  1. Jul 18, 2016
    • Make sure we call ssl3_digest_cached_records() when necessary · 149c2ef5
      Matt Caswell authored
      
      
      Having received a ClientKeyExchange message instead of a Certificate we
      know that we are not going to receive a CertificateVerify message. This
      means we can free up the handshake_buffer. However we better call
      ssl3_digest_cached_records() instead of just freeing it up, otherwise we
      later try and use it anyway and a core dump results. This could happen,
      for example, in SSLv3 where we send a CertificateRequest but the client
      sends no Certificate message at all. This is valid in SSLv3 (in TLS
      clients are required to send an empty Certificate message).
      
      Found using the BoringSSL test suite.
      
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix SSLv3 alert if no Client Certificate sent after a request for one · 672f3337
      Matt Caswell authored
      
      
      In TLS if the server sends a CertificateRequest and the client does not
      provide one, if the server cannot continue it should send a
      HandshakeFailure alert. In SSLv3 the same should happen, but instead we
      were sending an UnexpectedMessage alert. This is incorrect - the message
      isn't unexpected - it is valid for the client not to send one - it's just
      that we cannot continue without one.
      
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix SSLv3 ClientAuth alert checking · 10e6d235
      Matt Caswell authored
      
      
      In TLS during ClientAuth if the CA is not recognised you should get an
      UnknownCA alert. In SSLv3 this does not exist and you should get a
      BadCertificate alert.
      
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix Client Auth tests · 78cbe94f
      Matt Caswell authored
      
      
      The Client Auth tests were not correctly setting the Protocol, so that this
      aspect had no effect. It was testing the same thing lots of times for
      TLSv1.2 every time.
      
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Prepare the client certificate earlier · 05c4f1d5
      Matt Caswell authored
      
      
      Move the preparation of the client certificate to be post processing work
      after reading the CertificateRequest message rather than pre processing
      work prior to writing the Certificate message. As part of preparing the
      client certificate we may discover that we do not have one available. If
      we are also talking SSLv3 then we won't send the Certificate message at
      all. However, if we don't discover this until we are about to send the
      Certificate message it is too late and we send an empty one anyway. This
      is wrong for SSLv3.
      
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix mingw build · 3c49b2e0
      Matt Caswell authored
      
      
      Mingw builds on Travis were failing because INT_MAX was undeclared.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
    • Fix strict-warnings build · 33e49fda
      Matt Caswell authored
      
      
      The i2d_SCT_LIST function is declared as __owur, therefore we need to check
      the result or a --strict-warnings build will fail.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>