wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
8301 commits 20 branches 302 tags 153 MiB
Commit graph

937 commits

Author SHA1 Message Date
Dr. Stephen Henson
7f5448e3a8 Servers can't end up talking SSLv2 with legacy renegotiation disabled 2009-11-18 15:08:49 +00:00
Dr. Stephen Henson
5d965f0783 Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation 2009-11-18 14:43:27 +00:00
Dr. Stephen Henson
b14713c231 Include a more meaningful error message when rejecting legacy renegotiation 2009-11-18 14:24:00 +00:00
Dr. Stephen Henson
af13c50d51 Fix wrong function codes and duplicate codes 2009-11-09 18:21:57 +00:00
Dr. Stephen Henson
16e7efe3c8 use OPENSSL_assert() and not assert() 2009-11-08 17:07:42 +00:00
Ben Laurie
c2b78c31d6 First cut of renegotiation extension. 2009-11-08 14:51:54 +00:00
Dr. Stephen Henson
a1dc0336dd Re-revert (re-insert?) temporary change that made renegotiation work again 
and add a proper fix: specifically if it is a new session don't send the old
TLS ticket, send a zero length ticket to request a new session.
 2009-11-08 14:30:22 +00:00
Ben Laurie
d99a35f275 Revert renegotiation-breaking change. 2009-11-08 12:14:55 +00:00
Ben Laurie
949fbf073a Disable renegotiation. 2009-11-05 11:28:37 +00:00
Dr. Stephen Henson
d7d4325655 PR: 2089 
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Use EVP_MD_size() in OpenSSL 0.9.8.
 2009-11-04 12:58:54 +00:00
Dr. Stephen Henson
9f81ffe433 PR: 2089 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS Fragment size bug fix.
 2009-11-02 13:36:56 +00:00
Dr. Stephen Henson
8164930816 Generate stateless session ID just after the ticket is received instead 
of when a session is loaded. This will mean that applications that
just hold onto SSL_SESSION structures and never call d2i_SSL_SESSION()
will still work.
 2009-10-30 14:07:59 +00:00
Dr. Stephen Henson
2a8834cf89 Fix stateless session resumption so it can coexist with SNI 2009-10-30 13:28:07 +00:00
Dr. Stephen Henson
e6e11f4ec3 Don't attempt session resumption if no ticket is present and session 
ID length is zero.
 2009-10-28 19:53:10 +00:00
Dr. Stephen Henson
3a0b6de4d0 PR: 2073 
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Don't access freed SSL_CTX in SSL_free().
 2009-10-16 13:42:15 +00:00
Dr. Stephen Henson
fb5a4bbaa7 PR: 2055 
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_ctrl error handling in s2_srvr.c
 2009-10-01 00:07:21 +00:00
Dr. Stephen Henson
d402f6b66f PR: 2054 
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_ctrl error handling
 2009-10-01 00:03:59 +00:00
Ben Laurie
4e92353d23 Make it build, plus make depend. 2009-09-27 14:04:33 +00:00
Dr. Stephen Henson
96e20179e4 Typo presumably... 2009-09-20 12:53:42 +00:00
Dr. Stephen Henson
3b95629db1 PR: 2039 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS listen bug fix,
 2009-09-15 23:11:22 +00:00
Dr. Stephen Henson
e1246e1ad7 Submitted by: Julia Lawall <julia@diku.dk> 
The functions ENGINE_ctrl(), OPENSSL_isservice(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
 2009-09-13 11:20:38 +00:00
Dr. Stephen Henson
07cb0a82d1 PR: 2025 
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Constify SSL_CIPHER_description
 2009-09-12 23:18:43 +00:00
Dr. Stephen Henson
f2671f8ac4 PR: 1411 
Submitted by: steve@openssl.org

Allow use of trusted certificates in SSL_CTX_use_chain_file()
 2009-09-12 23:09:59 +00:00
Dr. Stephen Henson
43e9e1a160 PR: 2033 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS listen support.
 2009-09-09 17:06:13 +00:00
Dr. Stephen Henson
197ab47bdd PR: 2028 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS cookie management bugs.
 2009-09-04 17:53:30 +00:00
Dr. Stephen Henson
e8cce0babe PR: 2022 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS record header length bug.
 2009-09-04 16:42:17 +00:00
Dr. Stephen Henson
1da61e8051 PR: 2009 
Submitted by: "Alexei Khlebnikov" <alexei.khlebnikov@opera.com>
Approved by: steve@openssl.org

