Geoff Thorpe
62afa8bd58
These should be write-locks, not read-locks.
2003-09-08 16:00:46 +00:00
Dr. Stephen Henson
33ed371ec9
Only accept a client certificate if the server requests
...
one, as required by SSL/TLS specs.
2003-09-03 23:42:17 +00:00
Bodo Möller
9cc513a000
fix out-of-bounds check in lock_dbg_cb (was too lose to detect all
...
invalid cases)
PR: 674
2003-08-14 10:33:26 +00:00
Bodo Möller
0e9edc98d4
make sure no error is left in the queue that is intentionally ignored
2003-08-11 18:56:19 +00:00
Bodo Möller
5cc2658cff
tolerate extra data at end of client hello for SSL 3.0
...
PR: 659
2003-07-21 15:17:49 +00:00
Lutz Jänicke
a157379adc
Fix ordering of compare functions: strncmp() must be used first, as it
...
the cipher name in the list is not guaranteed to be at least "buflen"
long.
PR: 567
Submitted by: "Matt Harren" <matth@cs.berkeley.edu>
2003-04-08 06:28:34 +00:00
Richard Levitte
961b565690
Let's limit the extent of the definition of _XOPEN_SOURCE.
2003-03-25 21:17:31 +00:00
Bodo Möller
409a5de586
countermeasure against new Klima-Pokorny-Rosa atack
2003-03-19 19:19:58 +00:00
Ulf Möller
37d9503a67
mingw related cleanups, as in head
2003-02-22 18:02:46 +00:00
Richard Levitte
352df99302
Security fix: Vaudenay timing attack on CBC.
...
An advisory will be posted to the web. Expect a release within the hour.
2003-02-19 12:04:16 +00:00
Richard Levitte
b9447ec1bc
Make it possible to disable OCSP, the speed application, and the use of sockets.
...
PR: 358
2003-02-14 01:03:06 +00:00
Dr. Stephen Henson
c13eba970c
Option to disable auto SSL chain building.
2003-02-12 17:05:17 +00:00
Bodo Möller
4309b740ce
comments
2003-02-12 14:17:38 +00:00
Bodo Möller
636631cdd5
SSL_add_dir_cert_subjects_to_stack now exists for WIN32
2003-02-05 16:37:17 +00:00
Richard Levitte
8e1e238219
A few small bugs with BIO popping.
...
PR: 364
2003-01-30 21:49:16 +00:00
Richard Levitte
6d85cd36e2
Add the possibility to build without the ENGINE framework.
...
PR: 287
2003-01-30 17:37:49 +00:00
Richard Levitte
8f94b2010f
Fix a memory leak in SSL.
...
PR: 477
2003-01-30 11:00:37 +00:00
Richard Levitte
bc35d57932
Fix possible NULL dereferencial.
...
Notified by Verdon Walker <VWalker@novell.com>
2003-01-16 06:00:59 +00:00
Lutz Jänicke
b2c71c489d
Really fix SSLv2 session ID handling
...
PR: 377
2003-01-15 09:48:29 +00:00
Lutz Jänicke
ef9d3a10c3
Fix wrong handling of session ID in SSLv2 client code.
...
PR: 377
2002-12-29 20:58:55 +00:00
Lutz Jänicke
c71414b3a9
Some more adjustments
...
Submitted by: Jeffrey Altman <jaltman@columbia.edu>, "Kenneth R. Robinette" <support@securenetterm.com>
2002-12-24 21:53:34 +00:00
Richard Levitte
88a908e50d
Stop a possible memory leak.
...
(I wonder why s2_connect() handles the initial buffer allocation slightly
differently...)
PR: 416
2002-12-21 23:49:25 +00:00
Lutz Jänicke
214b8b998a
Fix Kerberos5/SSL interaction
...
Submitted by: "Kenneth R. Robinette" <support@securenetterm.com>
Reviewed by:
PR:
2002-12-20 12:47:16 +00:00
Richard Levitte
e286dfe6ed
We stupidly had a separate LIBKRB5 variable for KRB5 library dependencies,
...
and then didn't support it very well. And that when there already is a
useful variable for exactly this kind of thing; EX_LIBS...
2002-12-19 22:10:20 +00:00
Richard Levitte
bbd6c8bd16
If _XOPEN_SOURCE_EXTENDED or _XOPEN_SOURCE are defined, _POSIX_C_SOURCE gets
...
defined in DECC$TYPES.H. If _POSIX_C_SOURCE is defined, certain types do
not get defined (u_char, u_int, ...). DECC.H gets included by assert.h
and others. Now, in6.h uses the types u_char, u_int and so on, and gets
included as part of other header inclusions, and will of course fail because
of the missing types.
On the other hand, _XOPEN_SOURCE_EXTENDED is needed to get gethostname()
properly declared...
Solution: define _XOPEN_SOURCE_EXTENDED much later, so DECC$TYPES.H has
a chance to be included *first*, so the otherwise missing types get defined
properly.
Personal: *mumble* *mumble*
2002-12-19 19:38:51 +00:00
Richard Levitte
1f1a32541f
Protect loading routines with a lock.
...
