| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This is a partial back port of commit 5b430cfc to remove a warning when
compiling with no-ec.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
|
|
|
|
|
|
|
| |
This should be a one off operation (subsequent invokation of the
script should not move them)
This commit is for the 1.0.1 changes
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
|
|
| |
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.
Conflicts:
crypto/bn/bn.h
crypto/ec/ec_lcl.h
crypto/rsa/rsa.h
demos/engines/ibmca/hw_ibmca.c
ssl/ssl.h
ssl/ssl3.h
Conflicts:
crypto/ec/ec_lcl.h
ssl/tls1.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
indent will not alter them when reformatting comments
(cherry picked from commit 1d97c8435171a7af575f73c526d79e1ef0ee5960)
Conflicts:
crypto/bn/bn_lcl.h
crypto/bn/bn_prime.c
crypto/engine/eng_all.c
crypto/rc4/rc4_utl.c
crypto/sha/sha.h
ssl/kssl.c
ssl/t1_lib.c
Conflicts:
crypto/rc4/rc4_enc.c
crypto/x509v3/v3_scts.c
crypto/x509v3/v3nametest.c
ssl/d1_both.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl_locl.h
ssl/ssltest.c
ssl/t1_lib.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
|
|
|
|
|
| |
context was also inherited (matches that of the existing SSL_CTX).
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ac8e9cbe14b59dacfe4ac52bc5ff06f8003e9b01)
|
|
|
|
|
|
|
|
|
|
| |
when its SSL_CTX is updated.
From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 61aa44ca99473f9cabdfb2d3b35abd0b473437d1)
|
|
|
|
|
| |
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cd387d21daa939862e081f00be0a98dbc5a85351)
|
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 76e6509085ea96df0ca542568ee2596343711307)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and instead use the value provided by the underlying BIO. Also provide some
new DTLS_CTRLs so that the library user can set the mtu without needing to
know this constant. These new DTLS_CTRLs provide the capability to set the
link level mtu to be used (i.e. including this IP/UDP overhead). The previous
DTLS_CTRLs required the library user to subtract this overhead first.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 59669b6abf620d1ed2ef4d1e2df25c998b89b64d)
Conflicts:
ssl/d1_both.c
ssl/ssl_lib.c
|
|
|
|
|
|
|
| |
listed after TLS_FALLBACK_SCSV.
RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
|
|
|
|
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
|
|
|
|
|
|
|
| |
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.
PR: 3560
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.
CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
|
|
| |
PR: 3317
|
|
|
|
|
|
| |
The only standard compression method is stateful and is incompatible with
DTLS.
(cherry picked from commit e14b8410ca882da8e9579a2d928706f894c8e1ae)
|
|
|
|
|
|
| |
Now we set the current certificate to the one used by a server
there is no need to call ssl_get_server_send_cert which will
fail if we haven't sent a certificate yet.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.
Note for 1.0.1 and earlier also includes backport of the function
ssl_get_server_send_pkey.
|
|
|
|
|
|
|
| |
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent.
See http://rt.openssl.org/Ticket/Display.html?id=2836.
|
| |
|
|
|
|
| |
Submitted by: Brian Carlstrom
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fix DTLS bug which prevents manual MTU setting
|
| |
|
|
|
|
|
|
|
| |
using OBJ xref utilities instead of string comparison with OID name.
This removes the arbitrary restriction on using SHA1 only with some ECC
ciphersuites.
|
|
|
|
| |
prohibit use of these ciphersuites for TLS < 1.2
|
|
|
|
| |
interfere with DTLS
|
|
|
|
| |
no FIPS compilation support
|
|
|
|
|
| |
This includes TLS v1.2 server and client support but at present
client certificate support is not implemented.
|
|
|
|
|
|
|
|
|
|
|
| |
all ssl related structures are opaque and internals cannot be directly
accessed. Many applications will need some modification to support this and
most likely some additional functions added to OpenSSL.
The advantage of this option is that any application supporting it will still
be binary compatible if SSL structures change.
(backport from HEAD).
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix other cases not covered by original patch. (correct patch this time!)
|
| |
|
|
|
|
|
|
| |
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Fix other cases not covered by original patch.
|
|
|
|
|
|
| |
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Support for abbreviated handshakes when renegotiating.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating.
|