Avoid memory leak and fix error reporting in d2i_SSL_SESSION(). NB: although
the ticket mentions buffer overruns this isn't a security issue because
the SSL_SESSION structure is generated internally and it should never be
possible to supply its contents from an untrusted application (this would
among other things destroy session cache security).
 2009-09-02 13:20:02 +00:00
Dr. Stephen Henson
da6ce18279 PR: 2006 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Do not use multiple DTLS records for a single user message
 2009-08-26 11:54:14 +00:00
Richard Levitte
8a04c6f894 Include proper header files for time functions. 
Submitted by Arpadffy Zoltan <Zoltan.Arpadffy@scientificgames.se>
 2009-08-25 07:10:40 +00:00
Dr. Stephen Henson
fbc4a24633 PR: 1997 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timeout handling fix.
 2009-08-13 15:14:32 +00:00
Dr. Stephen Henson
17620eec4c Fix error codes. 2009-08-06 16:23:17 +00:00
Dr. Stephen Henson
19dac35e5f Make no-comp compile again under WIN32. 2009-08-05 15:48:48 +00:00
Dr. Stephen Henson
76a268a43f PR: 1993 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS cookie resumption and typo fix.
 2009-07-24 11:50:51 +00:00
Dr. Stephen Henson
34d01a3b20 PR: 1984 
Submitted by: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
Approved by: steve@openssl.org

PR#1984 DTLS fix for 0.9.8.
 2009-07-13 22:37:45 +00:00
Dr. Stephen Henson
2c5f3606d1 Remove MD2 from digest algorithm table. This follows the recommendation in 
several places that it is not used in new applications.
 2009-07-08 08:33:27 +00:00
Dr. Stephen Henson
1649489834 Fix warnings. 2009-07-04 11:56:10 +00:00
Dr. Stephen Henson
b51291cba8 Update from HEAD. 2009-07-04 11:49:36 +00:00
Dr. Stephen Henson
b29b576957 Update from 1.0.0-stable 2009-07-01 11:32:40 +00:00
Dr. Stephen Henson
abe389fd28 Make text line up. 2009-06-30 22:29:24 +00:00
Dr. Stephen Henson
e7e7f5de4b PR: 1960 
Approved by: steve@openssl.org

Encode compression id in {i2d,d2i}_SSL_SESSION().
 2009-06-30 22:20:46 +00:00
Dr. Stephen Henson
3dfa7416cd Typo. 2009-06-30 20:55:19 +00:00
Dr. Stephen Henson
d733ef7a69 Update from 1.0.0-stable. 2009-06-30 11:42:50 +00:00
Dr. Stephen Henson
f67f815624 Update from 1.0.0-stable. 2009-06-30 11:22:25 +00:00
Dr. Stephen Henson
ab8fe43fa2 PR: 1942 
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Replace ad-hoc chain builder with X509_verify_cert().
 2009-06-28 16:23:05 +00:00
Dr. Stephen Henson
3f4802a14e PR: 1949 
Submitted by: David.Smith@cern.ch
Approved by: steve@openssl.org

When checking whether to flush the output BIO use BIO_CTRL_WPENDING instead
of BIO_CTRL_INFO. In most cases this will have no effect since the following
BIOs wont buffer. In the case of a following buffering BIO this will check
for any pending data in the whole chain and not just the single BIO.

