summaryrefslogtreecommitdiff
path: root/ssl/ssl_sess.c
Commit message (Collapse)AuthorAgeFilesLines
* New ctrl values to clear or retrieve extra chain certs from an SSL_CTX.steve2011-12-221-10/+5
| | | | | | | | New function to retrieve compression method from SSL_SESSION structure. Delete SSL_SESSION_get_id_len and SSL_SESSION_get0_id functions as they duplicate functionality of SSL_SESSION_get_id. Note: these functions have never appeared in any release version of OpenSSL.
* Fix session handling.bodo2011-09-051-57/+78
|
* Initial incomplete TLS v1.2 support. New ciphersuites added, new versionsteve2011-04-291-0/+5
| | | | | | | checking added, SHA256 PRF support added. At present only RSA key exchange ciphersuites work with TLS v1.2 as the new signature format is not yet implemented.
* Initial "opaque SSL" framework. If an application definessteve2011-04-291-0/+29
| | | | | | | | | | OPENSSL_NO_SSL_INTERN all ssl related structures are opaque and internals cannot be directly accessed. Many applications will need some modification to support this and most likely some additional functions added to OpenSSL. The advantage of this option is that any application supporting it will still be binary compatible if SSL structures change.
* Add SRP support.ben2011-03-121-0/+7
|
* PR: 2160steve2010-02-011-1/+1
| | | | | | Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Make session tickets work with DTLS.
* Initial experimental TLSv1.1 supportsteve2009-12-071-0/+5
|
* Updates from 1.0.0-stable branch.steve2009-04-201-0/+5
|
* PR: 1574steve2008-11-151-0/+55
| | | | | | | Submitted by: Jouni Malinen <j@w1.fi> Approved by: steve@openssl.org Ticket override support for EAP-FAST.
* Fix from stable branch.steve2008-09-031-1/+1
|
* Avoid warnings with -pedantic, specifically:steve2008-07-041-1/+1
| | | | | | Conversion between void * and function pointer. Value computed not used. Signed/unsigned argument.
* Add client cert engine to SSL routines.steve2008-06-011-0/+22
|
* LHASH revamp. make depend.ben2008-05-261-12/+13
|
* Don't lookup zero length session ID.steve2007-10-171-1/+3
| | | | PR: 1591
* RFC4507 (including RFC4507bis) TLS stateless session resumption supportsteve2007-08-111-6/+34
| | | | for OpenSSL.
* Finish gcc 4.2 changes.steve2007-06-071-0/+1
|
* stricter session ID context matchingbodo2007-03-211-21/+23
|
* use user-supplied malloc functions for persistent kssl objectsnils2007-02-101-1/+1
| | | | | PR: 1467 Submitted by: Andrei Pelinescu-Onciul <andrei@iptel.org>
* Win32 fixes from stable branch.steve2006-11-301-7/+7
|
* replace macros with functionsnils2006-11-291-0/+69
| | | | Submitted by: Tracy Camp <tracyx.e.camp@intel.com>
* Implement Supported Elliptic Curves Extension.bodo2006-03-301-0/+16
| | | | Submitted by: Douglas Stebila
* udpate Supported Point Formats Extension codebodo2006-03-131-0/+1
| | | | Submitted by: Douglas Stebila
* Implement the Supported Point Formats Extension for ECC ciphersuitesbodo2006-03-111-0/+21
| | | | Submitted by: Douglas Stebila
* add initial support for RFC 4279 PSK SSL ciphersuitesnils2006-03-101-0/+36
| | | | | | PR: 1191 Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation Reviewed by: Nils Larsch
* Further TLS extension updatesbodo2006-01-091-7/+11
| | | | Submitted by: Peter Sylvester
* Fixes for TLS server_name extensionbodo2006-01-061-14/+20
| | | | Submitted by: Peter Sylvester
* Various changes in the new TLS extension code, including the following:bodo2006-01-031-2/+54
| | | | | | - fix indentation - rename some functions and macros - fix up confusion between SSL_ERROR_... and SSL_AD_... values
* Support TLS extensions (specifically, HostName)bodo2006-01-021-0/+7
| | | | Submitted by: Peter Sylvester
* Rewrite timeout computation in a way that is less prone to overflow.bodo2005-12-301-1/+1
| | | | (Problem reported by Peter Sylvester.)
* Avoid warnings on VC++ 2005.steve2005-12-051-1/+1
|
* Let the TLSv1_method() etc. functions return a const SSL_METHODnils2005-08-141-1/+1
| | | | | pointer and make the SSL_METHOD parameter in SSL_CTX_new, SSL_CTX_set_ssl_version and SSL_set_ssl_method const.
