783 Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation 2009-11-18 14:43:27 +00:00
Dr. Stephen Henson
b14713c231 Include a more meaningful error message when rejecting legacy renegotiation 2009-11-18 14:24:00 +00:00
Dr. Stephen Henson
af13c50d51 Fix wrong function codes and duplicate codes 2009-11-09 18:21:57 +00:00
Dr. Stephen Henson
16e7efe3c8 use OPENSSL_assert() and not assert() 2009-11-08 17:07:42 +00:00
Ben Laurie
c2b78c31d6 First cut of renegotiation extension. 2009-11-08 14:51:54 +00:00
Dr. Stephen Henson
a1dc0336dd Re-revert (re-insert?) temporary change that made renegotiation work again
and add a proper fix: specifically if it is a new session don't send the old
TLS ticket, send a zero length ticket to request a new session.
2009-11-08 14:30:22 +00:00
Ben Laurie
d99a35f275 Revert renegotiation-breaking change. 2009-11-08 12:14:55 +00:00
Ben Laurie
949fbf073a Disable renegotiation. 2009-11-05 11:28:37 +00:00
Dr. Stephen Henson
d7d4325655 PR: 2089
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Use EVP_MD_size() in OpenSSL 0.9.8.
2009-11-04 12:58:54 +00:00
Dr. Stephen Henson
9f81ffe433 PR: 2089
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS Fragment size bug fix.
2009-11-02 13:36:56 +00:00
Dr. Stephen Henson
8164930816 Generate stateless session ID just after the ticket is received instead
of when a session is loaded. This will mean that applications that
just hold onto SSL_SESSION structures and never call d2i_SSL_SESSION()
will still work.
2009-10-30 14:07:59 +00:00
Dr. Stephen Henson
2a8834cf89 Fix stateless session resumption so it can coexist with SNI 2009-10-30 13:28:07 +00:00
Dr. Stephen Henson
e6e11f4ec3 Don't attempt session resumption if no ticket is present and session
ID length is zero.
2009-10-28 19:53:10 +00:00
Dr. Stephen Henson
3a0b6de4d0 PR: 2073
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Don't access freed SSL_CTX in SSL_free().
2009-10-16 13:42:15 +00:00
Dr. Stephen Henson
fb5a4bbaa7 PR: 2055
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_ctrl error handling in s2_srvr.c
2009-10-01 00:07:21 +00:00
Dr. Stephen Henson
d402f6b66f PR: 2054
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_ctrl error handling
2009-10-01 00:03:59 +00:00
Ben Laurie
4e92353d23 Make it build, plus make depend. 2009-09-27 14:04:33 +00:00
Dr. Stephen Henson
96e20179e4 Typo presumably... 2009-09-20 12:53:42 +00:00
Dr. Stephen Henson
3b95629db1 PR: 2039
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS listen bug fix,
2009-09-15 23:11:22 +00:00
Dr. Stephen Henson
e1246e1ad7 Submitted by: Julia Lawall <julia@diku.dk>
The functions ENGINE_ctrl(), OPENSSL_isservice(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
2009-09-13 11:20:38 +00:00
Dr. Stephen Henson
07cb0a82d1 PR: 2025
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Constify SSL_CIPHER_description
2009-09-12 23:18:43 +00:00
Dr. Stephen Henson
f2671f8ac4 PR: 1411
Submitted by: steve@openssl.org

Allow use of trusted certificates in SSL_CTX_use_chain_file()
2009-09-12 23:09:59 +00:00
Dr. Stephen Henson
43e9e1a160 PR: 2033
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS listen support.
2009-09-09 17:06:13 +00:00
Dr. Stephen Henson
197ab47bdd PR: 2028
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS cookie management bugs.
2009-09-04 17:53:30 +00:00
Dr. Stephen Henson
e8cce0babe PR: 2022
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS record header length bug.
2009-09-04 16:42:17 +00:00
Dr. Stephen Henson
1da61e8051 PR: 2009
Submitted by: "Alexei Khlebnikov" <alexei.khlebnikov@opera.com>
Approved by: steve@openssl.org

Avoid memory leak and fix error reporting in d2i_SSL_SESSION(). NB: although
the ticket mentions buffer overruns this isn't a security issue because
the SSL_SESSION structure is generated internally and it should never be
possible to supply its contents from an untrusted application (this would
among other things destroy session cache security).
2009-09-02 13:20:02 +00:00
Dr. Stephen Henson
da6ce18279 PR: 2006
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Do not use multiple DTLS records for a single user message
2009-08-26 11:54:14 +00:00
Richard Levitte
8a04c6f894 Include proper header files for time functions.
Submitted by Arpadffy Zoltan <Zoltan.Arpadffy@scientificgames.se>
2009-08-25 07:10:40 +00:00
Dr. Stephen Henson
fbc4a24633 PR: 1997
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timeout handling fix.
2009-08-13 15:14:32 +00:00
Dr. Stephen Henson
17620eec4c Fix error codes. 2009-08-06 16:23:17 +00:00
Dr. Stephen Henson
19dac35e5f Make no-comp compile again under WIN32. 2009-08-05 15:48:48 +00:00
Dr. Stephen Henson
76a268a43f PR: 1993
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS cookie resumption and typo fix.
2009-07-24 11:50:51 +00:00
Dr. Stephen Henson
34d01a3b20 PR: 1984
Submitted by: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
Approved by: steve@openssl.org

PR#1984 DTLS fix for 0.9.8.
2009-07-13 22:37:45 +00:00
Dr. Stephen Henson
2c5f3606d1 Remove MD2 from digest algorithm table. This follows the recommendation in
several places that it is not used in new applications.
2009-07-08 08:33:27 +00:00
Dr. Stephen Henson
1649489834 Fix warnings. 2009-07-04 11:56:10 +00:00
Dr. Stephen Henson
b51291cba8 Update from HEAD. 2009-07-04 11:49:36 +00:00
Dr. Stephen Henson
b29b576957 Update from 1.0.0-stable 2009-07-01 11:32:40 +00:00
Dr. Stephen Henson
abe389fd28 Make text line up. 2009-06-30 22:29:24 +00:00
Dr. Stephen Henson
e7e7f5de4b PR: 1960
Approved by: steve@openssl.org

Encode compression id in {i2d,d2i}_SSL_SESSION().
2009-06-30 22:20:46 +00:00
Dr. Stephen Henson
3dfa7416cd Typo. 2009-06-30 20:55:19 +00:00
Dr. Stephen Henson
d733ef7a69 Update from 1.0.0-stable. 2009-06-30 11:42:50 +00:00
Dr. Stephen Henson
f67f815624 Update from 1.0.0-stable. 2009-06-30 11:22:25 +00:00
Dr. Stephen Henson
ab8fe43fa2 PR: 1942
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Replace ad-hoc chain builder with X509_verify_cert().
2009-06-28 16:23:05 +00:00
Dr. Stephen Henson
3f4802a14e PR: 1949
Submitted by: David.Smith@cern.ch
Approved by: steve@openssl.org

When checking whether to flush the output BIO use BIO_CTRL_WPENDING instead
of BIO_CTRL_INFO. In most cases this will have no effect since the following
BIOs wont buffer. In the case of a following buffering BIO this will check
for any pending data in the whole chain and not just the single BIO.

See:
https://issues.apache.org/bugzilla/show_bug.cgi?id=46952
for a detailed analysis of this issue.
2009-06-26 15:02:01 +00:00