Commit message | Author | Age | Files | Lines |
---|---|---|---|---|
Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). Submitted by: Ben Laurie, Bodo Moeller, Google Security Team | Dr. Stephen Henson | 2009-01-07 | 5 | -8/+8 |
Fix compilation with -no-comp by adding some more #ifndef OPENSSL_NO_COMP. Some #include statements were not properly protected. This will go unnoted on most systems as openssl/comp.h tends to be installed as a system header file by default but may become visible when cross compiling. | Lutz Jänicke | 2009-01-05 | 4 | -0/+11 |
Avoid signed/unsigned compare warnings. | Dr. Stephen Henson | 2008-12-29 | 1 | -1/+1 |
Make -DKSSL_DEBUG work again. | Dr. Stephen Henson | 2008-11-10 | 3 | -23/+32 |
Firstly, the bitmap we use for replay protection was ending up with zero length, so a _single_ pair of packets getting switched around would cause one of them to be 'dropped'. Secondly, it wasn't even _dropping_ the offending packets, in the non-blocking case. It was just returning garbage instead. PR: #1752 Submitted by: David Woodhouse <dwmw2@infradead.org> | Lutz Jänicke | 2008-10-13 | 2 | -0/+2 |
When the underlying BIO_write() fails to send a datagram, we leave the offending record queued as 'pending'. The DTLS code doesn't expect this, and we end up hitting an OPENSSL_assert() in do_dtls1_write(). The simple fix is just _not_ to leave it queued. In DTLS, dropping packets is perfectly acceptable -- and even preferable. If we wanted a service with retries and guaranteed delivery, we'd be using TCP. PR: #1703 Submitted by: David Woodhouse <dwmw2@infradead.org> | Lutz Jänicke | 2008-10-10 | 1 | -1/+8 |
Make sure that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG can't enable disabled ciphersuites. | Bodo Möller | 2008-09-22 | 1 | -13/+19 |
Make update: delete duplicate error code. | Dr. Stephen Henson | 2008-09-17 | 1 | -587/+610 |
Updates to build system from FIPS branch. Make fipscanisterbuild work and build FIPS test programs. | Dr. Stephen Henson | 2008-09-17 | 1 | -1/+1 |
update comment | Bodo Möller | 2008-09-14 | 1 | -1/+1 |
oops | Bodo Möller | 2008-09-14 | 1 | -2/+2 |
dtls1_write_bytes consumers expect amount of bytes written per call, not overall [from HEAD]. PR: 1604 | Andy Polyakov | 2008-09-14 | 1 | -1/+1 |
Fix error code discrepancy. Make update. | Dr. Stephen Henson | 2008-09-14 | 1 | -472/+493 |
Fix SSL state transitions. Submitted by: Nagendra Modadugu | Bodo Möller | 2008-09-14 | 2 | -6/+6 |
Some precautions to avoid potential security-relevant problems. | Bodo Möller | 2008-09-14 | 1 | -1/+1 |
DTLS didn't handle alerts correctly [from HEAD]. PR: 1632 | Andy Polyakov | 2008-09-13 | 3 | -3/+25 |
If tickets disabled behave as if no ticket received to support stateful resume. | Dr. Stephen Henson | 2008-09-03 | 1 | -6/+8 |
sanity check. PR: 1679 | Bodo Möller | 2008-08-13 | 3 | -0/+9 |
Make ssl code consistent with FIPS branch. The new code has no effect at present because it asserts either noop flags or is inside OPENSSL_FIPS #ifdef's. | Dr. Stephen Henson | 2008-06-16 | 13 | -31/+111 |
If auto load ENGINE lookup fails retry adding builtin ENGINEs. | Dr. Stephen Henson | 2008-06-05 | 1 | -0/+6 |
include engine.h if needed. | Dr. Stephen Henson | 2008-06-05 | 1 | -0/+3 |
Update from HEAD. | Dr. Stephen Henson | 2008-06-04 | 1 | -0/+19 |
