wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
8301 commits 20 branches 302 tags 153 MiB
Commit graph

937 commits

Author SHA1 Message Date
Ben Laurie
d886975835 Fix gcc 4.6 warnings. Check TLS server hello extension length. 2010-06-12 13:18:58 +00:00
Dr. Stephen Henson
d24f1cbf35 PR: 2230 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix bug in bitmask macros and stop warnings.
 2010-05-03 13:01:59 +00:00
Dr. Stephen Henson
82687bb4c3 PR: 2230 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixed various DTLS fragment reassembly bugs patch for 0.9.8.
 2010-04-14 13:26:50 +00:00
Dr. Stephen Henson
2eb8e5e62a fix signed/unsigned comparison warnings 2010-04-14 00:41:25 +00:00
Dr. Stephen Henson
c713a4c04d PR: 2230 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix various DTLS fragment reassembly bugs.
 2010-04-14 00:17:12 +00:00
Dr. Stephen Henson
0cefa0f942 PR: 2229 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Don't drop DTLS connection if mac or decryption failed.
 2010-04-14 00:09:39 +00:00
Dr. Stephen Henson
834c85ef0c PR: 2228 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix DTLS buffer record MAC failure bug.
 2010-04-14 00:02:50 +00:00
Richard Levitte
0c8c8eab58 Third argument to dtls1_buffer_record is by reference 2010-04-13 08:42:01 +00:00
Dr. Stephen Henson
bc06baca76 Add SHA2 algorithms to SSL_library_init(). Although these aren't used 
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.

Update docs.
 2010-04-07 13:19:48 +00:00
Dr. Stephen Henson
5e613d5411 PR: 2218 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixes for DTLS replay bug.
 2010-04-06 12:44:44 +00:00
Dr. Stephen Henson
56e930eb03 PR: 2219 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixes for DTLS buffering bug.
 2010-04-06 12:39:57 +00:00
Dr. Stephen Henson
4a052f0bb9 PR: 2223 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixes for DTLS timeout bug
 2010-04-06 12:29:08 +00:00
Dr. Stephen Henson
f34e79f27b make no-comp compile again 2010-03-30 17:31:58 +00:00
Dr. Stephen Henson
ee91323f52 PR: 1731 and maybe 2197 
Clear error queue in a few places in SSL code where errors are expected
so they don't stay in the queue.
 2010-03-24 23:16:35 +00:00
Dr. Stephen Henson
354f92d66a Submitted by: Bodo Moeller and Adam Langley (Google). 
Fix for "Record of death" vulnerability CVE-2010-0740.
 2010-03-24 13:16:42 +00:00
Dr. Stephen Henson
ede1351997 Submitted by: Tomas Hoger <thoger@redhat.com> 
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
 2010-03-03 15:34:11 +00:00
Richard Levitte
00d1ecb1da Add t1_reneg to the VMS build. 
Hack the symbols with long names.
 2010-02-22 07:05:24 +00:00
Dr. Stephen Henson
bec7184768 OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved 2010-02-17 19:43:08 +00:00
Dr. Stephen Henson
442ac8d259 Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as 
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
 2010-02-17 18:37:47 +00:00
Dr. Stephen Henson
b50ef8b216 PR: 2171 
Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.
 2010-02-16 14:19:42 +00:00
Dr. Stephen Henson
0484ff5ec1 PR: 2160 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Make session tickets work with DTLS.
 2010-02-01 16:48:40 +00:00
Dr. Stephen Henson
4acc2fed6c PR: 2159 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Typo in PR#1949 bug, oops!
 2010-02-01 12:44:21 +00:00
Dr. Stephen Henson
cc62974182 PR: 1949 
Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
 2010-01-26 19:40:36 +00:00
Dr. Stephen Henson
e8387db0c4 Fix VC++ warning (change had already been made to other branches). 2010-01-26 13:24:08 +00:00
Dr. Stephen Henson
714044cc03 oops revert test code from previous commit 2010-01-24 13:52:38 +00:00
Dr. Stephen Henson
5598b99fb3 The fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING 
ctrl is incorrectly implemented (e.g. some versions of Apache). As a workaround
call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it returns zero. This should
both address the original bug and retain compatibility with the old behaviour.
 2010-01-24 13:50:57 +00:00
Dr. Stephen Henson
6899d9bbf6 If legacy renegotiation is not permitted then send a fatal alert if a patched 
server attempts to renegotiate with an unpatched client.
 2010-01-22 18:49:43 +00:00
Dr. Stephen Henson
dd28d12add make update 2010-01-20 16:35:30 +00:00
Dr. Stephen Henson
ff2549be1d PR: 2144 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Better fix for PR#2144
 2010-01-19 19:10:03 +00:00
Dr. Stephen Henson
aae48de0f7 PR: 2144 
Submitted by: steve@openssl.org