See:
https://issues.apache.org/bugzilla/show_bug.cgi?id=46952
for a detailed analysis of this issue.
 2009-06-26 15:02:01 +00:00
Dr. Stephen Henson
6daac534d7 Ooops, apply PR #1946 to 0.9.8 too. 2009-06-22 10:32:27 +00:00
Dr. Stephen Henson
1ddf691244 Update from 1.0.0-stable. 2009-06-05 15:05:10 +00:00
Dr. Stephen Henson
d1e107702b Update from HEAD. 2009-06-02 11:23:51 +00:00
Dr. Stephen Henson
996b80f990 Oops, forgot #endif... 2009-05-29 12:09:07 +00:00
Dr. Stephen Henson
1998f60546 Update from 1.0.0-stable. 2009-05-29 12:00:22 +00:00
Dr. Stephen Henson
f86d65110d 0.9.8 version of PR#1931 fix. 2009-05-18 16:22:43 +00:00
Dr. Stephen Henson
4730ea8a38 Fix from 1.0.0-stable branch. 2009-05-18 16:12:56 +00:00
Dr. Stephen Henson
b7d0d35a13 Modified PR#1929 update from 1.0.0-stable. 2009-05-17 16:42:14 +00:00
Dr. Stephen Henson
e12ceb2c92 Reverted fix to PR#1931.. breaks compilation in 0.9.8. 2009-05-17 16:28:13 +00:00
Dr. Stephen Henson
76428da729 Fix from 1.0.0-stable. 2009-05-16 16:23:35 +00:00
Dr. Stephen Henson
6bf4ca0840 Update from 1.0.0-stable. 2009-05-16 16:18:45 +00:00
Dr. Stephen Henson
efa59b8d59 Updates from 1.0.0-stable. 2009-05-16 15:51:59 +00:00
Richard Levitte
48f48d96ce Functional VMS changes submitted by sms@antinode.info (Steven M. Schweda). 
Thank you\!
(note: not tested for now, a few nightly builds should give indications though)
 2009-05-15 16:37:29 +00:00
Dr. Stephen Henson
26b82246b1 Update from 1.0.0-stable. 2009-05-13 11:52:29 +00:00
Dr. Stephen Henson
5d577d7eb0 Update from 1.0.0-stable. 2009-04-28 22:02:16 +00:00
Dr. Stephen Henson
a224fe14e9 PR: 1751 
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Compatibility patches for Cisco VPN client DTLS.
 2009-04-19 18:08:12 +00:00
Dr. Stephen Henson
caeb429055 Update from 1.0.0-stable. 2009-04-16 16:43:18 +00:00
Dr. Stephen Henson
b00c36e366 PR: 1829 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timer bug fix from 1.0.0-stable with fixes.
 2009-04-14 15:20:48 +00:00
Dr. Stephen Henson
1f9a128519 PR: 1647 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS Renogotiation bug fix.
 2009-04-14 14:28:33 +00:00
Dr. Stephen Henson
0d399f97dd Submitted by: Darryl Miles <darryl-mailinglists@netbauds.net> 
Approved by: steve@openssl.org

Handle non-blocking I/O properly in SSL_shutdown() call.
 2009-04-07 16:28:30 +00:00
Dr. Stephen Henson
3fdc2c906d PR: 1795 
Submitted by: Peter Edwards <peter.edwards@vordel.com>
Approved by: steve@openssl.org

Avoid race condition by sorting cipher list straight away.
 2009-04-07 12:10:12 +00:00
Dr. Stephen Henson
6252f3bc7c PR: 1827 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix application data in handshake bug.
 2009-04-02 22:34:59 +00:00
Dr. Stephen Henson
4e319926d7 PR: 1828 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS retransmission bug.
 2009-04-02 22:32:16 +00:00
Dr. Stephen Henson
e4f456918f PR: 1826 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Client random bug fix.
 2009-04-02 22:28:35 +00:00
Dr. Stephen Henson
c342341ea1 Ooops, revert patch... due to non-portable gettimeofday call. 2009-04-02 22:19:07 +00:00
Dr. Stephen Henson
9d396bee8e PR: 1829 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timer bug fix.
 2009-04-02 22:16:02 +00:00
Dr. Stephen Henson
a9427c2536 PR: 1838 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS fragment bug.
 2009-04-02 22:12:13 +00:00
Dr. Stephen Henson
1fde5b65c6 Fix from HEAD. 2009-03-12 17:31:18 +00:00
Ben Laurie
241d088156 Fix memory leak. 2009-02-23 16:02:47 +00:00
Dr. Stephen Henson
72f6453c48 PR: 1835 
Submitted by: Damien Miller <djm@mindrot.org>
Approved by: steve@openssl.org

