summaryrefslogtreecommitdiff
path: root/ssl/ssl_lib.c
Commit message (Collapse)AuthorAgeFilesLines
* Fix no-ec warningMatt Caswell2015-02-271-3/+10
| | | | | | | This is a partial back port of commit 5b430cfc to remove a warning when compiling with no-ec. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Re-align some comments after running the reformat script.OpenSSL_1_0_1-post-reformatMatt Caswell2015-01-221-5/+5
| | | | | | | | | This should be a one off operation (subsequent invokation of the script should not move them) This commit is for the 1.0.1 changes Reviewed-by: Tim Hudson <tjh@openssl.org>
* Run util/openssl-format-source -v -c .Matt Caswell2015-01-221-2676/+2653
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* indent has problems with comments that are on the right hand side of a line.Matt Caswell2015-01-221-4/+9
| | | | | | | | | | | | | | | | | | | Sometimes it fails to format them very well, and sometimes it corrupts them! This commit moves some particularly problematic ones. Conflicts: crypto/bn/bn.h crypto/ec/ec_lcl.h crypto/rsa/rsa.h demos/engines/ibmca/hw_ibmca.c ssl/ssl.h ssl/ssl3.h Conflicts: crypto/ec/ec_lcl.h ssl/tls1.h Reviewed-by: Tim Hudson <tjh@openssl.org>
* mark all block comments that need format preserving so thatTim Hudson2015-01-221-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | indent will not alter them when reformatting comments (cherry picked from commit 1d97c8435171a7af575f73c526d79e1ef0ee5960) Conflicts: crypto/bn/bn_lcl.h crypto/bn/bn_prime.c crypto/engine/eng_all.c crypto/rc4/rc4_utl.c crypto/sha/sha.h ssl/kssl.c ssl/t1_lib.c Conflicts: crypto/rc4/rc4_enc.c crypto/x509v3/v3_scts.c crypto/x509v3/v3nametest.c ssl/d1_both.c ssl/s3_srvr.c ssl/ssl.h ssl/ssl_locl.h ssl/ssltest.c ssl/t1_lib.c Reviewed-by: Tim Hudson <tjh@openssl.org>
* Only inherit the session ID context in SSL_set_SSL_CTX if the existingEmilia Kasper2015-01-061-13/+20
| | | | | | | context was also inherited (matches that of the existing SSL_CTX). Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit ac8e9cbe14b59dacfe4ac52bc5ff06f8003e9b01)
* Ensure that the session ID context of an SSL* is updatedAdam Langley2015-01-051-0/+15
| | | | | | | | | | when its SSL_CTX is updated. From BoringSSL commit https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 61aa44ca99473f9cabdfb2d3b35abd0b473437d1)
* Clear warnings/errors within CIPHER_DEBUG code sectionsRichard Levitte2014-12-171-1/+1
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit cd387d21daa939862e081f00be0a98dbc5a85351)
* Fix memory leak in SSL_new if errors occur.Matt Caswell2014-12-081-7/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 76e6509085ea96df0ca542568ee2596343711307)
* Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP)Matt Caswell2014-12-031-13/+0
| | | | | | | | | | | | | | | and instead use the value provided by the underlying BIO. Also provide some new DTLS_CTRLs so that the library user can set the mtu without needing to know this constant. These new DTLS_CTRLs provide the capability to set the link level mtu to be used (i.e. including this IP/UDP overhead). The previous DTLS_CTRLs required the library user to subtract this overhead first. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 59669b6abf620d1ed2ef4d1e2df25c998b89b64d) Conflicts: ssl/d1_both.c ssl/ssl_lib.c
* When processing ClientHello.cipher_suites, don't ignore cipher suitesBodo Moeller2014-10-211-0/+1
| | | | | | | listed after TLS_FALLBACK_SCSV. RT: 3575 Reviewed-by: Emilia Kasper <emilia@openssl.org>
* Support TLS_FALLBACK_SCSV.Bodo Moeller2014-10-151-14/+46
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Preserve digests for SNI.Dr. Stephen Henson2014-10-101-2/+13
| | | | | | | | | | SSL_set_SSL_CTX is normally called for SNI after ClientHello has received and the digest to use for each certificate has been decided. The original ssl->cert contains the negotiated digests and is now copied to the new ssl->cert. PR: 3560 Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix SRP ciphersuite DoS vulnerability.Dr. Stephen Henson2014-08-061-0/+5
| | | | | | | | | | | | If a client attempted to use an SRP ciphersuite and it had not been set up correctly it would crash with a null pointer read. A malicious server could exploit this in a DoS attack. Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon for reporting this issue. CVE-2014-5139 Reviewed-by: Tim Hudson <tjh@openssl.org>
* Check sk_SSL_CIPHER_num() after assigning sk.Kurt Roeckx2014-05-121-2/+3
|
* Avoid out-of-bounds write in SSL_get_shared_ciphersGünther Noack2014-05-111-0/+3
| | | | PR: 3317
* Disable compression for DTLS.Dr. Stephen Henson2013-03-191-1/+3
| | | | | | The only standard compression method is stateful and is incompatible with DTLS. (cherry picked from commit e14b8410ca882da8e9579a2d928706f894c8e1ae)
* Fix for SSL_get_certificateDr. Stephen Henson2013-02-111-3/+1
| | | | | | Now we set the current certificate to the one used by a server there is no need to call ssl_get_server_send_cert which will fail if we haven't sent a certificate yet.
