Commit graph

8139 commits

Author SHA1 Message Date
Dr. Stephen Henson
ccc3df8c33 New option to enable/disable connection to unpatched servers 2009-12-16 20:34:20 +00:00
Dr. Stephen Henson
593a6dbe19 add another missed case 2009-12-14 01:32:47 +00:00
Dr. Stephen Henson
efbe446f1a simplify RI error code and catch extra error case ignored before 2009-12-14 01:28:51 +00:00
Dr. Stephen Henson
725745d105 Allow initial connection (but no renegoriation) to servers which don't support
RI.
2009-12-14 01:09:01 +00:00
Ben Laurie
c0e94f8292 Missing newline. 2009-12-12 11:10:25 +00:00
Dr. Stephen Henson
ef4bd0167c Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL 2009-12-11 00:22:12 +00:00
Dr. Stephen Henson
7a8a3ef4f6 clarify docs 2009-12-09 18:17:21 +00:00
Dr. Stephen Henson
98c7b0367d Document option clearning functions.
Initial secure renegotiation documentation.
2009-12-09 18:01:07 +00:00
Dr. Stephen Henson
9e5dea0ffd PR: 2124
Submitted by: Jan Pechanec <Jan.Pechanec@Sun.COM>

Check for memory allocation failures.
2009-12-09 13:41:50 +00:00
Dr. Stephen Henson
cb4823fdd6 Add ctrls to clear options and mode.
Change RI ctrl so it doesn't clash.
2009-12-09 13:15:01 +00:00
Dr. Stephen Henson
17bb051628 Send no_renegotiation alert as required by spec. 2009-12-08 19:05:49 +00:00
Dr. Stephen Henson
59f44e810b Add ctrl and macro so we can determine if peer support secure renegotiation.
Fix SSL_CIPHER initialiser for mcsv
2009-12-08 13:47:28 +00:00
Dr. Stephen Henson
7a014dceb6 Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:15:38 +00:00
Dr. Stephen Henson
1ff44a99a4 PR: 2111
Submitted by: Martin Olsson <molsson@opera.com>

Check for bn_wexpand errors in bn_mul.c
2009-12-02 15:27:19 +00:00
Dr. Stephen Henson
6cf61614e4 Replace the broken SPKAC certification with the correct version. 2009-12-02 14:39:12 +00:00
Dr. Stephen Henson
82e448b92b PR: 2115
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
2009-12-01 17:40:46 +00:00
Dr. Stephen Henson
b172352b52 PR: 1432
Submitted by: "Andrzej Chmielowiec" <achmielowiec@enigma.com.pl>, steve@openssl.org
Approved by: steve@openssl.org

Truncate hash if it is too large: as required by FIPS 186-3.
2009-12-01 17:32:16 +00:00
Dr. Stephen Henson
95b14fd803 typo 2009-11-29 13:44:59 +00:00
Bodo Möller
553d2e3280 (whitespace) 2009-11-26 18:35:33 +00:00
Bodo Möller
82fb4ee89d The version numbering may change, again; so be careful about what we
announce in CHANGES.
2009-11-26 17:30:07 +00:00
Bodo Möller
389fef6c9c Remove attribution -- this wasn't my patch, I only edited and applied it. 2009-11-26 17:28:27 +00:00
Bodo Möller
b6622f9623 Remove obsolete information about a change for 0.9.7n.
(No further releases from the 0.9.7 branch are planned.  Note that the
"deleted" change is also in 0.9.8f.)
2009-11-26 17:25:38 +00:00
Dr. Stephen Henson
7f5448e3a8 Servers can't end up talking SSLv2 with legacy renegotiation disabled 2009-11-18 15:08:49 +00:00
Dr. Stephen Henson
5d965f0783 Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation 2009-11-18 14:43:27 +00:00
Dr. Stephen Henson
b14713c231 Include a more meaningful error message when rejecting legacy renegotiation 2009-11-18 14:24:00 +00:00
Dr. Stephen Henson
637e0ba420 PR: 2094
Submitted by: Arkadiusz Miskiewicz <arekm@maven.pl>
Approved by: steve@openssl.org

Fix for out range of signed 32bit displacement error on newer binutils.
2009-11-13 14:14:46 +00:00
Dr. Stephen Henson
9ac37cb018 PR: 2084
Submitted by: Mike Frysinger <vapier@gentoo.org>
Approved by: steve@openssl.org