PR: 373
2002-12-16 06:06:06 +00:00
Richard Levitte
a0ed612fef
gethostname() is more a BSD feature than an XOPEN one.
...
PR: 379
2002-12-04 22:48:10 +00:00
Richard Levitte
610abd4c52
define USE_SOCKETS so sys/param.h gets included (and thusly, MAXHOSTNAMELEN
...
gets defined).
PR: 371
2002-12-02 22:49:12 +00:00
Richard Levitte
c9ea7400b4
A few more memset()s converted to OPENSSL_cleanse().
...
I *think* I got them all covered by now, bu please, if you find any more,
tell me and I'll correct it.
PR: 343
2002-11-29 11:31:51 +00:00
Richard Levitte
9fa15b6ff8
Have all tests use EXIT() to exit rather than exit(), since the latter doesn't
...
always give the expected result on some platforms.
2002-11-28 18:57:30 +00:00
Richard Levitte
75e3026a14
Cleanse memory using the new OPENSSL_cleanse() function.
...
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:09:03 +00:00
Richard Levitte
dc199cfaa2
Small bugfixes to the KSSL implementation.
...
PR: 349
2002-11-26 10:09:28 +00:00
Lutz Jänicke
a153c46d7f
Fix bug introduced by the attempt to fix client side external session
...
caching (#288 ): now internal caching failed (#351 ):
Make sure, that cipher_id is set before comparing.
Submitted by:
Reviewed by:
PR: 288 (and 351)
2002-11-20 10:46:35 +00:00
Bodo Möller
8faad520ae
allocate bio_err before memory debugging is enabled to avoid memory leaks
...
(we can't release it before the CRYPTO_mem_leaks() call!)
Submitted by: Nils Larsch
2002-11-19 11:55:47 +00:00
Richard Levitte
29ca164513
WinCE patches
2002-11-15 22:44:08 +00:00
Lutz Jänicke
da91e37d37
The pointer to the cipher object is not yet set, when session was reloaded
...
from external cache (using d2i_SSL_SESSION). Perform comparison based on
the cipher's id instead.
Submitted by: Steve Haslam <araqnid@innocent.com>
Reviewed by:
PR: 288
2002-11-15 10:51:40 +00:00
Richard Levitte
0439a5a8a7
We need to read one more byte of the REQUEST-CERTIFICATE message.
...
PR: 300
2002-11-15 09:17:45 +00:00
Ben Laurie
9831d941ca
Many security improvements (CHATS) and a warning fix.
2002-11-12 13:23:40 +00:00
Bodo Möller
e2a93e38d6
avoid Purify warnings
...
Submitted by: Nils Larsch
2002-11-05 12:28:10 +00:00
Richard Levitte
c752563e43
Remove all referenses to RSAref, since that's been gone for more than
...
a year.
2002-10-31 16:46:18 +00:00
Geoff Thorpe
74174b9d05
Bodo spotted this keyslip in my patch to 0.9.7-stable.
2002-10-29 17:00:33 +00:00
Geoff Thorpe
6f7ba4be1f
Correct and enhance the behaviour of "internal" session caching as it
...
relates to SSL_CTX flags and the use of "external" session caching. The
existing flag, "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP" remains but is
supplemented with a complimentary flag, "SSL_SESS_CACHE_NO_INTERNAL_STORE".
The bitwise OR of the two flags is also defined as
"SSL_SESS_CACHE_NO_INTERNAL" and is the flag that should be used by most
applications wanting to implement session caching *entirely* by its own
provided callbacks. As the documented behaviour contradicted actual
behaviour up until recently, and since that point behaviour has itself been
inconsistent anyway, this change should not introduce any compatibility
problems. I've adjusted the relevant documentation to elaborate about how
this works.
Kudos to "Nadav Har'El" <nyh@math.technion.ac.il> for diagnosing these
anomalies and testing this patch for correctness.
PR: 311
2002-10-29 00:31:14 +00:00
Bodo Möller
2ccb522c5b
increase permissible message length so that we can handle
...
CertificateVerify for 4096 bit RSA signatures
2002-10-28 15:47:44 +00:00
Richard Levitte
005bbb52ff
Typos.
...
PR: 189
2002-10-15 20:31:07 +00:00
Richard Levitte
a690102da2
Typos.
...
PR: 189
2002-10-15 20:29:27 +00:00
Richard Levitte
f6733ae577
makedepend complains when a header file is included more than once in
...
the same source file.
2002-10-14 09:53:46 +00:00
Richard Levitte
8376acbf7f
Typo
2002-10-10 08:32:45 +00:00
Richard Levitte
12a2ff9625
RFC 2712 redefines the codes for use of Kerberos 5 in SSL/TLS.
...
PR: 189
2002-10-10 07:59:45 +00:00
Richard Levitte
ff90d659e6
Use double dashes so makedepend doesn't misunderstand the flags we
...
give it.
For 0.9.7 and up, that means util/domd needs to remove those double
dashes from the argument list when gcc is used to find the
dependencies.
2002-10-09 13:21:33 +00:00
Bodo Möller
64cb996206
fix more race conditions
...
Submitted by: "Patrick McCormick" <patrick@tellme.com>
PR: 262
2002-09-26 15:54:15 +00:00