- 20 11月, 2014 2 次提交
-
-
由 Emilia Kasper 提交于
once the ChangeCipherSpec message is received. Previously, the server would set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED. This would allow a second CCS to arrive and would corrupt the server state. (Because the first CCS would latch the correct keys and subsequent CCS messages would have to be encrypted, a MitM attacker cannot exploit this, though.) Thanks to Joeri de Ruiter for reporting this issue. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3 options for s_client/s_server/ssltest. When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3 options. We should document this somewhere, e.g. wiki, FAQ or manual page. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 19 11月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
The supported signature algorithms extension needs to be processed before the certificate to use is decided and before a cipher is selected (as the set of shared signature algorithms supported may impact the choice). Reviewed-by: NMatt Caswell <matt@openssl.org> (cherry picked from commit 56e8dc542bd693b2dccea8828b3d8e5fc6932d0c) Conflicts: ssl/ssl.h ssl/ssl_err.c
-
- 24 9月, 2014 1 次提交
-
-
由 Emilia Kasper 提交于
(Original commit adb46dbc) Use the new constant-time methods consistently in s3_srvr.c Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 09 8月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
The addition of SRP authentication needs to be checked in various places to work properly. Specifically: A certificate is not sent. A certificate request must not be sent. Server key exchange message must not contain a signature. If appropriate SRP authentication ciphersuites should be chosen. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 07 8月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Check SRP parameters when they are received so we can send back an appropriate alert. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 05 7月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
PR#319 (reoponed version).
-
- 04 7月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
-
- 02 7月, 2014 1 次提交
-
-
由 Rich Salz 提交于
-
- 05 6月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Only accept change cipher spec when it is expected instead of at any time. This prevents premature setting of session keys before the master secret is determined which an attacker could use as a MITM attack. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue and providing the initial fix this patch is based on. (cherry picked from commit bc8923b1ec9c467755cd86f7848c50ee8812e441)
-
- 01 6月, 2014 1 次提交
-
-
由 David Ramos 提交于
Make sure there is an extra 4 bytes for server done message when NETSCAPE_HANG_BUG is defined. PR#3361
-
- 13 5月, 2014 1 次提交
-
-
由 Serguei E. Leontiev 提交于
Replace manual ASN.1 decoder with ASN1_get object. This will decode the tag and length properly and check against it does not exceed the supplied buffer length. PR#3335
-
- 28 3月, 2014 3 次提交
-
-
由 Dr. Stephen Henson 提交于
Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of a parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g DH parameters or the peer key size. Documentation to follow...
-
由 Dr. Stephen Henson 提交于
-
由 Dr. Stephen Henson 提交于
Add auto DH parameter support. This is roughly equivalent to the ECDH auto curve selection but for DH. An application can just call SSL_CTX_set_auto_dh(ctx, 1); and appropriate DH parameters will be used based on the size of the server key. Unlike ECDH there is no way a peer can indicate the range of DH parameters it supports. Some peers cannot handle DH keys larger that 1024 bits for example. In this case if you call: SSL_CTX_set_auto_dh(ctx, 2); Only 1024 bit DH parameters will be used. If the server key is 7680 bits or more in size then 8192 bit DH parameters will be used: these will be *very* slow. The old export ciphersuites aren't supported but those are very insecure anyway.
-
- 19 3月, 2014 1 次提交
-
-
由 Piotr Sikora 提交于
-
- 21 2月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
(cherry picked from commit b709f8ef54b1c9ad513878ba0213aa651a9acef8)
-
- 06 2月, 2014 3 次提交
-
-
由 Ben Laurie 提交于
-
由 Scott Deboy 提交于
Whitespace fixes
-
由 Scott Deboy 提交于
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake. Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
-
- 28 1月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
PR#3244 (cherry picked from commit 9614d2c676ffe74ce0c919d9e5c0d622a011cbed)
-
- 26 1月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
-
- 09 1月, 2014 2 次提交
-
-
由 Daniel Kahn Gillmor 提交于
DHE is the standard term used by the RFCs and by other TLS implementations. It's useful to have the internal variables use the standard terminology. This patch leaves a synonym SSL_kEDH in place, though, so that older code can still be built against it, since that has been the traditional API. SSL_kEDH should probably be deprecated at some point, though.