Fix various typos.
 2009-02-14 21:50:14 +00:00
Dr. Stephen Henson
a00c3c4019 Properly check EVP_VerifyFinal() and similar return values 
(CVE-2008-5077).
Submitted by: Ben Laurie, Bodo Moeller, Google Security Team
 2009-01-07 10:48:23 +00:00
Lutz Jänicke
f4677b7960 Fix compilation with -no-comp by adding some more #ifndef OPENSSL_NO_COMP 
Some #include statements were not properly protected. This will go unnoted
on most systems as openssl/comp.h tends to be installed as a system header
file by default but may become visible when cross compiling.
 2009-01-05 14:43:07 +00:00
Dr. Stephen Henson
4b253d904d Avoid signed/unsigned compare warnings. 2008-12-29 00:17:36 +00:00
Dr. Stephen Henson
2c17b493b1 Make -DKSSL_DEBUG work again. 2008-11-10 18:55:07 +00:00
Lutz Jänicke
4db3e88459 Firstly, the bitmap we use for replay protection was ending up with zero 
length, so a _single_ pair of packets getting switched around would
cause one of them to be 'dropped'.

Secondly, it wasn't even _dropping_ the offending packets, in the
non-blocking case. It was just returning garbage instead.
PR: #1752
Submitted by: David Woodhouse <dwmw2@infradead.org>
 2008-10-13 06:43:06 +00:00
Lutz Jänicke
ab073bad4f When the underlying BIO_write() fails to send a datagram, we leave the 
offending record queued as 'pending'. The DTLS code doesn't expect this,
and we end up hitting an OPENSSL_assert() in do_dtls1_write().

The simple fix is just _not_ to leave it queued. In DTLS, dropping
packets is perfectly acceptable -- and even preferable. If we wanted a
service with retries and guaranteed delivery, we'd be using TCP.
PR: #1703
Submitted by: David Woodhouse <dwmw2@infradead.org>
 2008-10-10 10:41:32 +00:00
Bodo Möller
d875413a0b Make sure that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG can't 
enable disabled ciphersuites.
 2008-09-22 21:22:51 +00:00
Dr. Stephen Henson
e852835da6 Make update: delete duplicate error code. 2008-09-17 17:11:09 +00:00
Dr. Stephen Henson
52702f6f92 Updates to build system from FIPS branch. Make fipscanisterbuild work and 
build FIPS test programs.
 2008-09-17 15:56:42 +00:00
Bodo Möller
446881468c update comment 2008-09-14 19:50:53 +00:00
Bodo Möller
c198c26226 oops 2008-09-14 18:16:09 +00:00
Andy Polyakov
54d6ddba69 dtls1_write_bytes consumers expect amount of bytes written per call, not 
overall [from HEAD].
PR: 1604
 2008-09-14 17:57:03 +00:00
Dr. Stephen Henson
1af12ff1d1 Fix error code discrepancy. 
Make update.
 2008-09-14 16:43:37 +00:00
Bodo Möller
200d00c854 Fix SSL state transitions. 
Submitted by: Nagendra Modadugu
 2008-09-14 14:02:01 +00:00
Bodo Möller
36a4a67b2b Some precautions to avoid potential security-relevant problems. 2008-09-14 13:42:40 +00:00
Andy Polyakov
3413424f01 DTLS didn't handle alerts correctly [from HEAD]. 
PR: 1632
 2008-09-13 18:25:36 +00:00
Dr. Stephen Henson
8f59c61d1d If tickets disabled behave as if no ticket received to support 
stateful resume.
 2008-09-03 22:13:04 +00:00
Bodo Möller
f9f6f0e9f0 sanity check 
PR: 1679
 2008-08-13 19:44:44 +00:00
Dr. Stephen Henson
14748adb09 Make ssl code consistent with FIPS branch. The new code has no effect 
at present because it asserts either noop flags or is inside
OPENSSL_FIPS #ifdef's.
 2008-06-16 16:56:43 +00:00
Dr. Stephen Henson
0278e15fa3 If auto load ENGINE lookup fails retry adding builtin ENGINEs. 2008-06-05 15:13:03 +00:00
Dr. Stephen Henson
56ef1cbc40 include engine.h if needed. 2008-06-05 11:23:35 +00:00
Dr. Stephen Henson
591371566e Update from HEAD. 2008-06-04 22:39:29 +00:00
Dr. Stephen Henson
4aefb1dd98 Backport more ENGINE SSL client auth code to 0.9.8. 2008-06-04 18:35:27 +00:00
Dr. Stephen Henson
aa03989791 Backport ssl client auth ENGINE support to 0.9.8. 2008-06-04 18:01:40 +00:00
Bodo Möller
cec9bce126 fix whitespace 2008-05-28 22:22:50 +00:00