Fix DTLS connection so new_session is reset if we read second client hello:
new_session is used to detect renegotiation.
 2010-01-16 19:45:46 +00:00
Dr. Stephen Henson
766708f24b PR: 2133 
Submitted by: steve@openssl.org

Add missing DTLS state strings.
 2010-01-16 19:18:31 +00:00
Dr. Stephen Henson
fbeb4a9d15 Add strings for DTLS protocol versions 2010-01-16 19:02:43 +00:00
Dr. Stephen Henson
c3c3b28818 Fix version handling so it can cope with a major version >3. 
Although it will be many years before TLS v2.0 or later appears old versions
of servers have a habit of hanging around for a considerable time so best
if we handle this properly now.
 2010-01-13 19:08:45 +00:00
Dr. Stephen Henson
3798a4d059 Simplify RI+SCSV logic: 
1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating.
 2010-01-07 19:09:32 +00:00
Dr. Stephen Henson
f244ed3ed2 correct error codes 2010-01-06 18:02:07 +00:00
Dr. Stephen Henson
50a095ed16 Updates to conform with draft-ietf-tls-renegotiation-03.txt: 
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
 2010-01-06 17:59:41 +00:00
Dr. Stephen Henson
5f40948714 Update RI to match latest spec. 
MCSV is now called SCSV.

Don't send SCSV if renegotiating.

Also note if RI is empty in debug messages.
 2009-12-27 23:03:40 +00:00
Dr. Stephen Henson
98809a1458 Alert to use is now defined in spec: update code 2009-12-17 15:42:25 +00:00
Dr. Stephen Henson
ccc3df8c33 New option to enable/disable connection to unpatched servers 2009-12-16 20:34:20 +00:00
Dr. Stephen Henson
593a6dbe19 add another missed case 2009-12-14 01:32:47 +00:00
Dr. Stephen Henson
efbe446f1a simplify RI error code and catch extra error case ignored before 2009-12-14 01:28:51 +00:00
Dr. Stephen Henson
725745d105 Allow initial connection (but no renegoriation) to servers which don't support 
RI.
 2009-12-14 01:09:01 +00:00
Ben Laurie
c0e94f8292 Missing newline. 2009-12-12 11:10:25 +00:00
Dr. Stephen Henson
ef4bd0167c Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL 2009-12-11 00:22:12 +00:00
Dr. Stephen Henson
98c7b0367d Document option clearning functions. 
Initial secure renegotiation documentation.
 2009-12-09 18:01:07 +00:00
Dr. Stephen Henson
cb4823fdd6 Add ctrls to clear options and mode. 
Change RI ctrl so it doesn't clash.
 2009-12-09 13:15:01 +00:00
Dr. Stephen Henson
17bb051628 Send no_renegotiation alert as required by spec. 2009-12-08 19:05:49 +00:00
Dr. Stephen Henson
59f44e810b Add ctrl and macro so we can determine if peer support secure renegotiation. 
Fix SSL_CIPHER initialiser for mcsv
 2009-12-08 13:47:28 +00:00
Dr. Stephen Henson
7a014dceb6 Add support for magic cipher suite value (MCSV). Make secure renegotiation 
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
 2009-12-08 13:15:38 +00:00
Dr. Stephen Henson
82e448b92b PR: 2115 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
 2009-12-01 17:40:46 +00:00