Skip to content
  1. Dec 01, 2015
    • Matt Caswell's avatar
      Remove cookie validation return value trick · 94f98a90
      Matt Caswell authored
      
      
      In the DTLS ClientHello processing the return value is stored in |ret| which
      by default is -1. |ret| is only updated to a positive value once we are past
      all points where we could hit an error. We wish to return 1 on success or 2
      on success *and* we have validated the DTLS cookie. Previously on successful
      validation of the cookie we were setting |ret| to -2, and then once we were
      past all error points we set |ret = -ret|. This is non-obvious behaviour and
      could be error prone. This commit tries to make this a bit more intuitive.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      94f98a90
  2. Nov 30, 2015
  3. Nov 24, 2015
  4. Nov 23, 2015
  5. Nov 22, 2015
  6. Nov 21, 2015
  7. Nov 20, 2015
  8. Nov 19, 2015
  9. Nov 18, 2015
  10. Nov 16, 2015
  11. Nov 13, 2015
  12. Nov 11, 2015
  13. Nov 10, 2015
    • Matt Caswell's avatar
      Stop DTLS servers asking for unsafe legacy renegotiation · d40ec4ab
      Matt Caswell authored
      
      
      If a DTLS client that does not support secure renegotiation connects to an
      OpenSSL DTLS server then, by default, renegotiation is disabled. If a
      server application attempts to initiate a renegotiation then OpenSSL is
      supposed to prevent this. However due to a discrepancy between the TLS and
      DTLS code, the server sends a HelloRequest anyway in DTLS.
      
      This is not a security concern because the handshake will still fail later
      in the process when the client responds with a ClientHello.
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      d40ec4ab
    • Matt Caswell's avatar
      Only call ssl3_init_finished_mac once for DTLS · 15a7164e
      Matt Caswell authored
      
      
      In DTLS if an IO retry occurs during writing of a fragmented ClientHello
      then we can end up reseting the finish mac variables on the retry, which
      causes a handshake failure. We should only reset on the first attempt not
      on retries.
      
      Thanks to BoringSSL for reporting this issue.
      
      RT#4119
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      15a7164e
  14. Nov 09, 2015
  15. Nov 08, 2015
  16. Nov 04, 2015
  17. Nov 02, 2015
  18. Nov 01, 2015
  19. Oct 29, 2015
  20. Oct 23, 2015