-
由 Daniel Kahn Gillmor 提交于
ECDHE is the standard term used by the RFCs and by other TLS implementations. It's useful to have the internal variables use the standard terminology. This patch leaves a synonym SSL_kEECDH in place, though, so that older code can still be built against it, since that has been the traditional API. SSL_kEECDH should probably be deprecated at some point, though.
-
- 02 1月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
When sending an invalid version number alert don't change the version number to the client version if a session is already established. Thanks to Marek Majkowski for additional analysis of this issue. PR#3191
-
- 18 11月, 2013 1 次提交
-
-
由 Dr. Stephen Henson 提交于
-
- 21 10月, 2013 2 次提交
-
-
由 Nick Mathewson 提交于
-
由 Nick Mathewson 提交于
Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE is set. This is a forward-port of commits: 4af793036f6ef4f0a1078e5d7155426a98d50e37 f4c93b46edb51da71f09eda99e83eaf193a33c08 3da721dac9382c48812c8eba455528fd59af2eef 2583270191a8b27eed303c03ece1da97b9b69fd3 While the gmt_unix_time record was added in an ostensible attempt to mitigate the dangers of a bad RNG, its presence leaks the host's view of the current time in the clear. This minor leak can help fingerprint TLS instances across networks and protocols... and what's worse, it's doubtful thet the gmt_unix_time record does any good at all for its intended purpose, since: * It's quite possible to open two TLS connections in one second. * If the PRNG output is prone to repeat itself, ephemeral handshakes (and who knows what else besides) are broken.
-
- 06 9月, 2013 3 次提交
-
-
由 Ben Laurie 提交于
-
由 Ben Laurie 提交于
-
由 Scott Deboy 提交于
Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions) Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API Tests exercising the new supplemental data registration and callback api can be found in ssltest.c. Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
-
- 13 6月, 2013 1 次提交
-
-
由 Adam Langley 提交于
that bad encryptions are treated like random session keys in constant time.
-
- 09 4月, 2013 3 次提交
-
-
由 Dr. Stephen Henson 提交于
Check for Suite B support using method flags instead of version numbers: anything supporting TLS 1.2 cipher suites will also support Suite B. Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
-
由 Dr. Stephen Henson 提交于
If we successfully match a cookie don't set return value to 2 as this results in other error conditions returning 2 as well. Instead set return value to -2 which can be checked later if everything else is OK.
-
由 Dr. Stephen Henson 提交于
Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and pick the highest version the peer supports during negotiation. As with SSL/TLS options can change this behaviour specifically SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
-
- 18 3月, 2013 2 次提交
-
-
由 Dr. Stephen Henson 提交于
Use the enc_flags field to determine whether we should use explicit IV, signature algorithms or SHA256 default PRF instead of hard coding which versions support each requirement.
-
由 Dr. Stephen Henson 提交于
Revise DTLS code. There was a *lot* of code duplication in the DTLS code that generates records. This makes it harder to maintain and sometimes a TLS update is omitted by accident from the DTLS code. Specifically almost all of the record generation functions have code like this: some_pointer = buffer + HANDSHAKE_HEADER_LENGTH; ... Record creation stuff ... set_handshake_header(ssl, SSL_MT_SOMETHING, message_len); ... write_handshake_message(ssl); Where the "Record creation stuff" is identical between SSL/TLS and DTLS or in some cases has very minor differences. By adding a few fields to SSL3_ENC to include the header length, some flags and function pointers for handshake header setting and handshake writing the code can cope with both cases. Note: although this passes "make test" and some simple DTLS tests there may be some minor differences in the DTLS code that have to be accounted for.
-
- 30 12月, 2012 1 次提交
-
-
由 Dr. Stephen Henson 提交于
-
- 26 11月, 2012 1 次提交
-
-
由 Dr. Stephen Henson 提交于
-
- 11 9月, 2012 1 次提交
-
-
由 Ben Laurie 提交于
right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836.
-