* check return value of RAND_pseudo_bytes; backport from the stable branchnils2005-04-291-1/+2
|
* Add DTLS support.ben2005-04-261-0/+5
|
* Constification.ben2005-03-301-5/+5
|
* Avoid including cryptlib.h, it's not really needed.levitte2003-12-271-1/+0
| | | | | Check if IDEA is being built or not. This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
* These should be write-locks, not read-locks.geoff2003-09-081-2/+2
|
* Session cache implementations shouldn't have to access SSL_SESSIONgeoff2003-02-151-0/+7
| | | | | | elements directly, so this missing functionality is required. PR: 276
* Cleanse memory using the new OPENSSL_cleanse() function.levitte2002-11-281-4/+4
| | | | I've covered all the memset()s I felt safe modifying, but may have missed some.
* Security fixes brought forward from 0.9.7.ben2002-11-131-3/+3
|
* Correct and enhance the behaviour of "internal" session caching as itgeoff2002-10-291-3/+6
| | | | | | | | | | | | | | | | | | | relates to SSL_CTX flags and the use of "external" session caching. The existing flag, "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP" remains but is supplemented with a complimentary flag, "SSL_SESS_CACHE_NO_INTERNAL_STORE". The bitwise OR of the two flags is also defined as "SSL_SESS_CACHE_NO_INTERNAL" and is the flag that should be used by most applications wanting to implement session caching *entirely* by its own provided callbacks. As the documented behaviour contradicted actual behaviour up until recently, and since that point behaviour has itself been inconsistent anyway, this change should not introduce any compatibility problems. I've adjusted the relevant documentation to elaborate about how this works. Kudos to "Nadav Har'El" <nyh@math.technion.ac.il> for diagnosing these anomalies and testing this patch for correctness. PR: 311
* get rid of OpenSSLDiebodo2002-08-021-1/+6
|
* OpenSSL Security Advisory [30 July 2002]jaenicke2002-07-301-0/+2
| | | | | | | Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537.
* Make removal from session cache more robust.jaenicke2002-02-101-2/+2
|
* Make the necessary changes to work with the recent "ex_data" overhaul.geoff2001-09-011-8/+4
| | | | | | | | | | | See the commit log message for that for more information. NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented (initialisation by "memset" won't/can't/doesn't work). This fixes that but requires that X509_STORE_CTX_init() be able to handle errors - so its prototype has been changed to return 'int' rather than 'void'. All uses of that function throughout the source code have been tracked down and adjusted.
* The indexes returned by ***_get_ex_new_index() functions are used whengeoff2001-08-121-4/+4
| | | | | | | | setting stack (actually, array) values in ex_data. So only increment the global counters if the underlying CRYPTO_get_ex_new_index() call succeeds. This change doesn't make "ex_data" right (see the comment at the head of ex_data.c to know why), but at least makes the source code marginally less frustrating.
* Whoops, my fault, a backslash got converted to a slash...levitte2001-07-311-1/+1
|
* More Kerberos SSL changes from Jeffrey Altman <jaltman@columbia.edu>levitte2001-07-311-0/+11
| | | | | | | | | | | | | | His comments are: First, it corrects a problem introduced in the last patch where the kssl_map_enc() would intentionally return NULL for valid ENCTYPE values. This was done to prevent verification of the kerberos 5 authenticator from being performed when Derived Key ciphers were in use. Unfortunately, the authenticator verification routine was not the only place that function was used. And it caused core dumps. Second, it attempt to add to SSL_SESSION the Kerberos 5 Client Principal Name.
* Fix an oversight - when checking a potential session ID for conflicts withgeoff2001-02-231-2/+2
| | | | | | | | | | | | | | an SSL_CTX's session cache, it is necessary to compare the ssl_version at the same time (a conflict is defined, courtesy of SSL_SESSION_cmp(), as a matching id/id_length pair and a matching ssl_version). However, the SSL_SESSION that will result from the current negotiation does not necessarily have the same ssl version as the "SSL_METHOD" in use by the SSL_CTX - part of the work in a handshake is to agree on an ssl version! This is fixed by having the check function accept an SSL pointer rather than the SSL_CTX it belongs to. [Thanks to Lutz for illuminating the full extent of my stupidity]
* This change allows a callback to be used to override the generation ofgeoff2001-02-211-18/+73
| | | | | | | | | | | | | | | | | | | | SSL/TLS session IDs in a server. According to RFC2246, the session ID is an arbitrary value chosen by the server. It can be useful to have some control over this "arbitrary value" so as to choose it in ways that can aid in things like external session caching and balancing (eg. clustering). The default session ID generation is to fill the ID with random data. The callback used by default is built in to ssl_sess.c, but registering a callback in an SSL_CTX or in a particular SSL overrides this. BTW: SSL callbacks will override SSL_CTX callbacks, and a new SSL structure inherits any callback set in its 'parent' SSL_CTX. The header comments describe how this mechanism ticks, and source code comments describe (hopefully) why it ticks the way it does. Man pages are on the way ... [NB: Lutz was also hacking away and helping me to figure out how best to do this.]
* Move all the existing function pointer casts associated with LHASH's twogeoff2001-01-091-1/+3
| | | | | | | "doall" functions to using type-safe wrappers. As and where required, this can be replaced by redeclaring the underlying callbacks to use the underlying "void"-based prototypes (eg. if performance suffers from an extra level of function invocation).
View Lorry Controller Status