* ssl/*: fix linking errors with no-srtp.Andy Polyakov2013-02-091-0/+4
|
* Fix error codes.Dr. Stephen Henson2013-02-041-1/+1
|
* Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificateDr. Stephen Henson2012-09-211-3/+11
| | | | | | | | change the current certificate (in s->cert->key) to the one used and then SSL_get_certificate and SSL_get_privatekey will automatically work. Note for 1.0.1 and earlier also includes backport of the function ssl_get_server_send_pkey.
* Call OCSP Stapling callback after ciphersuite has been chosen, so theBen Laurie2012-09-171-2/+4
| | | | | | | right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836.
* Reduce version skew.Ben Laurie2012-06-081-1/+1
|
* Fix for builds without DTLS support.Bodo Möller2012-01-051-0/+2
| | | | Submitted by: Brian Carlstrom
* SSL export fixes (from Adam Langley).Ben Laurie2011-12-131-5/+6
|
* Add TLS exporter.Ben Laurie2011-11-151-1/+15
|
* Add DTLS-SRTP.Ben Laurie2011-11-151-0/+6
|
* Add Next Protocol Negotiation.Ben Laurie2011-11-131-0/+129
|
* Don't disable TLS v1.2 by default any more.Dr. Stephen Henson2011-10-091-2/+0
|
* use client version when eliminating TLS v1.2 ciphersuites in client helloDr. Stephen Henson2011-10-071-1/+1
|
* fix signed/unsigned warningDr. Stephen Henson2011-09-261-1/+1
|
* PR: 2602Dr. Stephen Henson2011-09-231-0/+3
| | | | | | | Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Reviewed by: steve Fix DTLS bug which prevents manual MTU setting
* Fix session handling.Bodo Möller2011-09-051-5/+4
|
* Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSADr. Stephen Henson2011-08-141-19/+13
| | | | | | | using OBJ xref utilities instead of string comparison with OID name. This removes the arbitrary restriction on using SHA1 only with some ECC ciphersuites.
* Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support andDr. Stephen Henson2011-07-251-0/+4
| | | | prohibit use of these ciphersuites for TLS < 1.2
* use TLS1_get_version macro to check version so TLS v1.2 changes don't ↵Dr. Stephen Henson2011-05-251-2/+2
| | | | interfere with DTLS
* add FIPS support to ssl: doesn't do anything on this branch yet as there is ↵Dr. Stephen Henson2011-05-191-0/+8
| | | | no FIPS compilation support
* Backport TLS v1.2 support from HEAD.Dr. Stephen Henson2011-05-111-12/+19
| | | | | This includes TLS v1.2 server and client support but at present client certificate support is not implemented.
* Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERNDr. Stephen Henson2011-05-111-0/+15
| | | | | | | | | | | all ssl related structures are opaque and internals cannot be directly accessed. Many applications will need some modification to support this and most likely some additional functions added to OpenSSL. The advantage of this option is that any application supporting it will still be binary compatible if SSL structures change. (backport from HEAD).
* Add SRP.Ben Laurie2011-03-161-0/+6
|
* remove duplicate statementDr. Stephen Henson2010-11-181-2/+0
|
* oops, reinstate TLSv1 stringDr. Stephen Henson2010-11-171-0/+2
|
* PR: 1833Dr. Stephen Henson2010-08-271-2/+2
| | | | | | Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de> Fix other cases not covered by original patch. (correct patch this time!)
* oops, revert previous patchDr. Stephen Henson2010-08-271-9/+21
|
* PR: 1833Dr. Stephen Henson2010-08-271-21/+9
| | | | | | Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de> Fix other cases not covered by original patch.
* PR: 1833Dr. Stephen Henson2010-08-261-7/+19
| | | | | | Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de> Support for abbreviated handshakes when renegotiating.
* Backport TLS v1.1 support from HEAD, ssl/ changesDr. Stephen Henson2010-06-271-2/+4
|
* Fix warnings (From HEAD, original patch by Ben).Dr. Stephen Henson2010-06-151-13/+2
|
* OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preservedDr. Stephen Henson2010-02-171-1/+1
|
* Simplify RI+SCSV logic:Dr. Stephen Henson2010-01-071-3/+2
| | | | | 1. Send SCSV is not renegotiating, never empty RI. 2. Send RI if renegotiating.
View Lorry Controller Status