root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity
10,893 Commits 32 Branches 398 Tags 545 MiB
Commit Graph

233 Commits

Author SHA1 Message Date
Dr. Stephen Henson ce33b42bc6 oops, not yet ;-) 2012-04-23 21:58:29 +00:00
Dr. Stephen Henson 579d553464 update NEWS 2012-04-23 21:56:33 +00:00
Dr. Stephen Henson a43526302f Add support for automatic ECDH temporary key parameter selection. When 
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
 2012-04-05 13:38:27 +00:00
Dr. Stephen Henson d0595f170c Initial revision of ECC extension handling. 
Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
 2012-03-28 15:05:04 +00:00
Dr. Stephen Henson 5421196eca ABI compliance fixes. 
Move new structure fields to end of structures.
 2012-02-22 15:39:54 +00:00
Dr. Stephen Henson 74b4b49494 SSL export fixes (from Adam Langley) [original from 1.0.1] 2012-02-22 15:06:56 +00:00
Dr. Stephen Henson c526ed410c Revise ssl code to use a CERT_PKEY structure when outputting a 
certificate chain instead of an X509 structure.

This makes it easier to enhance code in future and the chain
output functions have access to the CERT_PKEY structure being
used.
 2012-01-26 16:00:34 +00:00
Dr. Stephen Henson 8e1dc4d7ca Support for fixed DH ciphersuites. 
The cipher definitions of these ciphersuites have been around since SSLeay
but were always disabled. Now OpenSSL supports DH certificates they can be
finally enabled.

Various additional changes were needed to make them work properly: many
unused fixed DH sections of code were untested.
 2012-01-16 18:19:14 +00:00
Bodo Möller 7bb1cc9505 Fix for builds without DTLS support. 
Submitted by: Brian Carlstrom
 2012-01-05 10:22:41 +00:00
Ben Laurie e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00
Ben Laurie 333f926d67 Add DTLS-SRTP. 2011-11-15 22:59:20 +00:00
Dr. Stephen Henson 7d7c13cbab Don't disable TLS v1.2 by default now. 2011-10-09 23:26:39 +00:00
Dr. Stephen Henson 6dd547398a use client version when eliminating TLS v1.2 ciphersuites in client hello 2011-10-07 15:07:19 +00:00
Dr. Stephen Henson fca38e350b fix signed/unsigned warning 2011-09-26 17:04:32 +00:00
Dr. Stephen Henson 1d7392f219 PR: 2602 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS bug which prevents manual MTU setting
 2011-09-23 13:34:48 +00:00
Bodo Möller c519e89f5c Fix session handling. 2011-09-05 13:36:23 +00:00
Dr. Stephen Henson 1f59a84308 Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSA 
using OBJ xref utilities instead of string comparison with OID name.

This removes the arbitrary restriction on using SHA1 only with some ECC
ciphersuites.
 2011-08-14 13:45:19 +00:00
Dr. Stephen Henson d09677ac45 Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support and 
prohibit use of these ciphersuites for TLS < 1.2
 2011-07-25 20:41:32 +00:00
Dr. Stephen Henson 238b63613b use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with DTLS 2011-05-25 11:43:07 +00:00
Dr. Stephen Henson 086e32a6c7 Implement FIPS_mode and FIPS_mode_set 2011-05-19 18:09:02 +00:00
Dr. Stephen Henson a2f9200fba Initial TLS v1.2 client support. Include a default supported signature 
algorithms extension (including everything we support). Swicth to new
signature format where needed and relax ECC restrictions.

Not TLS v1.2 client certifcate support yet but client will handle case
where a certificate is requested and we don't have one.
 2011-05-09 15:44:01 +00:00
Dr. Stephen Henson 6b7be581e5 Continuing TLS v1.2 support: add support for server parsing of 
signature algorithms extension and correct signature format for
server key exchange.

All ciphersuites should now work on the server but no client support and
no client certificate support yet.
 2011-05-06 13:00:07 +00:00
Dr. Stephen Henson 7409d7ad51 Initial incomplete TLS v1.2 support. New ciphersuites added, new version 
checking added, SHA256 PRF support added.