Backport more ENGINE SSL client auth code to 0.9.8. | Dr. Stephen Henson | 2008-06-04 | 6 | -5/+60 |
Backport ssl client auth ENGINE support to 0.9.8. | Dr. Stephen Henson | 2008-06-04 | 1 | -3/+0 |
fix whitespace | Bodo Möller | 2008-05-28 | 1 | -6/+6 |
Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a client crash as found using the Codenomicon TLS test suite (CVE-2008-1672) Reviewed by: openssl-security@openssl.org Obtained from: mark@awe.com | Mark J. Cox | 2008-05-28 | 1 | -0/+7 |
Fix double-free in TLS server name extensions which could lead to a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) Reviewed by: openssl-security@openssl.org Obtained from: jorton@redhat.com | Mark J. Cox | 2008-05-28 | 1 | -0/+1 |
Reword comment to be much shorter to stop other people from complaining about "overcommenting" | Lutz Jänicke | 2008-05-26 | 1 | -5/+1 |
Clear error queue when starting SSL_CTX_use_certificate_chain_file. PR: 1417, 1513 Submitted by: Erik de Castro Lopo <mle+openssl@mega-nerd.com> | Lutz Jänicke | 2008-05-23 | 1 | -0/+6 |
TLS ticket key setting callback: this allows an application to set its own TLS ticket keys. | Dr. Stephen Henson | 2008-04-30 | 5 | -30/+82 |
Do not permit stateless session resumption if session IDs mismatch. | Dr. Stephen Henson | 2008-04-29 | 1 | -1/+5 |
Support ticket renewal in state machine (not used at present). | Dr. Stephen Henson | 2008-04-29 | 1 | -2/+11 |
Status strings for ticket states. | Dr. Stephen Henson | 2008-04-29 | 1 | -0/+4 |
Fix from HEAD. | Dr. Stephen Henson | 2008-04-25 | 1 | -1/+9 |
Avoid "initializer not constant" errors when compiling in pedantic mode. | Dr. Stephen Henson | 2008-04-02 | 1 | -1/+1 |
Make depend. | Ben Laurie | 2007-11-15 | 1 | -21/+23 |
Allow new session ticket when resuming. | Dr. Stephen Henson | 2007-11-03 | 1 | -1/+4 |
Ensure the ticket expected flag is reset when a stateless resumption is successful. | Dr. Stephen Henson | 2007-10-18 | 1 | -0/+1 |
New unused field crippled ssl_ctx_st in 0.9.8"f". | Andy Polyakov | 2007-10-17 | 1 | -1/+0 |
Don't let DTLS ChangeCipherSpec increment handshake sequence number. From HEAD with a twist: server interoperates with non-compliant client. PR: 1587 | Andy Polyakov | 2007-10-17 | 2 | -4/+6 |
Don't try to lookup zero length session. | Dr. Stephen Henson | 2007-10-17 | 1 | -1/+3 |
Allow TLS tickets and session ID to both be present if lifetime hint is -1. This never happens in normal SSL sessions but can be useful if the session is being used as a "blob" to contain other data. | Dr. Stephen Henson | 2007-10-17 | 1 | -6/+9 |
Make ssl compile. | Andy Polyakov | 2007-10-14 | 2 | -0/+2 |
Avoid shadow and signed/unsigned warnings. | Dr. Stephen Henson | 2007-10-12 | 1 | -8/+8 |
Backport certificate status request TLS extension support to 0.9.8. | Dr. Stephen Henson | 2007-10-12 | 11 | -6/+521 |
make update, and more DTLS stuff. | Ben Laurie | 2007-10-11 | 4 | -615/+541 |
Respect cookie length set by app_gen_cookie_cb [from HEAD]. Submitted by: Alex Lam | Andy Polyakov | 2007-10-09 | 1 | -2/+1 |
Make DTLS1 record layer MAC calculation RFC compliant. From HEAD with a twist: server interoperates with non-compliant pre-0.9.8f client. | Andy Polyakov | 2007-10-09 | 1 | -5/+25 |
Prohibit RC4 in DTLS [from HEAD]. | Andy Polyakov | 2007-10-05 | 2 | -1/+23 |
Set client_version earlier in DTLS (this is 0.9.8 specific). | Andy Polyakov | 2007-10-03 | 1 | -0/+1 |