Parallel build fix.
2009-11-13 14:09:45 +00:00
Dr. Stephen Henson
fb7751b44f PR: 2101
Submitted by: Doug Kaufman <dkaufman@rahul.net>
Approved by: steve@openssl.org

Fixes for tests in cms-test.pl
2009-11-13 14:09:09 +00:00
Richard Levitte
e333a8d673 Updated from 1.0.0-stable. 2009-11-12 16:59:18 +00:00
Dr. Stephen Henson
89a6daac00 PR: 1686
Submitted by: Hanno Böck <hanno@hboeck.de>
Approved by: steve@openssl.org

Create engines dir if it doesn't already exist.
2009-11-10 01:53:02 +00:00
Dr. Stephen Henson
7e42945918 PR: 2091
Submitted by: Martin Kaiser <lists@kaiser.cx>, Stephen Henson
Approved by: steve@openssl.org

If an OID has no short name or long name return the numerical representation.
2009-11-10 01:00:37 +00:00
Dr. Stephen Henson
b61a87b26c check new_der for NULL too 2009-11-10 00:46:57 +00:00
Dr. Stephen Henson
2c6b141931 PR: 2090
Submitted by: Martin Kaiser <lists@kaiser.cx>, Stephen Henson
Approved by: steve@openssl.org

Improve error checking in asn1_gen.c
2009-11-10 00:40:42 +00:00
Dr. Stephen Henson
af13c50d51 Fix wrong function codes and duplicate codes 2009-11-09 18:21:57 +00:00
Dr. Stephen Henson
65c2397fce Remove BF_PTR2 from configuration: it doesn't improve performance any more and causes gcc warnings about arrays out of range 2009-11-09 14:14:26 +00:00
Dr. Stephen Henson
16e7efe3c8 use OPENSSL_assert() and not assert() 2009-11-08 17:07:42 +00:00
Ben Laurie
c2b78c31d6 First cut of renegotiation extension. 2009-11-08 14:51:54 +00:00
Dr. Stephen Henson
a1dc0336dd Re-revert (re-insert?) temporary change that made renegotiation work again
and add a proper fix: specifically if it is a new session don't send the old
TLS ticket, send a zero length ticket to request a new session.
2009-11-08 14:30:22 +00:00
Ben Laurie
d99a35f275 Revert renegotiation-breaking change. 2009-11-08 12:14:55 +00:00
Ben Laurie
949fbf073a Disable renegotiation. 2009-11-05 11:28:37 +00:00
Ben Laurie
6156be4da3 Fix compilation problem. 2009-11-05 10:18:11 +00:00
Dr. Stephen Henson
d7d4325655 PR: 2089
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Use EVP_MD_size() in OpenSSL 0.9.8.
2009-11-04 12:58:54 +00:00
Dr. Stephen Henson
9f81ffe433 PR: 2089
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS Fragment size bug fix.
2009-11-02 13:36:56 +00:00
Dr. Stephen Henson
8164930816 Generate stateless session ID just after the ticket is received instead
of when a session is loaded. This will mean that applications that
just hold onto SSL_SESSION structures and never call d2i_SSL_SESSION()
will still work.
2009-10-30 14:07:59 +00:00
Dr. Stephen Henson
2a8834cf89 Fix stateless session resumption so it can coexist with SNI 2009-10-30 13:28:07 +00:00
Dr. Stephen Henson
e6e11f4ec3 Don't attempt session resumption if no ticket is present and session
ID length is zero.
2009-10-28 19:53:10 +00:00
Dr. Stephen Henson
452e41562c PR: 2085
Submitted by: Mike Frysinger <vapier@gentoo.org>
Approved by: steve@openssl.org

Change domd test to match 1.0.0+ version: check $MAKEDEPEND
ends in "gcc" to support cross compilers.
2009-10-28 19:29:05 +00:00
Dr. Stephen Henson
8c6dd96aed Don't replace whole AR line 2009-10-28 15:33:06 +00:00
Dr. Stephen Henson
23a4ccd178 PR: 2081
Submitted by: Mike Frysinger <vapier@gentoo.org>
Approved by: steve@openssl.org

Respect AR and RANLIB environment variables if set.
2009-10-28 14:00:54 +00:00
Dr. Stephen Henson
2b4d877a27 PR: 2080
Submitted by: Mike Frysinger <vapier@gentoo.org>
Approved by: steve@openssl.org

Respect MAKE environment variable if set.
2009-10-28 13:56:06 +00:00