At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
 2011-04-29 22:56:51 +00:00
Dr. Stephen Henson 08557cf22c Initial "opaque SSL" framework. If an application defines 
OPENSSL_NO_SSL_INTERN all ssl related structures are opaque
and internals cannot be directly accessed. Many applications
will need some modification to support this and most likely some
additional functions added to OpenSSL.

The advantage of this option is that any application supporting
it will still be binary compatible if SSL structures change.
 2011-04-29 22:37:12 +00:00
Ben Laurie edc032b5e3 Add SRP support. 2011-03-12 17:01:19 +00:00
Dr. Stephen Henson a3654f0586 Include openssl/crypto.h first in several other files so FIPS renaming 
is picked up.
 2011-02-16 17:25:01 +00:00
Dr. Stephen Henson b71f815f6b remove duplicate statement 2010-11-18 17:33:17 +00:00
Dr. Stephen Henson ac7797a722 oops, reinstate TLSv1 string 2010-11-17 18:17:08 +00:00
Ben Laurie bf48836c7c Fixes to NPN from Adam Langley. 2010-09-05 17:14:01 +00:00
Dr. Stephen Henson bdd5350804 PR: 1833 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix other cases not covered by original patch.
 2010-08-27 11:29:15 +00:00
Bodo Möller 7c2d4fee25 For better forward-security support, add functions 
SSL_[CTX_]set_not_resumable_session_callback.

Submitted by: Emilia Kasper (Google)

[A part of this change affecting ssl/s3_lib.c was accidentally commited
separately, together with a compilation fix for that file;
see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855).]
 2010-08-26 15:15:47 +00:00
Dr. Stephen Henson 44959ee456 PR: 1833 
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Support for abbreviated handshakes when renegotiating.
 2010-08-26 14:23:52 +00:00
Ben Laurie ee2ffc2794 Add Next Protocol Negotiation. 2010-07-28 10:06:55 +00:00
Ben Laurie c8bbd98a2b Fix warnings. 2010-06-12 14:13:23 +00:00
Dr. Stephen Henson 7512141162 OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved 2010-02-17 19:43:56 +00:00
Dr. Stephen Henson 423c66f10e Simplify RI+SCSV logic: 
1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating.
 2010-01-07 19:04:52 +00:00
Dr. Stephen Henson 76998a71bc Updates to conform with draft-ietf-tls-renegotiation-03.txt: 
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
 2010-01-06 17:37:09 +00:00
Dr. Stephen Henson 73527122c9 Typo 2009-12-27 23:02:50 +00:00
Dr. Stephen Henson d68015764e Update RI to match latest spec. 
MCSV is now called SCSV.

Don't send SCSV if renegotiating.

Also note if RI is empty in debug messages.
 2009-12-27 22:58:55 +00:00
Dr. Stephen Henson ef51b4b9b4 New option to enable/disable connection to unpatched servers 2009-12-16 20:25:59 +00:00
Dr. Stephen Henson a8640f0a7d Check s3 is not NULL 2009-12-09 15:03:44 +00:00
Dr. Stephen Henson 7661ccadf0 Add ctrls to clear options and mode. 
Change RI ctrl so it doesn't clash.
 2009-12-09 13:25:16 +00:00
Dr. Stephen Henson 5430200b8b Add ctrl and macro so we can determine if peer support secure renegotiation. 2009-12-08 13:42:08 +00:00
Dr. Stephen Henson 13f6d57b1e Add support for magic cipher suite value (MCSV). Make secure renegotiation 
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
 2009-12-08 13:14:03 +00:00
Dr. Stephen Henson 637f374ad4 Initial experimental TLSv1.1 support 2009-12-07 13:31:02 +00:00
Dr. Stephen Henson 7f354fa42d Ooops... 2009-12-01 18:40:50 +00:00
Dr. Stephen Henson 6732e14278 check DSA_sign() return value properly 2009-12-01 18:39:33 +00:00
Dr. Stephen Henson 7c3908dd19 PR: 2073 
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Don't access freed SSL_CTX in SSL_free().
 2009-10-16 13:41:39 +00:00
Dr. Stephen Henson ccf117510d Update from 1.0.0-stable. 2009-06-30 11:58:10 +00:00
Dr. Stephen Henson 48fd490c6d Update from 1.0.0-stable. 2009-05-16 11:16:43 +00:00